Hi everyone

I am having a problem with a Freescale imx28 to get HAB (High Assurance Boot) working with U-Boot. I understand that this is a question regarding one specific processor model but since I have seen several patches from Marek Vasut which deal with this specific processor I am taking a chance that I can get some help here.

What I have done is that I have started with a mainline U-Boot (v2016.01) and I have added/modified a few hab-related items.

* board/freescale/mx28evk/sign/u-boot-spl.csf * board/freescale/mx28evk/sign/u-boot.csf * board/freescale/mx28evk/hab.h * board/freescale/mx28evk/hab_types.h * board/freescale/mx28evk/mx28evk.c

A complete patch of these files is included. I am also not certain that my csf files are correct but I get HAB errors even before I get to that point so it should be irrelevant at the moment.

The following files have been copied from the cst tool to the u-boot root directory. * CSF1_1_sha256_1024_65537_v3_usr_crt.pem * CSF1_1_sha256_1024_65537_v3_usr_key.pem * IMG1_1_sha256_1024_65537_v3_usr_crt.pem * IMG1_1_sha256_1024_65537_v3_usr_key.pem * srk_table.bin * srk_fuses.bin * key_pass.txt

The certificates are generated with the CST tool downloaded from Freescale. The above example uses a 1024 bit RSA key but I have also tested with 2048 bits without any luck. The srk_table is generated using the Freescale srktool $ srktool -h 4 -t srk_table.bin -e srk_fuses.bin -d sha256 -c crts/SRK1_sha256_1024_65537_v3_ca_crt.pem -f 1

Once all this was in placed I built and ran it using $ make mrproper $ make mx28evk_nand_config $ make u-boot-signed.sb $ sudo mxsldr u-boot-signed.sb

I get the following result: --------- HAB Event 1 ----------------- event data: 0xdb 0x00 0x14 0x40 0x33 0x21 0xc0 0x00 0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00 0x00 0x00 0x00 0x50

(HAB_INV_CERTIFICATE 0x21)

--------- HAB Event 2 ----------------- event data: 0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x80 0x00 0x00 0x00 0x00 0x20

(HAB_INV_ASSERTION 0x0C)

--------- HAB Event 3 ----------------- event data: 0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x10 0x00 0x00 0x00 0x00 0x04

(HAB_INV_ASSERTION 0x0C)

--------- HAB Event 4 ----------------- event data: 0xdb 0x00 0x14 0x40 0x33 0x21 0xc0 0x00 0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00 0x00 0x00 0x00 0x50

(HAB_INV_CERTIFICATE 0x21)

--------- HAB Event 5 ----------------- event data: 0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x40 0x00 0x10 0x00 0x00 0x00 0x00 0x20

(HAB_INV_ASSERTION 0x0C)

--------- HAB Event 6 ----------------- event data: 0xdb 0x00 0x14 0x40 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x40 0x00 0x20 0x00 0x00 0x00 0x00 0x04

(HAB_INV_ASSERTION 0x0C)

We get two invalid certificates. These are from u-boot-spl and u-boot. The asserts are the execution of the unverified code. I'm at a loss what I might have done wrong and I am hoping Marek perhaps can help me with this issue.

As I mentioned before I am not certain my csf files are correct. I suspect the Authenticate Data part might be wrong but if I get a signature error it would be another error code indicating a CSF verification error (HAB_INV_CSF 0x11).

Another issue I also have is that I am not certain I have burned the fuses properly in the hardware but yet again that should cause a verification error and not an invalid certificate error. At least that is what I believe but now when typing this I am getting uncertain.

If Marek or anyone can shed any light on this I am thankful for any assistance.

Many thanks in advance, Per Smitt