Hab_auth_img fails to verify kernel and dtb images

We are implementing HAB secure boot for custom board based on colibri imx6ull 512MB wifi-bt and yocto BSP 5.7.0 layer. We’ve managed to successfully sign u-boot binary (no HAB events), but extending this to kernel and dtb image authentication fails with data abort interrupt.

Output of trying to authenticate signed zImage:

Colibri iMX6ULL # ubifsmount ubi0:rootfsb
Colibri iMX6ULL # ubifsload ${kernel_addr_r} /boot/zImage
Loading file '/boot/zImage' to addr 0x81000000...
Colibri iMX6ULL # md 0x81691000 8
81691000: 402000d1 81000000 00000000 00000000    .. @............
81691010: 00000000 81691000 81691020 00000000    ......i. .i.....
Colibri iMX6ULL # hab_auth_img ${kernel_addr_r} ${filesize} 0x691000

Authenticate image from DDR location 0x81000000...
data abort
pc : [<0000a8a2>]          lr : [<0000ab1f>]
reloc pc : [<e78b58a2>]    lr : [<e78b5b1f>]
sp : 9df2c2a8  ip : 0000e7ed     fp : 00690fe0
r10: 04d3f640  r9 : 9df2c584     r8 : 00000000
r7 : 00000000  r6 : 00904cb4     r5 : 04d3f640  r4 : 00000000
r3 : 5be0cd19  r2 : 00000008     r1 : 00904cb4  r0 : 04d3f640
Flags: nZCv  IRQs off  FIQs off  Mode SVC_32 (T)
Code: 2a08 d1ea 4605 2400 (f810) 7024
Resetting CPU ...

resetting ...

We are using cst version 3.3.2 and RSA 4096 bit keys.

CSF Text:

Version = 4.2
Hash Algorithm = sha256
Engine = SW
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/srk_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 81000000 0x00000000 0x00691020 "/tmp/cst_CODE_SIGN/kernel_image.bin"

As said before, u-boot signing produces no HAB events, so why does this fail?

Hello @Tuomas_Tuhkanen_IM,

Thanks for reaching out to the Toradex Community! Also, sorry about the delay in answering. In the past few days, I had some internal discussions around this topic.
I would like to point out to you that we have some work around the topic of secure boot on Torizon OS where the base support for Secure Boot is included in the meta-toradex-security layer. We have not thoroughly tested it with our BSP; however, this layer only works on Embedded Linux 6.3.0 and newer releases.
May I ask if there is a specific reason why you are using BSP 5.7.0?

If you could move to BSP 6, I would suggest giving it a try with the layer that I linked before.

Also, I see that you are trying to authenticate the kernel using HAB, whereas in our case the kernel FIT image is authenticated by u-boot. If you really want to go forward with this approach I would suggest following the guidelines from NXP and their resources (for example: https://community.nxp.com/t5/i-MX-Processors/bd-p/imx-processors).

Development started over a year ago and, I believe, higher BSP versions were experimental at that time. We are considering upgrading to BSP 6.1, and have already adapted some things from the meta-toradex-security Yocto layer.

We have integrated Mender for software updates, and its Yocto layer with colibri-imx6ull defaults to zImage. Our build system already has CST signing for these images working and it would be preferable to use it, as it would require minimal changes on our end.

However, my question is why have you not used HAB to authenticate the FIT image? Have you also had problems with it or is it just a design choice?

Turns out the problem was missing ‘0x’ in the address in CSF Blocks field.

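As an added example (not code from the thread or from CST), a small Python checker for the two things this thread turns on: whether every numeric field of a CSF "Blocks" line carries the 0x prefix CST needs to read it as hex, and whether the IVT at the tail of the image is covered by the signed block. The Blocks lines and IVT bytes are constructed from the values posted above; the CSF/IVT offset 0x691000 is the third argument given to hab_auth_img.

```python
import re
import struct

# Constructed for this example from the values posted in the thread:
# the original Blocks line (start address without 0x) and the corrected one.
CSF_BROKEN = 'Blocks = 81000000 0x00000000 0x00691020 "/tmp/cst_CODE_SIGN/kernel_image.bin"'
CSF_FIXED = 'Blocks = 0x81000000 0x00000000 0x00691020 "/tmp/cst_CODE_SIGN/kernel_image.bin"'
# IVT words as shown by "md 0x81691000 8", packed little-endian as they sit in DDR.
IVT_BYTES = struct.pack("<8I", 0x402000D1, 0x81000000, 0, 0, 0, 0x81691000, 0x81691020, 0)
IVT_OFFSET = 0x691000  # third argument of the hab_auth_img call in the thread

def parse_blocks(line):
    """Return (start, offset, length, file, warnings) for a CSF 'Blocks =' line.
    CST reads a field as hex only with a 0x prefix, otherwise as decimal."""
    m = re.match(r'\s*Blocks\s*=\s*(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"', line)
    if not m:
        raise ValueError("not a Blocks line: %r" % line)
    values, warnings = [], []
    for name, tok in zip(("start", "offset", "length"), m.group(1, 2, 3)):
        if tok.lower().startswith("0x"):
            values.append(int(tok, 16))
        else:  # report the value CST will actually use for the unprefixed field
            values.append(int(tok, 10))
            warnings.append("%s '%s' has no 0x prefix: CST uses decimal %d = 0x%08x"
                            % (name, tok, int(tok), int(tok)))
    start, offset, length = values
    return start, offset, length, m.group(4), warnings

def check_ivt(ivt_bytes, start, offset, length, ivt_offset):
    """Check the IVT against the signed block: header, self pointer, coverage."""
    hdr, _entry, _res1, _dcd, _boot, self_ptr, csf, _res2 = struct.unpack("<8I", ivt_bytes)
    problems = []
    if (hdr & 0xFF) != 0xD1 or (hdr >> 24) != 0x40:  # tag 0xD1, version 0x40
        problems.append("bad IVT header 0x%08x" % hdr)
    if self_ptr != start + ivt_offset:
        problems.append("IVT self 0x%08x != block start + IVT offset 0x%08x"
                        % (self_ptr, start + ivt_offset))
    lo, hi = start + offset, start + offset + length
    if not (lo <= self_ptr and self_ptr + 32 <= hi):  # the 32-byte IVT must be signed
        problems.append("IVT at 0x%08x outside signed range [0x%08x, 0x%08x)"
                        % (self_ptr, lo, hi))
    if csf < self_ptr + 32:
        problems.append("CSF pointer 0x%08x overlaps the IVT" % csf)
    return problems

def audit(csf_line):
    """Parse one Blocks line and return (warnings, problems) for the posted IVT."""
    start, offset, length, _path, warnings = parse_blocks(csf_line)
    return warnings, check_ivt(IVT_BYTES, start, offset, length, IVT_OFFSET)
```

The r0 value in the data-abort dump above, 0x04d3f640, is exactly 81000000 read as a decimal number, which is the address the unprefixed field handed to CST.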

Hi @Tuomas_Tuhkanen_IM,

Thanks a lot for sharing the solution. Glad that it is solved for you.