Cannot use Toradex Easy Installer with closed device

lupo · September 6, 2019, 1:50pm

Hi everyone,

I’m performing some secure boot tests on the Toradex Colibri iMX7D 1GB v1.1 module.

By following the procedure explained in AN4581, I am able to create a custom signed u-boot and to verify it by means of hab_status command.
I successfully used easy installer 1.8 (via USB OTG) to update the u-boot.

The next step was to extend the root of trust to the Linux Kernel (Appendix G of AN4581) signing the zImage.
As for u-boot, I successfully load the new kernel via easy installer but the execution of hab_auth_img command failed.

As I figured out, I need to “close” the device by blowing the SEC_CONFIG bit in order to let the u-boot to verify the kernel signature.
After I closed the device, I was not able anymore to use easy installer.

Here is the output of the execution od “recovery-windows.bat”

config file <recovery\\\imx_usb.conf>
vid=0x15a2 pid=0x0054 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0076 file_name=mx7_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx7_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0080 file_name=mx6ull_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6ull_usb_sdp_uboot.conf
config file <recovery\\\mx7_usb_rom.conf>
parse recovery\\\mx7_usb_rom.conf
Trying to open device vid=0x15a2 pid=0x0076
Interface 0 claimed
HAB security state: production mode (0x12343412)
== work item
filename u-boot.imx
load_size 0 bytes
load_addr 0x83f00000
dcd 1
clear_dcd 0
plug 0
jump_mode 2
jump_addr 0x00000000
== end work item
loading DCD table @0x910000

<<<-588, 1024 bytes>>>
succeeded (status 0x128a8a12)

loading binary file(u-boot.imx) to 877ff400, skip=0, fsize=55c00 type=aa

<<<351232, 351232 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400
j4 in err=0, last_trans=64  33 22 0a 00
config file <recovery\\\mx7_usb_sdp_uboot.conf>
parse recovery\\\mx7_usb_sdp_uboot.conf
Trying to open device vid=0x1b67 pid=0x4000.........................
Could not open device vid=0x1b67 pid=0x4000
Premere un tasto per continuare . . .

From the serial console no output showed up.

HAB security state: production mode (0x12343412)

Being in production mode could collide with the not signed Toradex Easy Installer’s u-boot?
How is it possibile to update a zImage in a “closed” device?

Thank you in advance for your support.

Luca

jeremias.tx · September 6, 2019, 11:05pm

Greetings @lupo,

It still is technically possible to use the easy installer to load binaries unto a closed device. For Easy Installer V1.8 we use a variant of imx_usb_loader for the recovery mode utility. Our source for this tool does have a commit that enables support for loading a signed binary unto a closed device (Use the DCD_WRITE SDP command · toradex/imx_loader@6deb910 · GitHub).

Appendix F of AN4581 describes modifications to your CSF file needed to make use of the SDP which the imx_usb_loader uses.

As for specifics I’m afraid we don’t have anyone here at Toradex that has tried to use our Easy Installer tool on a device that has been closed via HAB. So I’m unable to provide more detail than this.

Best Regards,
Jeremias

lupo · September 9, 2019, 1:14pm

Hi @jeremias.tx ,
thank you for your suggest.

I dig deeper in this issue, and has I understood, in a “closed” device also the Toradex Easy Installer must have a signed u-boot.imx.
Thus, following Appendix E and F of AN4581, I have tried to sign the u-boot.imx present in the Easy installer root directory, but the problem still persist. By looking to HAB errors, probably it’s due to a u-boot built without CONFIG_SECURE_BOOT=y in its config.

