* [U-Boot] mxs: HAB experiments
From: Florian Achleitner @ 2015-11-17 13:16 UTC
To: u-boot

Hi Marek,
thanks for your contributions to support mxs HAB v4 in u-boot. I'm currently
experimenting with HAB on my imx28 board. I think I put everything together
quite well.

But examining the HAB event log I see two successful authentications for
the u-boot.bin and the IVT followed by a FAILURE with "unsupported
command" in the "CSF Context". It is the same for both the SPL and the
main u-boot. Did you see something similar? It suggests a wrong command in
the CSF file, but I think there is not a lot that can be wrong in the CSF
input file for the cst tool. But probably the cst output is different
between versions? I use version BLN_CST_MAIN_02.03.00.

I use u-boot's mkimage, which can generate a signed boot stream, together
with your hand-crafted IVT generator in the Makefile.

I wonder if the image size field, which is appended to IVT is critical. In
9c2c8a3 you mention that the HAB Rom accepts a not exact size field value
of your SPL image layout. So it seems to be not that critical.
I found that my .sig file created by freescale's cst tool is 3372B, while
yours seems to have been 3904B. Currently, I am experimenting with the
image memory layout and the size field.

My CSF file is virtually identical to the example in the freescale's
application notes, which uses sha256. I programmed the SRK fuses, but did
not set any lock bits.
HAB is in the open configuration. The SRK seems to be ok, otherwise there
would be no SUCCESS events in the log.

Did HAB work without FAILURE events for you? Did anybody else on the list
see something similar? Below, you can find the HAB event log.

Thanks!
Florian

Status: Operation failed (0x33)
Config: Non-secure IC (0xf0)
State: No security state machine (0xf0)
-------- HAB Event 0 --------
event data:
db 00 10 40 f0 00 db 00
00 00 10 00 00 00 26 c0
status: HAB_STATUS_SUCCESS reason: HAB_RSN_ANY context: HAB_CTX_AUT_DAT

-------- HAB Event 1 --------
event data:
db 00 10 40 f0 00 db 00
00 00 80 00 00 00 00 40
status: HAB_STATUS_SUCCESS reason: HAB_RSN_ANY context: HAB_CTX_AUT_DAT

-------- HAB Event 2 --------
event data:
db 00 08 40 33 03 cf 00
status: HAB_STATUS_FAILURE reason: HAB_UNS_COMMAND context: HAB_CTX_CSF

-------- HAB Event 3 --------
event data:
db 00 10 40 f0 00 db 00
40 00 20 00 00 06 ef 00
status: HAB_STATUS_SUCCESS reason: HAB_RSN_ANY context: HAB_CTX_AUT_DAT

-------- HAB Event 4 --------
event data:
db 00 10 40 f0 00 db 00
40 00 10 00 00 00 00 40
status: HAB_STATUS_SUCCESS reason: HAB_RSN_ANY context: HAB_CTX_AUT_DAT

-------- HAB Event 5 --------
event data:
db 00 08 40 33 03 cf 00
status: HAB_STATUS_FAILURE reason: HAB_UNS_COMMAND context: HAB_CTX_CSF

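Added example (not part of the message above and not U-Boot code): a small Python decoder for the raw event records in the posted log, so failures can be pulled out of a console capture or a quoted mail. The header layout (tag, 16-bit big-endian length, version, status, reason, context, engine) and the name tables are inferred from the bytes and decoded names shown in this log; reading the 8-byte payload of HAB_CTX_AUT_DAT events as an address/size pair is an assumption.

```python
import re

# Only byte values that this thread's log pairs with a decoded name are mapped;
# anything else is reported as raw hex rather than guessed.
STATUS = {0xF0: "HAB_STATUS_SUCCESS", 0x33: "HAB_STATUS_FAILURE"}
REASON = {0x00: "HAB_RSN_ANY", 0x03: "HAB_UNS_COMMAND"}
CONTEXT = {0xDB: "HAB_CTX_AUT_DAT", 0xCF: "HAB_CTX_CSF"}
EVENT_TAG = 0xDB  # first byte of every record in the posted log

# Constructed sample: events 0-2 from the log above, one of them mail-quoted.
SAMPLE_LOG = """\
-------- HAB Event 0 --------
event data:
db 00 10 40 f0 00 db 00
00 00 10 00 00 00 26 c0
> -------- HAB Event 1 --------
> event data:
> db 00 10 40 f0 00 db 00
> 00 00 80 00 00 00 00 40
-------- HAB Event 2 --------
event data:
db 00 08 40 33 03 cf 00
"""

HEX_ROW = re.compile(r"(?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2}")
HEADER = re.compile(r"-+ HAB Event (\d+) -+")


def parse_events(text):
    """Return {event index: raw bytes}, tolerating '>' mail quoting."""
    events, current = {}, None
    for line in text.splitlines():
        line = line.lstrip("> \t").rstrip()
        m = HEADER.fullmatch(line)
        if m:
            current = int(m.group(1))
            events[current] = bytearray()
        elif current is not None and HEX_ROW.fullmatch(line):
            events[current] += bytes.fromhex(line)
    return {i: bytes(b) for i, b in events.items()}


def decode_event(raw):
    """Split one record into header fields; reject malformed records."""
    if len(raw) < 8 or raw[0] != EVENT_TAG:
        raise ValueError("not a HAB event record")
    if int.from_bytes(raw[1:3], "big") != len(raw):
        raise ValueError("length field does not match record size")
    ev = {"status": STATUS.get(raw[4], hex(raw[4])),
          "reason": REASON.get(raw[5], hex(raw[5])),
          "context": CONTEXT.get(raw[6], hex(raw[6])), "engine": raw[7]}
    if raw[6] == 0xDB and len(raw) == 16:
        # Assumption: payload is a big-endian (address, size) pair.
        ev["address"] = int.from_bytes(raw[8:12], "big")
        ev["size"] = int.from_bytes(raw[12:16], "big")
    return ev


def failures(text):
    """List (index, reason, context) for every event that is not a success."""
    events = sorted(parse_events(text).items())
    decoded = [(i, decode_event(raw)) for i, raw in events]
    return [(i, e["reason"], e["context"]) for i, e in decoded
            if e["status"] != "HAB_STATUS_SUCCESS"]
```

Run over the full six-event log, failures() reports events 2 and 5, one per boot stage, which matches the observation that SPL and main u-boot fail the same way.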
* [U-Boot] mxs: HAB experiments
From: Marek Vasut @ 2015-11-18 8:55 UTC
To: u-boot

On Tuesday, November 17, 2015 at 02:16:06 PM, Florian Achleitner wrote:
> Hi Marek,

Hi,

> thanks for your contributions to support mxs HAB v4 in u-boot. I'm currently
> experimenting with HAB on my imx28 board. I think I put everything together
> quite well.
>
> But examining the HAB event log I see two successful authentications for
> the u-boot.bin and the IVT followed by a FAILURE with "unsupported
> command" in the "CSF Context". It is the same for both the SPL and the
> main u-boot. Did you see something similar? It suggests a wrong command in
> the CSF file, but I think there is not a lot that can be wrong in the CSF
> input file for the cst tool. But probably the cst output is different
> between versions? I use version BLN_CST_MAIN_02.03.00.
>
> I use u-boot's mkimage, which can generate a signed boot stream, together
> with your hand-crafted IVT generator in the Makefile.

Can you share your CSF files (make sure to blank out the private material) ?

> I wonder if the image size field, which is appended to IVT is critical. In
> 9c2c8a3 you mention that the HAB Rom accepts a not exact size field value
> of your SPL image layout. So it seems to be not that critical.
> I found that my .sig file created by freescale's cst tool is 3372B, while
> yours seems to have been 3904B. Currently, I am experimenting with the
> image memory layout and the size field.
>
> My CSF file is virtually identical to the example in the freescale's
> application notes, which uses sha256. I programmed the SRK fuses, but did
> not set any lock bits.
> HAB is in the open configuration. The SRK seems to be ok, otherwise there
> would be no SUCCESS events in the log.
>
> Did HAB work without FAILURE events for you? Did anybody else on the list
> see something similar? Below, you can find the HAB event log.
>
> Thanks!
> Florian
>
> Status: Operation failed (0x33)
> Config: Non-secure IC (0xf0)
> State: No security state machine (0xf0)
> -------- HAB Event 0 --------
> event data:
> db 00 10 40 f0 00 db 00
> 00 00 10 00 00 00 26 c0
> status: HAB_STATUS_SUCCESS reason: HAB_RSN_ANY context: HAB_CTX_AUT_DAT
>
> -------- HAB Event 1 --------
> event data:
> db 00 10 40 f0 00 db 00
> 00 00 80 00 00 00 00 40
> status: HAB_STATUS_SUCCESS reason: HAB_RSN_ANY context: HAB_CTX_AUT_DAT
>
> -------- HAB Event 2 --------
> event data:
> db 00 08 40 33 03 cf 00
> status: HAB_STATUS_FAILURE reason: HAB_UNS_COMMAND context: HAB_CTX_CSF
>
> -------- HAB Event 3 --------
> event data:
> db 00 10 40 f0 00 db 00
> 40 00 20 00 00 06 ef 00
> status: HAB_STATUS_SUCCESS reason: HAB_RSN_ANY context: HAB_CTX_AUT_DAT
>
> -------- HAB Event 4 --------
> event data:
> db 00 10 40 f0 00 db 00
> 40 00 10 00 00 00 00 40
> status: HAB_STATUS_SUCCESS reason: HAB_RSN_ANY context: HAB_CTX_AUT_DAT
>
> -------- HAB Event 5 --------
> event data:
> db 00 08 40 33 03 cf 00
> status: HAB_STATUS_FAILURE reason: HAB_UNS_COMMAND context: HAB_CTX_CSF

* [U-Boot] mxs: HAB experiments
From: Florian Achleitner @ 2015-11-18 9:57 UTC
To: u-boot

Hi,

On Wednesday, November 18, 2015 09:55:12 AM Marek Vasut wrote:
> On Tuesday, November 17, 2015 at 02:16:06 PM, Florian Achleitner wrote:
> > Hi Marek,
>
> Hi,
>
> > thanks for your contributions to support mxs HAB v4 in u-boot. I'm
> > currently experimenting with HAB on my imx28 board. I think I put
> > everything together quite well.
> >
> > But examining the HAB event log I see two successful authentications for
> > the u-boot.bin and the IVT followed by a FAILURE with "unsupported
> > command" in the "CSF Context". It is the same for both the SPL and the
> > main u-boot. Did you see something similar? It suggests a wrong command in
> > the CSF file, but I think there is not a lot that can be wrong in the CSF
> > input file for the cst tool. But probably the cst output is different
> > between versions? I use version BLN_CST_MAIN_02.03.00.
> >
> > I use u-boot's mkimage, which can generate a signed boot stream, together
> > with your hand-crafted IVT generator in the Makefile.
>
> Can you share your CSF files (make sure to blank out the private material) ?

The CSF follows. It is the same for the spl and the main u-boot.

Anyways, I currently suspect the cst tool in its current version (2.3.1) to
produce binaries that are incompatible with the mx28 HAB Rom. However, I
couldn't find an older version of the cst yet, so I can't try it at the
moment.

Thanks!
Florian

[Header]
Version = 4.0
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = DCP

[Install SRK]
File = "$SRK_1_2_table.bin"
Source index = 0

[Install CSFK]
File = "$CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
Verification index = 0
Target index = 2
File = "$IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2

* [U-Boot] mxs: HAB experiments
From: Marek Vasut @ 2015-11-18 10:01 UTC
To: u-boot

On Wednesday, November 18, 2015 at 10:57:13 AM, Florian Achleitner wrote:
> Hi,
>
> On Wednesday, November 18, 2015 09:55:12 AM Marek Vasut wrote:
> > On Tuesday, November 17, 2015 at 02:16:06 PM, Florian Achleitner wrote:
> > > Hi Marek,
> >
> > Hi,
> >
> > > thanks for your contributions to support mxs HAB v4 in u-boot. I'm
> > > currently experimenting with HAB on my imx28 board. I think I put
> > > everything together quite well.
> > >
> > > But examining the HAB event log I see two successful authentications
> > > for the u-boot.bin and the IVT followed by a FAILURE with "unsupported
> > > command" in the "CSF Context". It is the same for both the SPL and
> > > the main u-boot. Did you see something similar? It suggests a wrong
> > > command in the CSF file, but I think there is not a lot that can be
> > > wrong in the CSF input file for the cst tool. But probably the cst
> > > output is different between versions? I use version
> > > BLN_CST_MAIN_02.03.00.
> > >
> > > I use u-boot's mkimage, which can generate a signed boot stream,
> > > together with your hand-crafted IVT generator in the Makefile.
> >
> > Can you share your CSF files (make sure to blank out the private
> > material) ?
>
> The CSF follows. It is the same for the spl and the main u-boot.
>
> Anyways, I currently suspect the cst tool in its current version (2.3.1) to
> produce binaries that are incompatible with the mx28 HAB Rom. However, I
> couldn't find an older version of the cst yet, so I can't try it at the
> moment.
>
> Thanks!
> Florian
>
> [Header]
> Version = 4.0
> Hash Algorithm = sha256
> Engine Configuration = 0
> Certificate Format = X509
> Signature Format = CMS
> Engine = DCP

I use "Engine = ANY" here, not sure if it matters.

> [Install SRK]
> File = "$SRK_1_2_table.bin"
> Source index = 0
>
> [Install CSFK]
> File = "$CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
>
> [Authenticate CSF]
>
> [Install Key]
> Verification index = 0
> Target index = 2
> File = "$IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
>
> [Authenticate Data]
> Verification index = 2

Here I use "Engine = DCP" (missing in your example)

I am using BLN_CST_MAIN_02.00.00 btw.

Best regards,
Marek Vasut

* [U-Boot] mxs: HAB experiments
From: Florian Achleitner @ 2015-11-18 12:39 UTC
To: u-boot

On Wednesday, November 18, 2015 11:01:03 AM Marek Vasut wrote:
> > [Header]
> > Version = 4.0
> > Hash Algorithm = sha256
> > Engine Configuration = 0
> > Certificate Format = X509
> > Signature Format = CMS
> > Engine = DCP
>
> I use "Engine = ANY" here, not sure if it matters.

Makes no difference.

> > [Install SRK]
> > File = "$SRK_1_2_table.bin"
> > Source index = 0
> >
> > [Install CSFK]
> > File = "$CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
> >
> > [Authenticate CSF]
> >
> > [Install Key]
> > Verification index = 0
> > Target index = 2
> > File = "$IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
> >
> > [Authenticate Data]
> > Verification index = 2
>
> Here I use "Engine = DCP" (missing in your example)

Also no difference.

> I am using BLN_CST_MAIN_02.00.00 btw.

I think I have to try this version..

> Best regards,
> Marek Vasut

Thanks!
Florian

* [U-Boot] mxs: HAB: current CST broken
From: Florian Achleitner @ 2015-11-26 9:24 UTC
To: u-boot

Hi,

for everybody's information:

On Wednesday, November 18, 2015 11:01:03 AM Marek Vasut wrote:
> On Wednesday, November 18, 2015 at 10:57:13 AM, Florian Achleitner wrote:
> > On Wednesday, November 18, 2015 09:55:12 AM Marek Vasut wrote:
> > [..]
> > Anyways, I currently suspect the cst tool in its current version (2.3.1)
> > to produce binaries that are incompatible with the mx28 HAB Rom. However,
> > I couldn't find an older version of the cst yet, so I can't try it at the
> > moment.
> [...]
>
> I am using BLN_CST_MAIN_02.00.00 btw.

I eventually got version BLN_CST_MAIN_02.00.00 from freescale support, and
it works nicely with the i.mx28 HAB.

Thus, I'm quite sure that the current version BLN_CST_MAIN_02.03.00 is
simply broken at least for i.mx28.

hth,
Florian

* [U-Boot] mxs: HAB: current CST broken
From: Marek Vasut @ 2015-11-26 11:06 UTC
To: u-boot

On Thursday, November 26, 2015 at 10:24:50 AM, Florian Achleitner wrote:
> Hi,

Hi,

> for everybody's information:
>
> On Wednesday, November 18, 2015 11:01:03 AM Marek Vasut wrote:
> > On Wednesday, November 18, 2015 at 10:57:13 AM, Florian Achleitner wrote:
> > > On Wednesday, November 18, 2015 09:55:12 AM Marek Vasut wrote:
> > >
> > > [..]
> > > Anyways, I currently suspect the cst tool in its current version
> > > (2.3.1) to produce binaries that are incompatible with the mx28 HAB
> > > Rom. However, I couldn't find an older version of the cst yet, so I
> > > can't try it at the moment.
> >
> > [...]
> >
> > I am using BLN_CST_MAIN_02.00.00 btw.
>
> I eventually got version BLN_CST_MAIN_02.00.00 from freescale support, and
> it works nicely with the i.mx28 HAB.
>
> Thus, I'm quite sure that the current version BLN_CST_MAIN_02.03.00 is
> simply broken at least for i.mx28.

Thanks for the heads up! Would it be possible for you to check what's the
problem and submit a patch to make both versions work please?

Best regards,
Marek Vasut

* [U-Boot] mxs: HAB: current CST broken
From: Florian Achleitner @ 2015-11-26 12:51 UTC
To: u-boot

On Thursday, November 26, 2015 12:06:42 PM Marek Vasut wrote:
> On Thursday, November 26, 2015 at 10:24:50 AM, Florian Achleitner wrote:
> > Hi,
>
> Hi,
>
> > for everybody's information:
> >
> > On Wednesday, November 18, 2015 11:01:03 AM Marek Vasut wrote:
> > > On Wednesday, November 18, 2015 at 10:57:13 AM, Florian Achleitner wrote:
> > > > On Wednesday, November 18, 2015 09:55:12 AM Marek Vasut wrote:
> > > >
> > > > [..]
> > > > Anyways, I currently suspect the cst tool in its current version
> > > > (2.3.1) to produce binaries that are incompatible with the mx28 HAB
> > > > Rom. However, I couldn't find an older version of the cst yet, so I
> > > > can't try it at the moment.
> > >
> > > [...]
> > >
> > > I am using BLN_CST_MAIN_02.00.00 btw.
> >
> > I eventually got version BLN_CST_MAIN_02.00.00 from freescale support, and
> > it works nicely with the i.mx28 HAB.
> >
> > Thus, I'm quite sure that the current version BLN_CST_MAIN_02.03.00 is
> > simply broken at least for i.mx28.
>
> Thanks for the heads up! Would it be possible for you to check what's the
> problem and submit a patch to make both versions work please?

I guess, no. I think there is nothing to be done on u-boot's side. From the
outside, the cst still looks the same, all inputs are the same. And this
tool is known to be closed-source. I can only compare the output. The binary
it produces differs significantly between the two versions. This must be
fixed by freescale in the cst. Their support promised to forward the issue.

> Best regards,
> Marek Vasut

Best Regards,
Florian

* [U-Boot] mxs: HAB: current CST broken
From: Marek Vasut @ 2015-11-26 12:52 UTC
To: u-boot

On Thursday, November 26, 2015 at 01:51:17 PM, Florian Achleitner wrote:
> On Thursday, November 26, 2015 12:06:42 PM Marek Vasut wrote:
> > On Thursday, November 26, 2015 at 10:24:50 AM, Florian Achleitner wrote:
> > > Hi,
> >
> > Hi,
> >
> > > for everybody's information:
> > >
> > > On Wednesday, November 18, 2015 11:01:03 AM Marek Vasut wrote:
> > > > On Wednesday, November 18, 2015 at 10:57:13 AM, Florian Achleitner
> > > > wrote:
> > > > > On Wednesday, November 18, 2015 09:55:12 AM Marek Vasut wrote:
> > > > >
> > > > > [..]
> > > > > Anyways, I currently suspect the cst tool in its current version
> > > > > (2.3.1) to produce binaries that are incompatible with the mx28
> > > > > HAB Rom. However, I couldn't find an older version of the cst yet,
> > > > > so I can't try it at the moment.
> > > >
> > > > [...]
> > > >
> > > > I am using BLN_CST_MAIN_02.00.00 btw.
> > >
> > > I eventually got version BLN_CST_MAIN_02.00.00 from freescale support,
> > > and it works nicely with the i.mx28 HAB.
> > >
> > > Thus, I'm quite sure that the current version BLN_CST_MAIN_02.03.00 is
> > > simply broken at least for i.mx28.
> >
> > Thanks for the heads up! Would it be possible for you to check what's the
> > problem and submit a patch to make both versions work please?
>
> I guess, no. I think there is nothing to be done on u-boot's side. From the
> outside, the cst still looks the same, all inputs are the same. And this
> tool is known to be closed-source. I can only compare the output. The
> binary it produces differs significantly between the two versions. This
> must be fixed by freescale in the cst. Their support promised to forward
> the issue.

Please keep an eye on them at least. Thanks!

Best regards,
Marek Vasut

* [U-Boot] mxs: HAB: current CST broken
From: Florian Achleitner @ 2015-11-26 13:03 UTC
To: u-boot

On Thursday, November 26, 2015 01:52:58 PM Marek Vasut wrote:
> On Thursday, November 26, 2015 at 01:51:17 PM, Florian Achleitner wrote:
> > On Thursday, November 26, 2015 12:06:42 PM Marek Vasut wrote:
> > > [...]
> > > Thanks for the heads up! Would it be possible for you to check what's
> > > the problem and submit a patch to make both versions work please?
> >
> > I guess, no. I think there is nothing to be done on u-boot's side. From
> > the outside, the cst still looks the same, all inputs are the same. And
> > this tool is known to be closed-source. I can only compare the output.
> > The binary it produces differs significantly between the two versions.
> > This must be fixed by freescale in the cst. Their support promised to
> > forward the issue.
>
> Please keep an eye on them at least. Thanks!

I'll keep you up-to-date!

Florian

> Best regards,
> Marek Vasut

* [U-Boot] mxs: HAB: current CST broken
From: Marek Vasut @ 2015-11-26 13:09 UTC
To: u-boot

On Thursday, November 26, 2015 at 02:03:16 PM, Florian Achleitner wrote:
> On Thursday, November 26, 2015 01:52:58 PM Marek Vasut wrote:
> > On Thursday, November 26, 2015 at 01:51:17 PM, Florian Achleitner wrote:
> > > On Thursday, November 26, 2015 12:06:42 PM Marek Vasut wrote:
> > > > [...]
> > > >
> > > > Thanks for the heads up! Would it be possible for you to check what's
> > > > the problem and submit a patch to make both versions work please?
> > >
> > > I guess, no. I think there is nothing to be done on u-boot's side. From
> > > the outside, the cst still looks the same, all inputs are the same. And
> > > this tool is known to be closed-source. I can only compare the output.
> > > The binary it produces differs significantly between the two versions.
> > > This must be fixed by freescale in the cst. Their support promised to
> > > forward the issue.
> >
> > Please keep an eye on them at least. Thanks!
>
> I'll keep you up-to-date!

Thanks!

Best regards,
Marek Vasut