Cannot use Toradex Easy Installer with closed device

Hi everyone,

I’m performing some secure boot tests on the Toradex Colibri iMX7D 1GB v1.1 module.

By following the procedure explained in AN4581, I am able to create a custom signed u-boot and to verify it by means of hab_status command.
I successfully used easy installer 1.8 (via USB OTG) to update the u-boot.

The next step was to extend the root of trust to the Linux Kernel (Appendix G of AN4581) signing the zImage.
As for u-boot, I successfully load the new kernel via easy installer but the execution of hab_auth_img command failed.

As I figured out, I need to “close” the device by blowing the SEC_CONFIG bit in order to let the u-boot to verify the kernel signature.
After I closed the device, I was not able anymore to use easy installer.

Here is the output of the execution od “recovery-windows.bat”

config file <recovery\\\imx_usb.conf>
vid=0x15a2 pid=0x0054 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0076 file_name=mx7_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx7_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0080 file_name=mx6ull_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6ull_usb_sdp_uboot.conf
config file <recovery\\\mx7_usb_rom.conf>
parse recovery\\\mx7_usb_rom.conf
Trying to open device vid=0x15a2 pid=0x0076
Interface 0 claimed
HAB security state: production mode (0x12343412)
== work item
filename u-boot.imx
load_size 0 bytes
load_addr 0x83f00000
dcd 1
clear_dcd 0
plug 0
jump_mode 2
jump_addr 0x00000000
== end work item
loading DCD table @0x910000

<<<-588, 1024 bytes>>>
succeeded (status 0x128a8a12)

loading binary file(u-boot.imx) to 877ff400, skip=0, fsize=55c00 type=aa

<<<351232, 351232 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400
j4 in err=0, last_trans=64  33 22 0a 00
config file <recovery\\\mx7_usb_sdp_uboot.conf>
parse recovery\\\mx7_usb_sdp_uboot.conf
Trying to open device vid=0x1b67 pid=0x4000.........................
Could not open device vid=0x1b67 pid=0x4000
Premere un tasto per continuare . . .

From the serial console no output showed up.

HAB security state: production mode (0x12343412)

Being in production mode could collide with the not signed Toradex Easy Installer’s u-boot?
How is it possibile to update a zImage in a “closed” device?

Thank you in advance for your support.

Luca

Greetings @lupo,

It still is technically possible to use the easy installer to load binaries unto a closed device. For Easy Installer V1.8 we use a variant of imx_usb_loader for the recovery mode utility. Our source for this tool does have a commit that enables support for loading a signed binary unto a closed device (https://github.com/toradex/imx_loader/commit/6deb910dd0a64267c43e65e95486f975e293823f).

Appendix F of AN4581 describes modifications to your CSF file needed to make use of the SDP which the imx_usb_loader uses.

As for specifics I’m afraid we don’t have anyone here at Toradex that has tried to use our Easy Installer tool on a device that has been closed via HAB. So I’m unable to provide more detail than this.

Best Regards,
Jeremias

Hi @jeremias.tx ,
thank you for your suggest.

I dig deeper in this issue, and has I understood, in a “closed” device also the Toradex Easy Installer must have a signed u-boot.imx.
Thus, following Appendix E and F of AN4581, I have tried to sign the u-boot.imx present in the Easy installer root directory, but the problem still persist. By looking to HAB errors, probably it’s due to a u-boot built without CONFIG_SECURE_BOOT=y in its config.

