Hi,
Im looking for a way to boot on a signed unencrypt U-boot, I have done the following steps :
1. Set OTP setting using MFGTool :
# force HAB authentication
hw_ocotp_rom7 = 0x00300000# enable unencrypted boot
hw_ocotp_rom0 = 0x00000010
2. For the signing keys I followed instruction Problems with i.MX28 High Assurance Boot , so I have all keys ok
3. Generated U-boot binaries (u-boot-spl.bin and u-boot.bin) using target "make u-boot-signed.sb" (u-boot-2016-05)
4. The target "u-boot-signed" is encrypt :
$ sbtool -x 2 u-boot-signed.sb
---- Boot image header ----
Signature 1: STMP
Signature 2: sgtl
Format version: 1.1
Flags: 0x0001
Image blocks: 35944
First boot tag block: 9
First boot section ID: 0x00000000
Key count: 1
Key dictionary block: 7
Header blocks: 6
Section count: 1
Section header size: 1
Timestamp: 531932795000000
Product version: 999.999.999
Component version: 999.999.999
Drive tag: 0x0000
SHA-1 digest of header:
0x00000000: 6e 26 45 72 f5 02 ef ac 95 00 d4 f2 b6 d8 2c ac
0x00000010: c7 5a 81 bd
Header digest is correct.
---- Section table ----
Section 0:
Identifier: 0x0
Offset: 10 blocks (160 bytes)
Length: 35932 blocks (574912 bytes)
Flags: 0x00000001
0x1 = ROM_SECTION_BOOTABLE
---- Key dictionary ----
error: the image is encrypted but no key was provided
so I used elftosb to get an unencrypt bootsream like below :
$ elftosb -V -d -f imx28 -c ./arch/arm/cpu/arm926ejs/mxs/u-boot-imx28.bd -o u-boot_unencrypt.sb
source u_boot_spl => path(spl/u-boot-spl.bin)
source u_boot => path(u-boot.bin)
Boot Section 0x00000000:
LOAD | adr=0x00000000 | len=0x000021c0 | crc=0x0d86a13e | flg=0x00000000
LOAD | adr=0x00008000 | len=0x00000020 | crc=0x88d2e4d7 | flg=0x00000000
CALL | adr=0x00008000 | arg=0x00000000 | flg=0x00000001
LOAD | adr=0x40000100 | len=0x00088480 | crc=0x40fa530b | flg=0x00000000
LOAD | adr=0x00008000 | len=0x00000020 | crc=0xf66ee67b | flg=0x00000000
CALL | adr=0x00008000 | arg=0x00000000 | flg=0x00000001
Here the detail of the unencrypt bootstream:
$ sbtool -x 2 u-boot_unencrypt.sb
---- Boot image header ----
Signature 1: STMP
Signature 2: sgtl
Format version: 1.1
Flags: 0x0000
Image blocks: 35448
First boot tag block: 7
First boot section ID: 0x00000000
Key count: 0
Key dictionary block: 7
Header blocks: 6
Section count: 1
Section header size: 1
Timestamp: 546699162000000
Product version: 999.999.999
Component version: 999.999.999
Drive tag: 0x0000
SHA-1 digest of header:
0x00000000: bc fc 49 d4 14 67 95 0e 37 49 97 e0 03 35 6c ae
0x00000010: 70 ec 87 75
Header digest is correct.
---- Section table ----
Section 0:
Identifier: 0x0
Offset: 8 blocks (128 bytes)
Length: 35438 blocks (567008 bytes)
Flags: 0x00000001
0x1 = ROM_SECTION_BOOTABLE
---- SHA-1 digest of entire image ----
0x00000000: 7e f3 88 d8 37 df 96 e7 a6 65 89 28 53 47 68 cb
0x00000010: 20 5d 38 a0
Image digest is correct.
---- Boot tags ----
0000: @ block 000007 | id=0x00000000 | length=035438 | flags=0x00000001
0x1 = ROM_SECTION_BOOTABLE
When I tried to boot on this bootstream using mxsldr or mfgtool, Im getting ROM error code 0X80501010 (Request data beyond the end of a section).
Question: How do we generate a signed unencrypted U-boot Bootstream for iMX28 ?
Best Regards,
KB
Hello,
the following may help.
https://community.nxp.com/message/624901
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Hello Yuri,
I already followed the threads for the signing steps, but Im still stuck on how to get an unencrypted u-boot ?