From mboxrd@z Thu Jan  1 00:00:00 1970
From: Marek Vasut
Date: Wed, 18 Nov 2015 11:01:03 +0100
Subject: [U-Boot] mxs: HAB experiments
In-Reply-To: <7248552.1V5XTJgcqi@r90b40zn>
References: <4013722.vYVsa85hXv@r90b40zn> <201511180955.12795.marex@denx.de> <7248552.1V5XTJgcqi@r90b40zn>
Message-ID: <201511181101.04070.marex@denx.de>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On Wednesday, November 18, 2015 at 10:57:13 AM, Florian Achleitner wrote:
> Hi,
>
> On Wednesday, November 18, 2015 09:55:12 AM Marek Vasut wrote:
> > On Tuesday, November 17, 2015 at 02:16:06 PM, Florian Achleitner wrote:
> > > Hi Marek,
> >
> > Hi,
> >
> > > thanks for your contributions to support mxs HAB v4 in u-boot. I'm
> > > currently experimenting with HAB on my imx28 board. I think I put
> > > everything together quite well.
> > >
> > > But examining the HAB event log I see two successful authentications
> > > for the u-boot.bin and the IVT followed by a FAILURE with "unsupported
> > > command" in the "CSF Context". It is the same for both the SPL and
> > > the main u-boot. Did you see something similar? It suggests a wrong
> > > command in the CSF file, but I think there is not a lot that can be
> > > wrong in the CSF input file for the cst tool. But probably the cst
> > > output is different between versions? I use version
> > > BLN_CST_MAIN_02.03.00.
> > >
> > > I use u-boot's mkimage, which can generate a signed boot stream,
> > > together with your hand-crafted IVT generator in the Makefile.
> >
> > Can you share your CSF files (make sure to blank out the private
> > material) ?
>
> The CSF follows. It is the same for the spl and the main u-boot.
>
> Anyways, I currently suspect the cst tool in its current version (2.3.1) to
> produce binaries that are incompatible with the mx28 HAB Rom. However, I
> couldn't find an older version of the cst yet, so I can't try it at the
> moment.
>
> Thanks!
> Florian
>
> [Header]
> Version = 4.0
> Hash Algorithm = sha256
> Engine Configuration = 0
> Certificate Format = X509
> Signature Format = CMS
> Engine = DCP

I use "Engine = ANY" here, not sure if it matters.

>
> [Install SRK]
> File = "$SRK_1_2_table.bin"
> Source index = 0
>
> [Install CSFK]
> File = "$CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
>
> [Authenticate CSF]
>
> [Install Key]
> Verification index = 0
> Target index = 2
> File = "$IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
>
> [Authenticate Data]
> Verification index = 2

Here I use "Engine = DCP" (missing in your example)

I am using BLN_CST_MAIN_02.00.00 btw.

Best regards,
Marek Vasut
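
Added example, not part of the original message or of U-Boot: a small Python sketch that parses two CSF description files command by command and lists the settings that differ, which is the comparison the thread does by eye. `parse_csf`, `diff_csf` and `MAREK_VARIANT` are hypothetical names; the variant is constructed only from the two remarks in the reply above (the full second CSF is not on the page), and lines starting with `#` are treated as comments.

```python
# CSF exactly as quoted in the thread (blank lines dropped).
FLORIAN_CSF = '''\
[Header]
Version = 4.0
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = DCP
[Install SRK]
File = "$SRK_1_2_table.bin"
Source index = 0
[Install CSFK]
File = "$CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
Verification index = 0
Target index = 2
File = "$IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
'''
# Constructed variant: header engine ANY, Engine = DCP added to the last command.
MAREK_VARIANT = FLORIAN_CSF.replace("Engine = DCP", "Engine = ANY") + "Engine = DCP\n"

def parse_csf(text):
    """Return an ordered list of (command, {key: value}); commands may repeat."""
    sections = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), {}))
        elif "=" in line and sections:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[-1][1][key.lower()] = value  # keys compared case-insensitively
        else:
            raise ValueError(f"line {n}: cannot parse {raw!r}")
    return sections

def diff_csf(a, b):
    """List (position, command, key, value_a, value_b) where two CSFs differ."""
    pa, pb = parse_csf(a), parse_csf(b)
    if [s for s, _ in pa] != [s for s, _ in pb]:
        raise ValueError("command sequences differ; compare them by hand")
    return [(i, name, k, ka.get(k), kb.get(k))
            for i, ((name, ka), (_, kb)) in enumerate(zip(pa, pb))
            for k in sorted(ka.keys() | kb.keys()) if ka.get(k) != kb.get(k)]
```

`diff_csf(FLORIAN_CSF, MAREK_VARIANT)` returns two rows: the `engine` value in `[Header]` (`DCP` against `ANY`) and the `engine` key that is absent from one `[Authenticate Data]` and set to `DCP` in the other.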