Then, I downloaded the u-boot source code, built it with secure boot enabled, signed it and here is what I had as result:

config file <recovery\\\imx_usb.conf>
vid=0x15a2 pid=0x0054 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0076 file_name=mx7_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx7_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0080 file_name=mx6ull_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6ull_usb_sdp_uboot.conf
config file <recovery\\\mx7_usb_rom.conf>
parse recovery\\\mx7_usb_rom.conf
Trying to open device vid=0x15a2 pid=0x0076
Interface 0 claimed
HAB security state: production mode (0x12343412)
== work item
filename u-boot.imx
load_size 0 bytes
load_addr 0x83f00000
dcd 1
clear_dcd 0
plug 0
jump_mode 2
jump_addr 0x00000000
== end work item
loading DCD table @0x910000

<<<-588, 1024 bytes>>>
succeeded (status 0x128a8a12)

loading binary file(u-boot.imx) to 877ff400, skip=0, fsize=61814 type=aa

<<<399380, 400384 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400
config file <recovery\\\mx7_usb_sdp_uboot.conf>
parse recovery\\\mx7_usb_sdp_uboot.conf
Trying to open device vid=0x1b67 pid=0x4000.........................
Could not open device vid=0x1b67 pid=0x4000
Premere un tasto per continuare . . .

No HAB error appear and I can see u-boot starting up on the console.
But I still cannot open device vid=0x1b67 pid=0x4000.

I suppose is due to SDP that is not enabled by default in u-boot, isn’t it?
Is it possible to obtain the .config that has been used to compile the u-boot present in your Toradex Easy Installer?

Thank you,

Luca

jeremias.tx · September 9, 2019, 8:39pm

@lupo

For the eMMC i.MX7 we use this special easy installer u-boot config: colibri_imx7_emmc_tezi_defconfig « configs - u-boot-toradex.git - U-Boot bootloader for Apalis and Colibri modules

lupo · September 10, 2019, 12:54pm

@jeremias.tx,

I tried to compile my u-boot with the configuration you suggest but the result was the same as above.

By parsing the list of possible configurations, I found this one colibri_imx7_tezi_recovery_defconfig « configs - u-boot-toradex.git - U-Boot bootloader for Apalis and Colibri modules that works!! (it’s the only one named “recovery”)

This is my output:

config file <recovery\\\imx_usb.conf>
vid=0x15a2 pid=0x0054 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0076 file_name=mx7_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx7_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0080 file_name=mx6ull_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6ull_usb_sdp_uboot.conf
config file <recovery\\\mx7_usb_rom.conf>
parse recovery\\\mx7_usb_rom.conf
Trying to open device vid=0x15a2 pid=0x0076
Interface 0 claimed
HAB security state: production mode (0x12343412)
== work item
filename u-boot.imx
load_size 0 bytes
load_addr 0x83f00000
dcd 1
clear_dcd 0
plug 0
jump_mode 2
jump_addr 0x00000000
== end work item
loading DCD table @0x910000

<<<-588, 1024 bytes>>>
succeeded (status 0x128a8a12)

loading binary file(u-boot.imx) to 877ff400, skip=0, fsize=58814 type=aa

<<<362516, 363520 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400
config file <recovery\\\mx7_usb_sdp_uboot.conf>
parse recovery\\\mx7_usb_sdp_uboot.conf
Trying to open device vid=0x1b67 pid=0x4000
Interface 0 claimed
HAB security state: development mode (0x56787856)
== work item
filename tezi.itb
load_size 0 bytes
load_addr 0x82100000
dcd 0
clear_dcd 0
plug 0
jump_mode 0
jump_addr 0x00000000
== end work item
load_addr=82100000

loading binary file(tezi.itb) to 82100000, skip=0, fsize=1462718 type=0

<<<21374744, 21374976 bytes>>>
succeeded (status 0x88888888)
HAB security state: development mode (0x56787856)
== work item
filename boot-sdp.scr
load_size 0 bytes
load_addr 0x82000000
dcd 0
clear_dcd 0
plug 0
jump_mode 1
jump_addr 0x82000000
== end work item
load_addr=82000000

loading binary file(boot-sdp.scr) to 82000000, skip=0, fsize=12c type=aa

<<<300, 1024 bytes>>>
succeeded (status 0x88888888)
jumping to 0x82000000
ECHO disattivato.
== Successfully downloaded Tezi
Premere un tasto per continuare . . .

Now I’m able to use Toradex Easy Installer loaded through a signed u-boot!