Then, I downloaded the u-boot source code, built it with secure boot enabled, signed it and here is what I had as result:

config file <recovery\\\imx_usb.conf>
vid=0x15a2 pid=0x0054 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0076 file_name=mx7_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx7_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0080 file_name=mx6ull_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6ull_usb_sdp_uboot.conf
config file <recovery\\\mx7_usb_rom.conf>
parse recovery\\\mx7_usb_rom.conf
Trying to open device vid=0x15a2 pid=0x0076
Interface 0 claimed
HAB security state: production mode (0x12343412)
== work item
filename u-boot.imx
load_size 0 bytes
load_addr 0x83f00000
dcd 1
clear_dcd 0
plug 0
jump_mode 2
jump_addr 0x00000000
== end work item
loading DCD table @0x910000

<<<-588, 1024 bytes>>>
succeeded (status 0x128a8a12)

loading binary file(u-boot.imx) to 877ff400, skip=0, fsize=61814 type=aa

<<<399380, 400384 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400
config file <recovery\\\mx7_usb_sdp_uboot.conf>
parse recovery\\\mx7_usb_sdp_uboot.conf
Trying to open device vid=0x1b67 pid=0x4000.........................
Could not open device vid=0x1b67 pid=0x4000
Premere un tasto per continuare . . .

No HAB error appear and I can see u-boot starting up on the console.
But I still cannot open device vid=0x1b67 pid=0x4000.

I suppose is due to SDP that is not enabled by default in u-boot, isn’t it?
Is it possible to obtain the .config that has been used to compile the u-boot present in your Toradex Easy Installer?

Thank you,

Luca

@lupo

For the eMMC i.MX7 we use this special easy installer u-boot config: http://git.toradex.com/cgit/u-boot-toradex.git/tree/configs/colibri_imx7_emmc_tezi_defconfig?h=2016.11-toradex

@jeremias.tx,

I tried to compile my u-boot with the configuration you suggest but the result was the same as above.

By parsing the list of possible configurations, I found this one http://git.toradex.com/cgit/u-boot-toradex.git/tree/configs/colibri_imx7_tezi_recovery_defconfig?h=2016.11-toradex that works!! (it’s the only one named “recovery”)

This is my output:

config file <recovery\\\imx_usb.conf>
vid=0x15a2 pid=0x0054 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_rom.conf
-> vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0076 file_name=mx7_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx7_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0080 file_name=mx6ull_usb_rom.conf
-> vid=0x1b67 pid=0x4000 file_name=mx6ull_usb_sdp_uboot.conf
config file <recovery\\\mx7_usb_rom.conf>
parse recovery\\\mx7_usb_rom.conf
Trying to open device vid=0x15a2 pid=0x0076
Interface 0 claimed
HAB security state: production mode (0x12343412)
== work item
filename u-boot.imx
load_size 0 bytes
load_addr 0x83f00000
dcd 1
clear_dcd 0
plug 0
jump_mode 2
jump_addr 0x00000000
== end work item
loading DCD table @0x910000

<<<-588, 1024 bytes>>>
succeeded (status 0x128a8a12)

loading binary file(u-boot.imx) to 877ff400, skip=0, fsize=58814 type=aa

<<<362516, 363520 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400
config file <recovery\\\mx7_usb_sdp_uboot.conf>
parse recovery\\\mx7_usb_sdp_uboot.conf
Trying to open device vid=0x1b67 pid=0x4000
Interface 0 claimed
HAB security state: development mode (0x56787856)
== work item
filename tezi.itb
load_size 0 bytes
load_addr 0x82100000
dcd 0
clear_dcd 0
plug 0
jump_mode 0
jump_addr 0x00000000
== end work item
load_addr=82100000

loading binary file(tezi.itb) to 82100000, skip=0, fsize=1462718 type=0

<<<21374744, 21374976 bytes>>>
succeeded (status 0x88888888)
HAB security state: development mode (0x56787856)
== work item
filename boot-sdp.scr
load_size 0 bytes
load_addr 0x82000000
dcd 0
clear_dcd 0
plug 0
jump_mode 1
jump_addr 0x82000000
== end work item
load_addr=82000000

loading binary file(boot-sdp.scr) to 82000000, skip=0, fsize=12c type=aa

<<<300, 1024 bytes>>>
succeeded (status 0x88888888)
jumping to 0x82000000
ECHO disattivato.
== Successfully downloaded Tezi
Premere un tasto per continuare . . .

