From mboxrd@z Thu Jan 1 00:00:00 1970
From: Igor Opaniuk
Date: Tue, 30 Jul 2019 17:26:51 +0300
Subject: [U-Boot] nxp: HABv4 secure boot on iMX7 NAND broken
In-Reply-To: <5c151f7d-f108-982f-b221-578a528c0c61@linaro.org>
References: <6a373006-65e5-191a-1ae7-d66bfaa66be5@linaro.org> <5c151f7d-f108-982f-b221-578a528c0c61@linaro.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: u-boot@lists.denx.de

Hi Bryan,

On Tue, Jul 30, 2019 at 5:08 PM Bryan O'Donoghue wrote:
>
>
>
> On 30/07/2019 15:02, Bryan O'Donoghue wrote:
> >
> >
> > On 30/07/2019 14:56, Igor Opaniuk wrote:
> >>> Does that happen ?
> >> Yes, it does.
> >
> > And the board is closed ?

Actually it's not.
In U-boot stored to RAM via recovery:

Colibri iMX7 # hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
        0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 5 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
        0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

> > Obviously yes it is.
>
> You have to sign the binary differently for serial download versus boot
> from eMMC - I guess this holds for NAND too.
>
> https://boundarydevices.com/high-assurance-boot-hab-dummies/
>
> I have a serial download version of u-boot and an eMMC version for
> signed boards for that reason i.e. you can't use the same image.
>
> HAB for dummies explains it.
>
> ---
> bod

Anyway, let me go through this article one more time, and I'll get back
to you.
Thanks for the suggestions!

-- 
Best regards - Freundliche Grüsse - Meilleures salutations

Igor Opaniuk

mailto: igor.opaniuk at gmail.com
skype: igor.opanyuk
+380 (93) 836 40 67
http://ua.linkedin.com/in/iopaniuk
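An added decoder for the raw "event data:" bytes in the hab_status dump above (example code written for this page, not from U-Boot or from anyone in the thread). It assumes the HABv4 event record layout (tag 0xDB, big-endian length, version 0x42, then STS/RSN/CTX/ENG) and that a HAB_CTX_ASSERT payload is three big-endian words: assertion type (0 = block assertion, meaning the range was not covered by an authenticated block), address and length; the lookup tables cover only the codes that appear in this thread.

```python
"""Decode HABv4 event records from a captured U-Boot `hab_status` dump.

Assumed layout: tag 0xDB, big-endian 16-bit record length, version 0x42,
STS, RSN, CTX, ENG, optional payload; a HAB_CTX_ASSERT payload is assumed to
be three big-endian words: assertion type (0 = block), address, length."""
import re
import struct

# Only codes seen in the thread (+ HAB_SUCCESS/HAB_WARNING); full tables: hab.c.
STS = {0x00: "HAB_STS_ANY", 0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xf0: "HAB_SUCCESS"}
RSN = {0x00: "HAB_RSN_ANY", 0x0c: "HAB_INV_ASSERTION", 0x22: "HAB_INV_ADDRESS"}
CTX = {0x00: "HAB_CTX_ANY", 0x0a: "HAB_CTX_AUTHENTICATE", 0xa0: "HAB_CTX_ASSERT"}
ENG = {0x00: "HAB_ENG_ANY"}


def parse_event(hexbytes: str) -> dict:
    """Parse one 'event data:' byte list (space-separated 0x.. tokens)."""
    raw = bytes(int(tok, 16) for tok in hexbytes.split())
    if len(raw) < 8 or raw[0] != 0xDB or raw[3] != 0x42:
        raise ValueError("not a HABv4 event record")
    length = struct.unpack(">H", raw[1:3])[0]
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes captured")
    ev = {"sts": STS.get(raw[4], f"0x{raw[4]:02x}"),
          "rsn": RSN.get(raw[5], f"0x{raw[5]:02x}"),
          "ctx": CTX.get(raw[6], f"0x{raw[6]:02x}"),
          "eng": ENG.get(raw[7], f"0x{raw[7]:02x}")}
    payload = raw[8:]
    if raw[6] == 0xA0 and len(payload) == 12:
        # Block assertion: [address, address+length) was not authenticated.
        kind, addr, size = struct.unpack(">III", payload)
        ev["assert"] = {"type": kind, "address": addr, "length": size}
    return ev


def parse_hab_status(console: str) -> list:
    """Extract and decode every 'event data:' block from a hab_status dump."""
    blocks = re.findall(r"event data:\s*((?:0x[0-9a-fA-F]{2}\s*)+)", console)
    return [parse_event(b) for b in blocks]


# Constructed sample: events 1 and 4 from the console log in the thread.
SAMPLE = """--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00
--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
        0x00 0x00 0x00 0x20
"""
```

Decoding event 4 this way yields address 0x877ff400 and length 0x20, i.e. the IVT region just below the 0x87800000 load address, which is the kind of range a RAM-loaded image signed for a different boot device leaves unauthenticated.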