From: Marek Vasut <marex@denx.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] mxs: HAB experiments
Date: Wed, 18 Nov 2015 11:01:03 +0100 [thread overview]
Message-ID: <201511181101.04070.marex@denx.de> (raw)
In-Reply-To: <7248552.1V5XTJgcqi@r90b40zn>
On Wednesday, November 18, 2015 at 10:57:13 AM, Florian Achleitner wrote:
> Hi,
>
> On Wednesday, November 18, 2015 09:55:12 AM Marek Vasut wrote:
> > On Tuesday, November 17, 2015 at 02:16:06 PM, Florian Achleitner wrote:
> > > Hi Marek,
> >
> > Hi,
> >
> > > thanks for you contributions to support mxs HAB v4 in u-boot. I'm
> > > currently
> > > experimenting with HAB on my imx28 board. I think I put everything
> > > together
> > > quite well.
> > >
> > >
> > >
> > > But examining the HAB event log I see two successful authentications
> > > for the u-boot.bin and the IVT followed by a FAILURE with "unsupported
> > > command" in the "CSF Context". It is the same for both the SPL and
> > > the main u-boot. Did you see something similar? It suggests a wrong
> > > command in the CSF file, but I think there is not a lot that can be
> > > wrong in the CSF input file for the cst tool. But probably the cst
> > > output is different between versions? I use version
> > > BLN_CST_MAIN_02.03.00.
> > >
> > >
> > >
> > > I use u-boot's mkimage, which can generate a signed boot stream,
> > > together with your hand-crafted IVT generator in the Makefile.
> >
> > Can you share your CSF files (make sure to blank out the private
> > material) ?
>
> The CSF follows. It is the same for the spl and the main u-boot.
>
> Anyways, I currently suspect the cst tool in its current version (2.3.1) to
> produce binaries that are incompatible with the mx28 HAB Rom. However, I
> couldn't find an older version of the cst yet, so I can't try it at the
> moment.
>
> Thanks!
> Florian
>
> [Header]
> Version = 4.0
> Hash Algorithm = sha256
> Engine Configuration = 0
> Certificate Format = X509
> Signature Format = CMS
> Engine = DCP
I use "Engine = ANY" here, not sure if it matters.
>
> [Install SRK]
> File = "$SRK_1_2_table.bin"
> Source index = 0
>
> [Install CSFK]
> File = "$CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
>
> [Authenticate CSF]
>
> [Install Key]
> Verification index = 0
> Target index = 2
> File = "$IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
>
> [Authenticate Data]
> Verification index = 2
Here I use "Engine = DCP" (missing in your example)
I am using BLN_CST_MAIN_02.00.00 btw.
Best regards,
Marek Vasut
next prev parent reply other threads:[~2015-11-18 10:01 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-17 13:16 [U-Boot] mxs: HAB experiments Florian Achleitner
2015-11-18 8:55 ` Marek Vasut
2015-11-18 9:57 ` Florian Achleitner
2015-11-18 10:01 ` Marek Vasut [this message]
2015-11-18 12:39 ` Florian Achleitner
2015-11-26 9:24 ` [U-Boot] mxs: HAB: current CST broken Florian Achleitner
2015-11-26 11:06 ` Marek Vasut
2015-11-26 12:51 ` Florian Achleitner
2015-11-26 12:52 ` Marek Vasut
2015-11-26 13:03 ` Florian Achleitner
2015-11-26 13:09 ` Marek Vasut
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201511181101.04070.marex@denx.de \
--to=marex@denx.de \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.