LayerscapeのトピックRe: LS1046ARDB Alternate Image SEC Initialization during Secure boot

LS1046ARDB Alternate Image SEC Initialization during Secure boot

Faizanbaig — Fri, 22 Oct 2021 10:17:20 GMT

Hi,

We are trying to provide an alternate boot image in case authentication of first boot image fails during secure boot. As per LS1046ARM_Reference_Manual, DCFG ScratchRW3 should be written with the CSF header address for alternate boot image. When we test authentication fail for the first image, we get no error in DCFG ScratchRW4 and the alternate boot image is authenticated successfully. But our SEC Initialization is failing when we try to initialise it using alternate boot image .
Are we missing any additional steps in achieving this?

Any suggestions regarding this would be appreciated.

Thanks,

Faizanbaig Inamdar

Re: LS1046ARDB Alternate Image SEC Initialization during Secure boot

yipingwang — Mon, 25 Oct 2021 03:09:07 GMT

What version of LSDK you are using?

Can you share your

input_files/uni_sign/ls1/nor/input_uboot_secure

input_files/uni_sign/ls1/sd_nand/input_uboot_secure

input_files/uni_sign/ls1/sd_nand/input_spl_uboot_secure

In the input files you use to sign the image, depends on your situation,

there should be a

SEC_IMAGE Flag for Secondary Image. Required for TA 2.x platforms only

that you can specify the secondary image information.

Re: LS1046ARDB Alternate Image SEC Initialization during Secure boot

Faizanbaig — Mon, 25 Oct 2021 04:52:16 GMT

Hi, Thanks for your response, I have set SEC_FLAG to 1 and ISBC is authenticating the alternate image successfully but SEC(Security Engine) initialization module is failing when we execute it through alternate boot image. However,When we flash the same image as primary Image it is successfully initializing the SEC(Security Engine). Could you please provide any help on this? Thanks

Re: LS1046ARDB Alternate Image SEC Initialization during Secure boot

yipingwang — Wed, 27 Oct 2021 03:06:07 GMT

Where is the SEC_FLAG-=1 flag is set?
I check the Code Signing Tool (CST) input file and there is no such flag. Is it a flag for linux kernel built?
It sounds like this is not secure boot (ISBC/ESBC) related issue. If customer has a console log, a capture of the log of the message leading to "initializing the SEC" will be helpful. i.e. is the error from uboot init or linux init?

Re: LS1046ARDB Alternate Image SEC Initialization during Secure boot

Faizanbaig — Wed, 27 Oct 2021 06:36:15 GMT

Thanks for the response, Issue was with our binary boot image file .
Now it successfully performs chain of trust from alternate image.