Now I’m able to use Toradex Easy Installer loaded through a signed u-boot!

Luca

@lupo

Glad to hear you got it working! This is also helpful feedback for reference sake.

Hello @lupo
Could you explain the steps followed in brief , to solve this issue.
I face similar issue , where in i have closed my device by blowing the necessary fuses and now i am unable to use easy installer application to flash any images on to my board.
Any suggestions plz.

Hello @lupo
Even I am facing the exact similar issue in I.MX7D module. After closing the device I tried to flash an unsigned image to my board via easy installer application. The device didn’t booted up and is freezed. So any solution to this . How to recover the module back so that i can test both my signed and unsignd images via easy installer application . Kindly address this at the earliest plz

Hi @Jayanth,

once the device is closed, you must load only signed u-boot in order to boot up your device.

The Toradex Easy Installer, through the usage of the Serial Download Protocol, loads its own u-boot and image!

To let the Toradex Easy Installer to work again after the device closure operation, you need to recompile its u-boot, enable HAB support and sign it.

Here is the procedure:

Download the arm-linux-gnueabihf compiler.

wget -c https://releases.linaro.org/components/toolchain/binaries/6.2-2016.11/arm-linux-gnueabihf/gcc-linaro-6.2.1-2016.11-x86_64_arm-linux-gnueabihf.tar.xz
tar xvf gcc-linaro-6.2.1-2016.11-x86_64_arm-linux-gnueabihf.tar.xz gcc-linaro-6.2.1-2016.11-x86_64_arm-linux-gnueabihf/

Create an export file to setup the compie-time environment variables:

echo "export ARCH=arm" >> ~/export_compiler
echo "export PATH=~/gcc-linaro/bin/:$PATH" >> ~/export_compiler
echo "export CROSS_COMPILE=arm-linux-gnueabihf-" >> ~/export_compiler

Load the variables

source ~/export_compiler

Download the u-boot source code

cd
git clone -b 2016.11-toradex git://git.toradex.com/u-boot-toradex.git
cd u-boot-toradex
git checkout 2016.11-toradex

We need to define which config to use. Toradex Easy Installer use the “Recovery Defconfig”

make colibri_imx7_tezi_recovery_defconfig

Now, we can add the CONFIG_SECURE_BOOT to the .config file to enable the HAB support

CONFIG_SECURE_BOOT=y

Compile

make V=1

From now on, you can procede by signing the u-boot and substitute the one contained in the Toradex Easy Installer root folder.

Let me know if this procedure works.

Regards,

Luca

Hi@lupo
Thanks for the reply and letting me know the steps to recover the board.
I followed your steps but sadly, still couldn’t recover the board.

The procedure carried out by me :

  1. I tried to clone a new U-boot package , building it for the config specified by you “colibri_imx7_tezi_recovery_defconfig” ,enabling the security features and then signing it with the keys which I have already dumped on to the board. (i mean using the SRKs for signing …)…then replacing the signed u-boot.imx in the root folder of toradex easy installer.

  2. Then followed the recovery mode procedure for toradex I.MX7 module, I tried to flash the
    easy installer image, but it failed to download the easy installer on to the board.

3.This is the error msg :

HI @lupo
Is there something which I missed out in these steps. Kindly let me know if I something needs to be handled apart from these steps. Thanks

Downloading Toradex Easy Installer…
config file <./recovery//imx_usb.conf>
vid=0x15a2 pid=0x0054 file_name=mx6_usb_rom.conf
→ vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
→ vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_rom.conf
→ vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
→ vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0076 file_name=mx7_usb_rom.conf
→ vid=0x1b67 pid=0x4000 file_name=mx7_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0080 file_name=mx6ull_usb_rom.conf
→ vid=0x1b67 pid=0x4000 file_name=mx6ull_usb_sdp_uboot.conf
config file <./recovery//mx7_usb_rom.conf>
parse ./recovery//mx7_usb_rom.conf
Trying to open device vid=0x15a2 pid=0x0076
Interface 0 claimed
HAB security state: production mode (0x12343412)
== work item
filename u-boot.imx
load_size 0 bytes
load_addr 0x83f00000
dcd 1
clear_dcd 0
plug 0
jump_mode 2
jump_addr 0x00000000
== end work item
loading DCD table @0x910000