Luca

jeremias.tx · September 10, 2019, 10:32pm

@lupo

Glad to hear you got it working! This is also helpful feedback for reference sake.

Jayanth · January 14, 2020, 1:19pm

Hello @lupo
Could you explain the steps followed in brief , to solve this issue.
I face similar issue , where in i have closed my device by blowing the necessary fuses and now i am unable to use easy installer application to flash any images on to my board.
Any suggestions plz.

Jayanth · January 14, 2020, 1:22pm

Hello @lupo
Even I am facing the exact similar issue in I.MX7D module. After closing the device I tried to flash an unsigned image to my board via easy installer application. The device didn’t booted up and is freezed. So any solution to this . How to recover the module back so that i can test both my signed and unsignd images via easy installer application . Kindly address this at the earliest plz

lupo · January 16, 2020, 8:51am

Hi @Jayanth,

once the device is closed, you must load only signed u-boot in order to boot up your device.

The Toradex Easy Installer, through the usage of the Serial Download Protocol, loads its own u-boot and image!

To let the Toradex Easy Installer to work again after the device closure operation, you need to recompile its u-boot, enable HAB support and sign it.

Here is the procedure:

Download the arm-linux-gnueabihf compiler.

wget -c https://releases.linaro.org/components/toolchain/binaries/6.2-2016.11/arm-linux-gnueabihf/gcc-linaro-6.2.1-2016.11-x86_64_arm-linux-gnueabihf.tar.xz
tar xvf gcc-linaro-6.2.1-2016.11-x86_64_arm-linux-gnueabihf.tar.xz gcc-linaro-6.2.1-2016.11-x86_64_arm-linux-gnueabihf/

Create an export file to setup the compie-time environment variables:

echo "export ARCH=arm" >> ~/export_compiler
echo "export PATH=~/gcc-linaro/bin/:$PATH" >> ~/export_compiler
echo "export CROSS_COMPILE=arm-linux-gnueabihf-" >> ~/export_compiler

Load the variables

source ~/export_compiler

Download the u-boot source code

cd
git clone -b 2016.11-toradex git://git.toradex.com/u-boot-toradex.git
cd u-boot-toradex
git checkout 2016.11-toradex

We need to define which config to use. Toradex Easy Installer use the “Recovery Defconfig”

make colibri_imx7_tezi_recovery_defconfig

Now, we can add the CONFIG_SECURE_BOOT to the .config file to enable the HAB support

CONFIG_SECURE_BOOT=y

Compile

make V=1

From now on, you can procede by signing the u-boot and substitute the one contained in the Toradex Easy Installer root folder.

Let me know if this procedure works.

Regards,

Luca

Jayanth · January 20, 2020, 9:59am

Hi@lupo
Thanks for the reply and letting me know the steps to recover the board.
I followed your steps but sadly, still couldn’t recover the board.

The procedure carried out by me :

I tried to clone a new U-boot package , building it for the config specified by you “colibri_imx7_tezi_recovery_defconfig” ,enabling the security features and then signing it with the keys which I have already dumped on to the board. (i mean using the SRKs for signing …)…then replacing the signed u-boot.imx in the root folder of toradex easy installer.
Then followed the recovery mode procedure for toradex I.MX7 module, I tried to flash the
easy installer image, but it failed to download the easy installer on to the board.

3.This is the error msg :

Jayanth · January 20, 2020, 10:02am

HI @lupo
Is there something which I missed out in these steps. Kindly let me know if I something needs to be handled apart from these steps. Thanks

