User's guide

Secure Boot with i.MX28 HAB Version 4, Rev. 1
Freescale Semiconductor
The otp_burner.py script uses the binary SRK hash file to generate an executable image that can program
fuses. The output image of otp_burner.py, otp_init.sb, is then downloaded to the i.MX28 using
BitInit.exe. The i.MX28 must be connected in USB recovery mode for BitInit.exe to download
the SB file to internal RAM on the device. When executed on the i.MX28, otp_init.sb programs the SRK fuses.
Using these tools ensures that the SRK and other fuses are programmed correctly.
To generate otp_init.sb with SRK fuse programming, pass the --srk argument to otp_burner.py:
otp_burner.py --srk srk_fuses.bin --key encryption_key.txt -i bit_settings.txt -o otp_init.sb
The bit_settings.txt file provided with the -i option carries values for other fuses. The format of the
bit_settings.txt file is specified in the documentation with the IMX_OTP_TOOLS package.
The file encryption_key.txt is the 128-bit OTP key created using the keygen utility. The 128-bit OTP key will
be programmed to the fuses that the ROM uses in decrypting the boot image.
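Fuses can be programmed only once, so the two inputs described above are worth checking before otp_init.sb is built. The following pre-flight check is an added example, not part of the IMX_OTP_TOOLS package or of this guide. It assumes that srk_fuses.bin holds a 32-byte (256-bit) SRK hash and that encryption_key.txt holds the 128-bit key as hexadecimal text; the function names are hypothetical.

```python
"""Pre-flight check of otp_burner.py inputs (added example, not Freescale code)."""
import hashlib

SRK_HASH_BYTES = 32  # assumption: srk_fuses.bin is a 256-bit SRK hash
OTP_KEY_BYTES = 16   # the guide's 128-bit OTP key


def degenerate(blob):
    """True for all-0x00 or all-0xFF data, typical of an empty or erased file."""
    return len(set(blob)) == 1 and blob[0] in (0x00, 0xFF)


def check_srk_hash(blob):
    """Return a list of problems found in the binary SRK hash file contents."""
    if len(blob) != SRK_HASH_BYTES:
        return ["SRK hash is %d bytes, expected %d" % (len(blob), SRK_HASH_BYTES)]
    return ["SRK hash is all 0x00 or all 0xFF"] if degenerate(blob) else []


def check_otp_key(text):
    """Return a list of problems found in the key file text (assumed hex digits)."""
    digits = "".join(text.split())
    try:
        key = bytes.fromhex(digits)
    except ValueError:
        return ["OTP key is not hexadecimal text"]
    if len(key) != OTP_KEY_BYTES:
        return ["OTP key is %d bits, expected 128" % (len(key) * 8)]
    return ["OTP key is all 0x00 or all 0xFF"] if degenerate(key) else []


def preflight(srk_blob, key_text):
    """Check both inputs; return (problems, SRK fingerprint for the build log)."""
    problems = check_srk_hash(srk_blob) + check_otp_key(key_text)
    # Log a fingerprint of the SRK hash only; never log the OTP key itself.
    return problems, hashlib.sha256(srk_blob).hexdigest()[:16]


if __name__ == "__main__":
    # Constructed sample inputs; in practice read srk_fuses.bin and encryption_key.txt.
    srk = bytes(range(32))
    for key in ("00112233445566778899AABBCCDDEEFF\n", "0011223344556677\n"):
        problems, fp = preflight(srk, key)
        print("SRK fingerprint", fp, "->", problems or "inputs look sane")
```

Recording the SRK fingerprint in the build log lets a second person confirm that the hash about to be fused matches the one produced when the SRK table was generated.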
7 Development and debug tips
7.1 Error logging
In the development phase, it is always wise to test the device in Open configuration. It is recommended that
boot images use the ROM HAB API report_event to browse through the events created during HAB
authentication. The report_status API can be used to determine the security configuration and security
state of the system. Detailed information on HAB Event Data is available on request from a Freescale
representative. All FAILURE events reported by HAB in Open configuration must be resolved before
moving on to Closed configuration; otherwise the image will not boot. Here is example code that can be
included in u-boot to print any events that occurred during the image authentication process. This example
could be extended to report all warning events as well by using HAB_STS_ANY instead of HAB_FAILURE
in hab_report_event. While they do not prevent booting in Closed configuration, warning events should
still be analyzed. For example, if software hash is used when DCP hash was requested, there is a warning,
not a failure. Because this slows down the boot, it is a good idea to fix all warnings before using the
image in final production.
int get_hab_status(void)
{
    uint32_t index = 0;                /* Loop index */
    uint8_t event_data[128];           /* Event data buffer */
    size_t bytes = sizeof(event_data); /* Event size in bytes */
    hab_config_t config = 0;
    hab_state_t state = 0;

    /* Check HAB status */
    if (hab_rvt_report_status(&config, &state) != HAB_SUCCESS)
    {
        printf("\nHAB Configuration: 0x%02x HAB State: 0x%02x\n",
               config, state);