<<<-588, 1024 bytes>>>
succeeded (status 0x128a8a12)

loading binary file(u-boot.imx) to 877ff400, skip=0, fsize=59c00 type=aa

<<<367616, 367616 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400
j4 in err=0, last_trans=64 33 18 c0 00
config file <./recovery//mx7_usb_sdp_uboot.conf>
parse ./recovery//mx7_usb_sdp_uboot.conf
Trying to open device vid=0x1b67 pid=0x4000…
Could not open device vid=0x1b67 pid=0x4000

Downloading Toradex Easy Installer failed…

On the other side, when I followed the steps mentioned as per this link
https://boundarydevices.com/high-assurance-boot-hab-dummies/
Section: What about imx_usb_loader?

and replacing the signed binary in the root folder of toradex easy installer …it was successful.
I was able to load the easy installer application on the board.

So just to confirm was this the process U mentioned earlier while signing the U-boot binary or is it something else.
Correct me if something is wrong.

Downloading Toradex Easy Installer…
[sudo] password for user:
config file <./recovery//imx_usb.conf>
vid=0x15a2 pid=0x0054 file_name=mx6_usb_rom.conf
→ vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
→ vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_rom.conf
→ vid=0x1b67 pid=0x4fff file_name=mx6_usb_sdp_spl.conf
→ vid=0x1b67 pid=0x4000 file_name=mx6_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0076 file_name=mx7_usb_rom.conf
→ vid=0x1b67 pid=0x4000 file_name=mx7_usb_sdp_uboot.conf
vid=0x15a2 pid=0x0080 file_name=mx6ull_usb_rom.conf
→ vid=0x1b67 pid=0x4000 file_name=mx6ull_usb_sdp_uboot.conf
config file <./recovery//mx7_usb_rom.conf>
parse ./recovery//mx7_usb_rom.conf
Trying to open device vid=0x15a2 pid=0x0076
Interface 0 claimed
HAB security state: production mode (0x12343412)
== work item
filename u-boot.imx
load_size 0 bytes
load_addr 0x83f00000
dcd 1
clear_dcd 0
plug 0
jump_mode 2
jump_addr 0x00000000
== end work item
loading DCD table @0x910000

<<<-588, 1024 bytes>>>
succeeded (status 0x128a8a12)

loading binary file(u-boot.imx) to 877ff400, skip=0, fsize=58d50 type=aa

<<<363856, 364544 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400
config file <./recovery//mx7_usb_sdp_uboot.conf>
parse ./recovery//mx7_usb_sdp_uboot.conf
Trying to open device vid=0x1b67 pid=0x4000
Interface 0 claimed
HAB security state: development mode (0x56787856)
== work item
filename tezi.itb
load_size 0 bytes
load_addr 0x82100000
dcd 0
clear_dcd 0
plug 0
jump_mode 0
jump_addr 0x00000000
== end work item
load_addr=82100000

loading binary file(tezi.itb) to 82100000, skip=0, fsize=1462718 type=0

<<<21374744, 21374976 bytes>>>
succeeded (status 0x88888888)
HAB security state: development mode (0x56787856)
== work item
filename boot-sdp.scr
load_size 0 bytes
load_addr 0x82000000
dcd 0
clear_dcd 0
plug 0
jump_mode 1
jump_addr 0x82000000
== end work item
load_addr=82000000

loading binary file(boot-sdp.scr) to 82000000, skip=0, fsize=12c type=aa

<<<300, 1024 bytes>>>
succeeded (status 0x88888888)
jumping to 0x82000000
Successfully downloaded Toradex Easy Installer.