toradex / meta-toradex-security

Bootloader signing is broken when FIT image signing is disabled #2

Closed leograba closed 4 months ago

leograba commented 10 months ago

A secure boot image built with HAB enabled (TDX_IMX_HAB_ENABLE = "1") but with FIT image signing disabled (UBOOT_SIGN_ENABLE = "0") is generating HAB events at runtime on a properly fused device. This means the signing is somehow broken. Here is the log from the U-Boot CLI:

Verdin iMX8MP # hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x08 0x45 0x33 0x11 0xcf 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CSF (0x11)
CTX = HAB_CTX_CSF (0xCF)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x00 0x91 0xff 0xc0
        0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x00 0x91 0xff 0xe0
        0x00 0x00 0x00 0x0c

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x00 0x92 0x00 0x00
        0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

Some important points:


Originally reported by @rborn-tx

sergioprado commented 10 months ago

@leograba just to confirm, if UBOOT_SIGN_ENABLE = "1", this issue is not reproducible, right?

leograba commented 10 months ago

I don't know, @rborn-tx can confirm

rborn-tx commented 10 months ago

> just to confirm, if UBOOT_SIGN_ENABLE = "1", this issue is not reproducible, right?

@sergioprado Yes, when UBOOT_SIGN_ENABLE = "1" things seem to be working fine.

sergioprado commented 4 months ago

I tested this on Verdin iMX8MP using the latest from kirkstone and could not reproduce the issue anymore.

I added the following lines to conf/local.conf:

INHERIT += "tdx-signed"
UBOOT_SIGN_ENABLE = "0"

When booting, I can see from bootloader logs that the FIT image was not signed:

## Loading kernel from FIT Image at 50300000 ...
   Using 'conf-freescale_imx8mp-verdin-wifi-dev.dtb' configuration
   Trying 'kernel-1' kernel subimage
     Description:  Linux kernel
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x5030010c
     Data Size:    11675349 Bytes = 11.1 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x48200000
     Entry Point:  0x48200000
     Hash algo:    sha256
     Hash value:   d7e4d737541db2e252f95518e36fd58d6b27d20d0e607cfd7e234d0abd463fa4
   Verifying Hash Integrity ... sha256+ OK
## Loading fdt from FIT Image at 50300000 ...
   Using 'conf-freescale_imx8mp-verdin-wifi-dev.dtb' configuration
   Trying 'fdt-freescale_imx8mp-verdin-wifi-dev.dtb' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x50e90bb8
     Data Size:    90278 Bytes = 88.2 KiB
     Architecture: AArch64
     Load Address: 0x50200000
     Hash algo:    sha256
     Hash value:   c639f32d79f024e98fc82c43a77ec3e0bc0b084eafadf033bc65d2b1392d7412
   Verifying Hash Integrity ... sha256+ OK
   Loading fdt from 0x50e90bb8 to 0x50200000
## Loading fdt from FIT Image at 50300000 ...
   Using 'conf-verdin-imx8mp_hdmi_overlay.dtbo' configuration
   Trying 'fdt-verdin-imx8mp_hdmi_overlay.dtbo' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x50ed626c
     Data Size:    2219 Bytes = 2.2 KiB
     Architecture: AArch64
     Load Address: 0x50240000
     Hash algo:    sha256
     Hash value:   c4ec36638c7d6bff0af64735d0a5a71acf2a1041b7de69bca1dd1a1ca25b8112
   Verifying Hash Integrity ... sha256+ OK
## Loading fdt from FIT Image at 50300000 ...
   Using 'conf-verdin-imx8mp_dsi-to-hdmi_overlay.dtbo' configuration
   Trying 'fdt-verdin-imx8mp_dsi-to-hdmi_overlay.dtbo' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x50ed2dd8
     Data Size:    3652 Bytes = 3.6 KiB
     Architecture: AArch64
     Load Address: 0x50240000
     Hash algo:    sha256
     Hash value:   2afe82462f32ab9d163b816bfd8ae4071a7f48a9382fb545b4feede3bc93598e
   Verifying Hash Integrity ... sha256+ OK
## Loading fdt from FIT Image at 50300000 ...
   Using 'conf-verdin-imx8mp_spidev_overlay.dtbo' configuration
   Trying 'fdt-verdin-imx8mp_spidev_overlay.dtbo' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x50edd3ec
     Data Size:    561 Bytes = 561 Bytes
     Architecture: AArch64
     Load Address: 0x50240000
     Hash algo:    sha256
     Hash value:   a18be5d8a83083491c21b8de76d20e403b0ba28685fce6b628e196f46b1924d2
   Verifying Hash Integrity ... sha256+ OK
   Booting using the fdt blob at 0x50200000
   Uncompressing Kernel Image
   Loading Device Tree to 00000000ffade000, end 00000000ffaf74a6 ... OK

And there were no HAB events:

# hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

The problem was probably a regression introduced by another layer that was solved in the meantime.

Closing out this issue.
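
Added example (not part of the thread and not code from meta-toradex-security): a small Python triage script that decodes the raw "event data" bytes of the hab_status outputs quoted in this issue, so a captured console log can be checked automatically for HAB events. The function names are hypothetical, the record layout is read off the dumps above, and treating the last eight bytes of an assertion event as an address and a length is an assumption.

```python
import re

# Names exactly as hab_status prints them in the logs quoted in this thread.
REASON = {0x11: "HAB_INV_CSF", 0x0C: "HAB_INV_ASSERTION"}
CONTEXT = {0xCF: "HAB_CTX_CSF", 0xA0: "HAB_CTX_ASSERT"}

# Constructed sample: events 1 and 2 of the first log, some summary lines kept.
SAMPLE = """\
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x08 0x45 0x33 0x11 0xcf 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CSF (0x11)
--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x00 0x91 0xff 0xc0
        0x00 0x00 0x00 0x20
"""

BYTES_LINE = re.compile(r"\s*(?:0x[0-9a-fA-F]{2}\s*)+")

def parse_hab_status(text):
    """Decode every HAB event record found in hab_status console output."""
    events = []
    for chunk in re.split(r"-+ HAB Event \d+ -+", text)[1:]:
        # Keep only lines made purely of 0xNN tokens; this skips the
        # "STS = HAB_FAILURE (0x33)" summary lines that follow the dump.
        raw = bytes(int(tok, 16) for line in chunk.splitlines()
                    if BYTES_LINE.fullmatch(line) for tok in line.split())
        # Bytes 1..2 hold the record length (0x0008 and 0x0014 in the dumps).
        if len(raw) < 8 or int.from_bytes(raw[1:3], "big") != len(raw):
            raise ValueError("truncated or malformed HAB event record")
        ev = {"status": raw[4],
              "reason": REASON.get(raw[5], hex(raw[5])),
              "context": CONTEXT.get(raw[6], hex(raw[6])),
              "engine": raw[7]}
        if raw[5] == 0x0C and len(raw) == 20:
            # Assumption: the last 8 bytes are the big-endian address and
            # length of the memory region the failed assertion refers to.
            ev["region"] = (int.from_bytes(raw[12:16], "big"),
                            int.from_bytes(raw[16:20], "big"))
        events.append(ev)
    return events

def boot_is_clean(text):
    """True only if hab_status reported no events at all."""
    return "No HAB Events Found!" in text and not parse_hab_status(text)
```

Run over the first log in this issue, the three assertion events decode to regions at 0x0091ffc0, 0x0091ffe0 and 0x00920000; boot_is_clean() is the check to gate on before a device is closed.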