Signed Unencrypted U-boot for iMX28

Hi,

Im looking for a way to boot on a signed unencrypt U-boot, I have done the following steps :

1. Set OTP setting using MFGTool :

# force HAB authentication
hw_ocotp_rom7 = 0x00300000

# enable unencrypted boot
hw_ocotp_rom0 = 0x00000010

2. For the signing keys I followed instruction  Problems with i.MX28 High Assurance Boot , so I have all keys ok

3. Generated U-boot binaries (u-boot-spl.bin and u-boot.bin) using target "make u-boot-signed.sb" (u-boot-2016-05)

4. The target "u-boot-signed" is encrypt :

$ sbtool -x 2 u-boot-signed.sb
---- Boot image header ----
Signature 1:           STMP
Signature 2:           sgtl
Format version:        1.1
Flags:                 0x0001
Image blocks:          35944
First boot tag block:  9
First boot section ID: 0x00000000
Key count:             1
Key dictionary block:  7
Header blocks:         6
Section count:         1
Section header size:   1
Timestamp:             531932795000000
Product version:       999.999.999
Component version:     999.999.999
Drive tag:             0x0000
SHA-1 digest of header:
    0x00000000: 6e 26 45 72 f5 02 ef ac 95 00 d4 f2 b6 d8 2c ac
    0x00000010: c7 5a 81 bd
Header digest is correct.

---- Section table ----
Section 0:
    Identifier: 0x0
    Offset:     10 blocks (160 bytes)
    Length:     35932 blocks (574912 bytes)
    Flags:      0x00000001
                0x1 = ROM_SECTION_BOOTABLE

---- Key dictionary ----
error: the image is encrypted but no key was provided

so I used elftosb to get an unencrypt bootsream like below :

$ elftosb -V -d -f imx28 -c ./arch/arm/cpu/arm926ejs/mxs/u-boot-imx28.bd -o u-boot_unencrypt.sb
source u_boot_spl => path(spl/u-boot-spl.bin)
source u_boot => path(u-boot.bin)
Boot Section 0x00000000:
  LOAD | adr=0x00000000 | len=0x000021c0 | crc=0x0d86a13e | flg=0x00000000
  LOAD | adr=0x00008000 | len=0x00000020 | crc=0x88d2e4d7 | flg=0x00000000
  CALL | adr=0x00008000 | arg=0x00000000 | flg=0x00000001
  LOAD | adr=0x40000100 | len=0x00088480 | crc=0x40fa530b | flg=0x00000000
  LOAD | adr=0x00008000 | len=0x00000020 | crc=0xf66ee67b | flg=0x00000000
  CALL | adr=0x00008000 | arg=0x00000000 | flg=0x00000001

Here the detail of the unencrypt bootstream:

$ sbtool -x 2 u-boot_unencrypt.sb
---- Boot image header ----
Signature 1:           STMP
Signature 2:           sgtl
Format version:        1.1
Flags:                 0x0000
Image blocks:          35448
First boot tag block:  7
First boot section ID: 0x00000000
Key count:             0
Key dictionary block:  7
Header blocks:         6
Section count:         1
Section header size:   1
Timestamp:             546699162000000
Product version:       999.999.999
Component version:     999.999.999
Drive tag:             0x0000
SHA-1 digest of header:
    0x00000000: bc fc 49 d4 14 67 95 0e 37 49 97 e0 03 35 6c ae
    0x00000010: 70 ec 87 75
Header digest is correct.

---- Section table ----
Section 0:
    Identifier: 0x0
    Offset:     8 blocks (128 bytes)
    Length:     35438 blocks (567008 bytes)
    Flags:      0x00000001
                0x1 = ROM_SECTION_BOOTABLE

---- SHA-1 digest of entire image ----
    0x00000000: 7e f3 88 d8 37 df 96 e7 a6 65 89 28 53 47 68 cb
    0x00000010: 20 5d 38 a0
Image digest is correct.

---- Boot tags ----
0000: @ block 000007 | id=0x00000000 | length=035438 | flags=0x00000001
        0x1 = ROM_SECTION_BOOTABLE

When I tried to boot on this bootstream using mxsldr or mfgtool, Im getting ROM error code 0X80501010 (Request data beyond the end of a section).

Question: How do we generate a signed unencrypted U-boot Bootstream for iMX28 ?

Best Regards,

KB