From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
To: u-boot@lists.denx.de
Subject: [U-Boot] nxp: HABv4 secure boot on iMX7 NAND broken
Date: Tue, 30 Jul 2019 15:33:34 +0100 [thread overview]
Message-ID: <ecc38155-7c94-6c78-150c-84c26c444154@linaro.org> (raw)
In-Reply-To: <CAByghJYuXCh=AyUkEu+GUUNwLrR_y+akpeFOgg1h+6AWfA6T_g@mail.gmail.com>
On 30/07/2019 15:26, Igor Opaniuk wrote:
> Anyway, let me go through this article one more time,
> and I'll get back to you.
If I've understood you, you are using the same binary for serial
download and flash booting.
Won't work unfortunately - there's an extra DCD directive in the
recovery image.
Here's my recovery CSF
deckard at event-horizon:~/Development/mbl-u-boot$ cat uboot-c-s-f-recover.txt
# SPDX-License-Identifier: GPL-2.0
[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
[Install SRK]
File = "SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = HAB_BLOCKS_REPLACE "IMAGE_IMX_HAB_NAME_REPLACE"
[Authenticate Data]
Verification index = 2
Blocks = DCD_BLOCKS_REPLACE "IMAGE_IMX_DCD_NAME_REPLACE"
and my eMMC CSF
deckard at event-horizon:~/Development/mbl-u-boot$ cat uboot-c-s-f.txt
# SPDX-License-Identifier: GPL-2.0
[Header]
Version = 4.1
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
[Install SRK]
File = "SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
File = "CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
File = "IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = HAB_BLOCKS_REPLACE "IMAGE_IMX_HAB_NAME_REPLACE"
next prev parent reply other threads:[~2019-07-30 14:33 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-30 11:00 [U-Boot] nxp: HABv4 secure boot on iMX7 NAND broken Igor Opaniuk
2019-07-30 13:32 ` Bryan O'Donoghue
2019-07-30 13:56 ` Igor Opaniuk
2019-07-30 14:02 ` Bryan O'Donoghue
2019-07-30 14:08 ` Bryan O'Donoghue
2019-07-30 14:26 ` Igor Opaniuk
2019-07-30 14:33 ` Bryan O'Donoghue [this message]
2019-09-12 13:55 ` Igor Opaniuk
2019-09-16 2:54 ` Breno Matheus Lima
2019-09-16 8:42 ` Igor Opaniuk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ecc38155-7c94-6c78-150c-84c26c444154@linaro.org \
--to=bryan.odonoghue@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.