Jayanth · January 20, 2020, 10:30am

Downloading Toradex Easy Installer…
config file <./recovery//imx_usb.conf>
vid=0x15a2 pid=0x0054 file_name=mx6_usb_rom.conf
→ vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
→ vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_rom.conf
→ vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
→ vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0076 file_name=mx7_usb_rom.conf
→ vid=0x1b67 pid=0x4000 file_name=mx7_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0080 file_name=mx6ull_usb_rom.conf
→ vid=0x1b67 pid=0x4000 file_name=mx6ull_usb_sdp_uboot.conf
config file <./recovery//mx7_usb_rom.conf>
parse ./recovery//mx7_usb_rom.conf
Trying to open device vid=0x15a2 pid=0x0076
Interface 0 claimed
HAB security state: production mode (0x12343412)
== work item
filename u-boot.imx
load_size 0 bytes
load_addr 0x83f00000
dcd 1
clear_dcd 0
plug 0
jump_mode 2
jump_addr 0x00000000
== end work item
loading DCD table @0x910000

<<<-588, 1024 bytes>>>
succeeded (status 0x128a8a12)

loading binary file(u-boot.imx) to 877ff400, skip=0, fsize=59c00 type=aa

<<<367616, 367616 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400
j4 in err=0, last_trans=64 33 18 c0 00
config file <./recovery//mx7_usb_sdp_uboot.conf>
parse ./recovery//mx7_usb_sdp_uboot.conf
Trying to open device vid=0x1b67 pid=0x4000…
Could not open device vid=0x1b67 pid=0x4000

Downloading Toradex Easy Installer failed…

Jayanth · January 20, 2020, 11:43am

On the other side, when I followed the steps mentioned as per this link
https://boundarydevices.com/high-assurance-boot-hab-dummies/
Section: What about imx_usb_loader?

and replacing the signed binary in the root folder of toradex easy installer …it was successful.
I was able to load the easy installer application on the board.

So just to confirm was this the process U mentioned earlier while signing the U-boot binary or is it something else.
Correct me if something is wrong.

Jayanth · January 20, 2020, 11:44am

Downloading Toradex Easy Installer…
[sudo] password for user:
config file <./recovery//imx_usb.conf>
vid=0x15a2 pid=0x0054 file_name=mx6_usb_rom.conf
→ vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
→ vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_rom.conf
→ vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
→ vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0076 file_name=mx7_usb_rom.conf
→ vid=0x1b67 pid=0x4000 file_name=mx7_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0080 file_name=mx6ull_usb_rom.conf
→ vid=0x1b67 pid=0x4000 file_name=mx6ull_usb_sdp_uboot.conf
config file <./recovery//mx7_usb_rom.conf>
parse ./recovery//mx7_usb_rom.conf
Trying to open device vid=0x15a2 pid=0x0076
Interface 0 claimed
HAB security state: production mode (0x12343412)
== work item
filename u-boot.imx
load_size 0 bytes
load_addr 0x83f00000
dcd 1
clear_dcd 0
plug 0
jump_mode 2
jump_addr 0x00000000
== end work item
loading DCD table @0x910000

<<<-588, 1024 bytes>>>
succeeded (status 0x128a8a12)

loading binary file(u-boot.imx) to 877ff400, skip=0, fsize=58d50 type=aa

<<<363856, 364544 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400
config file <./recovery//mx7_usb_sdp_uboot.conf>
parse ./recovery//mx7_usb_sdp_uboot.conf
Trying to open device vid=0x1b67 pid=0x4000
Interface 0 claimed
HAB security state: development mode (0x56787856)
== work item
filename tezi.itb
load_size 0 bytes
load_addr 0x82100000
dcd 0
clear_dcd 0
plug 0
jump_mode 0
jump_addr 0x00000000
== end work item
load_addr=82100000

loading binary file(tezi.itb) to 82100000, skip=0, fsize=1462718 type=0

<<<21374744, 21374976 bytes>>>
succeeded (status 0x88888888)
HAB security state: development mode (0x56787856)
== work item
filename boot-sdp.scr
load_size 0 bytes
load_addr 0x82000000
dcd 0
clear_dcd 0
plug 0
jump_mode 1
jump_addr 0x82000000
== end work item
load_addr=82000000

loading binary file(boot-sdp.scr) to 82000000, skip=0, fsize=12c type=aa

<<<300, 1024 bytes>>>
succeeded (status 0x88888888)
jumping to 0x82000000
Successfully downloaded Toradex Easy Installer.