I’m performing some secure boot tests on the Toradex Colibri iMX7D 1GB v1.1 module.
By following the procedure explained in AN4581, I am able to create a custom signed u-boot and to verify it by means of the hab_status command.
I successfully used easy installer 1.8 (via USB OTG) to update the u-boot.
The next step was to extend the root of trust to the Linux Kernel (Appendix G of AN4581) by signing the zImage.
As with u-boot, I successfully loaded the new kernel via easy installer, but the execution of the hab_auth_img command failed.
As I figured out, I need to “close” the device by blowing the SEC_CONFIG bit in order to let u-boot verify the kernel signature.
After I closed the device, I was no longer able to use easy installer.
Here is the output of the execution of “recovery-windows.bat”:
config file <recovery\\\imx_usb.conf>
vid=0x15a2 pid=0x0054 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0076 file_name=mx7_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx7_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0080 file_name=mx6ull_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6ull_usb_sdp_uboot.conf
config file <recovery\\\mx7_usb_rom.conf>
parse recovery\\\mx7_usb_rom.conf
Trying to open device vid=0x15a2 pid=0x0076
Interface 0 claimed
HAB security state: production mode (0x12343412)
== work item
filename u-boot.imx
load_size 0 bytes
load_addr 0x83f00000
dcd 1
clear_dcd 0
plug 0
jump_mode 2
jump_addr 0x00000000
== end work item
loading DCD table @0x910000
<<<-588, 1024 bytes>>>
succeeded (status 0x128a8a12)
loading binary file(u-boot.imx) to 877ff400, skip=0, fsize=55c00 type=aa
<<<351232, 351232 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400
j4 in err=0, last_trans=64 33 22 0a 00
config file <recovery\\\mx7_usb_sdp_uboot.conf>
parse recovery\\\mx7_usb_sdp_uboot.conf
Trying to open device vid=0x1b67 pid=0x4000.........................
Could not open device vid=0x1b67 pid=0x4000
Premere un tasto per continuare . . .
From the serial console no output showed up.
HAB security state: production mode (0x12343412)
Could being in production mode conflict with the unsigned Toradex Easy Installer u-boot?
How is it possible to update a zImage in a “closed” device?
It is still technically possible to use the easy installer to load binaries onto a closed device. For Easy Installer V1.8 we use a variant of imx_usb_loader for the recovery mode utility. Our source for this tool does have a commit that enables support for loading a signed binary onto a closed device (Use the DCD_WRITE SDP command · toradex/imx_loader@6deb910 · GitHub).
Appendix F of AN4581 describes modifications to your CSF file needed to make use of the SDP which the imx_usb_loader uses.
As for specifics, I’m afraid we don’t have anyone here at Toradex that has tried to use our Easy Installer tool on a device that has been closed via HAB. So I’m unable to provide more detail than this.
I dug deeper into this issue and, as I understand it, in a “closed” device the Toradex Easy Installer must also have a signed u-boot.imx.
Thus, following Appendix E and F of AN4581, I have tried to sign the u-boot.imx present in the Easy installer root directory, but the problem still persists. Looking at the HAB errors, it’s probably due to a u-boot built without CONFIG_SECURE_BOOT=y in its config.
Then I downloaded the u-boot source code, built it with secure boot enabled, signed it, and here is what I got as a result:
config file <recovery\\\imx_usb.conf>
vid=0x15a2 pid=0x0054 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0076 file_name=mx7_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx7_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0080 file_name=mx6ull_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6ull_usb_sdp_uboot.conf
config file <recovery\\\mx7_usb_rom.conf>
parse recovery\\\mx7_usb_rom.conf
Trying to open device vid=0x15a2 pid=0x0076
Interface 0 claimed
HAB security state: production mode (0x12343412)
== work item
filename u-boot.imx
load_size 0 bytes
load_addr 0x83f00000
dcd 1
clear_dcd 0
plug 0
jump_mode 2
jump_addr 0x00000000
== end work item
loading DCD table @0x910000
<<<-588, 1024 bytes>>>
succeeded (status 0x128a8a12)
loading binary file(u-boot.imx) to 877ff400, skip=0, fsize=61814 type=aa
<<<399380, 400384 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400
config file <recovery\\\mx7_usb_sdp_uboot.conf>
parse recovery\\\mx7_usb_sdp_uboot.conf
Trying to open device vid=0x1b67 pid=0x4000.........................
Could not open device vid=0x1b67 pid=0x4000
Premere un tasto per continuare . . .
No HAB errors appear and I can see u-boot starting up on the console.
But I still cannot open device vid=0x1b67 pid=0x4000.
I suppose it is due to SDP not being enabled by default in u-boot, isn’t it?
Is it possible to obtain the .config that has been used to compile the u-boot present in your Toradex Easy Installer?
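Added example, not part of any post in this thread and not Toradex or NXP code: a small triage of the loader output quoted above. Both quoted runs report status 0x88888888 for the transfer, so the log alone cannot separate the two failures; the function therefore also takes what the serial console showed. The "open" HAB value and the verdict wording are assumptions of this example, and the verdicts restate the hypotheses raised in the posts.

```python
import re

# 0x12343412 and 0x88888888 appear in the quoted logs. The "open" value is not
# on the page; it is the development-mode constant in imx_usb_loader (assumption).
HAB_STATES = {0x12343412: "closed", 0x56787856: "open"}
WRITE_COMPLETE = 0x88888888

# Condensed from the loader output quoted in the thread.
SAMPLE_LOG = """\
Trying to open device vid=0x15a2 pid=0x0076
HAB security state: production mode (0x12343412)
loading binary file(u-boot.imx) to 877ff400, skip=0, fsize=55c00 type=aa
<<<351232, 351232 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400
Trying to open device vid=0x1b67 pid=0x4000.........................
Could not open device vid=0x1b67 pid=0x4000
"""

def triage(log, uboot_on_console):
    """Classify one recovery run; uboot_on_console is what the serial port showed."""
    hab = re.search(r"HAB security state: .*\((0x[0-9a-fA-F]+)\)", log)
    state = HAB_STATES.get(int(hab.group(1), 16), "unknown") if hab else "unknown"
    # Status word that follows the image transfer (not the DCD write before it).
    sent = re.search(r"loading binary file\((\S+?)\).*?status (0x[0-9a-fA-F]+)\)", log, re.S)
    transferred = bool(sent) and int(sent.group(2), 16) == WRITE_COMPLETE
    jumped = "jumping to" in log
    lost = re.search(r"Could not open device vid=(0x[0-9a-fA-F]+) pid=(0x[0-9a-fA-F]+)", log)
    if not (transferred and jumped):
        verdict = "ROM stage failed: image not fully transferred or never started"
    elif lost is None:
        verdict = "second-stage device enumerated"
    elif uboot_on_console:
        verdict = "U-Boot runs but exposes no SDP device: check its SDP config"
    elif state == "closed":
        verdict = "closed device, silent console: image likely failed HAB authentication"
    else:
        verdict = "image did not start for a reason unrelated to HAB closure"
    return {"hab": state, "transferred": transferred, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, uboot_on_console=False))  # first run in the thread
    print(triage(SAMPLE_LOG, uboot_on_console=True))   # second run in the thread
```
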
Hello @lupo
Could you explain in brief the steps followed to solve this issue?
I face a similar issue, wherein I have closed my device by blowing the necessary fuses and now I am unable to use the easy installer application to flash any images onto my board.
Any suggestions, please?
Hello @lupo
I am also facing exactly the same issue on an I.MX7D module. After closing the device I tried to flash an unsigned image to my board via the easy installer application. The device didn’t boot up and is frozen. Is there any solution to this? How can I recover the module so that I can test both my signed and unsigned images via the easy installer application? Kindly address this at the earliest, please.
Hi @lupo
Thanks for the reply and letting me know the steps to recover the board.
I followed your steps but sadly, still couldn’t recover the board.
The procedure I carried out:
I tried to clone a new U-boot package, building it for the config specified by you, “colibri_imx7_tezi_recovery_defconfig”, enabling the security features and then signing it with the keys which I have already dumped onto the board (I mean using the SRKs for signing…), then replacing the signed u-boot.imx in the root folder of toradex easy installer.
Then I followed the recovery mode procedure for the toradex I.MX7 module and tried to flash the easy installer image, but it failed to download the easy installer onto the board.
loading binary file(u-boot.imx) to 877ff400, skip=0, fsize=59c00 type=aa
<<<367616, 367616 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400
j4 in err=0, last_trans=64 33 18 c0 00
config file <./recovery//mx7_usb_sdp_uboot.conf>
parse ./recovery//mx7_usb_sdp_uboot.conf
Trying to open device vid=0x1b67 pid=0x4000…
Could not open device vid=0x1b67 pid=0x4000
and replacing the signed binary in the root folder of toradex easy installer …it was successful.
I was able to load the easy installer application on the board.
So just to confirm, was this the process you mentioned earlier for signing the U-boot binary, or is it something else?
Correct me if something is wrong.