https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2039753#M12561 <P>Hello,&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/135277">@hittzt</a>&nbsp;</P> <P>Thanks for your confirmation.</P> <P>I tested it without m7boot added to the local.conf, and seems there are no issues, the possible reason for the issue you met seems to be secure boot verification fail.</P> <P>While you added m7boot to the local.conf, then a small m7 bootloader would be appended, the boot image could be changed to the&nbsp;bl2_w_dtb.s32-sdcard.m7 instead of the original one, but when booted to Linux, while enabling secure boot, the command is like:</P> <P>hse-secboot -s -d /dev/mmcblk0 --bl2_key /etc/keys/secboot/bl2_rsa2048_public.pem --bl31_key -:0x010700 --bl33_key -:0x010700 --bl2_sign /etc/keys/secboot/bl2-signature.bin-sdcard --bl2_bin /etc/keys/secboot/bl2_w_dtb.bin-sdcard</P> <P>Which does not match the boot image specified.</P> <P>From my understanding, the default secboot operation steps are only reference for default settings, if there are some additional configurations added, there may be issues.</P> <P>&nbsp;</P> <P>BR</P> <P>Chenyin</P> Fri, 07 Feb 2025 07:11:21 GMT chenyin_h 2025-02-07T07:11:21Z https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2038435#M12520 <P>Hi,</P><P>&nbsp;</P><P>I noticed that SDK BSP43 has been released, and I am testing M7 boot with secure boot enabled on RDB3 v1.1 silicon, but the board boot failed after excuting hse-secboot command and rebooting, command is following:</P><P>hse-secboot -s -d /dev/mmcblk0 -b sd --bl2_bin bl2_w_dtb.bin --bl2_key /etc/keys/secboot/bl2_rsa2048_public.pem /etc/keys/secboot/bl2_rsa2048_public.pem --bl31_key -:0x010700 --bl33_key -:0x010700 --bl2_sign bl2-signature.bin</P><P>&nbsp;</P><P>The HSE firmware version is 0.2.51.0 for Gen3 v1.1 SOC, so would you please help to tell how to test this case, is there any other settings or configures?</P><P>&nbsp;</P><P>Thanks,</P><P>Zhantao</P> Wed, 05 Feb 2025 09:04:26 GMT https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2038435#M12520 hittzt 2025-02-05T09:04:26Z https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2039001#M12524 <P>Hello, <a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/135277">@hittzt</a>&nbsp;</P> <P>Thanks for your post.</P> <P>Would you mind testing it with the following command on your board to check if it is correct?</P> <P>"<SPAN>/etc/keys/secboot/secboot_script.sh sd /dev/mmcblk0&nbsp; /etc/keys/secboot/bl2_w_dtb.bin-sdcard /etc/keys/secboot/bl2-signature.bin-sdcard"</SPAN></P> <P>&nbsp;</P> <P>BR</P> <P>Chenyin</P> <P>&nbsp;</P> Thu, 06 Feb 2025 04:20:21 GMT https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2039001#M12524 chenyin_h 2025-02-06T04:20:21Z https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2039075#M12527 <P>Yes, I tested it using the command in reference manual:</P><P>/etc/keys/secboot/secboot_script.sh sd /dev/mmcblk0 \<BR />&gt; /etc/keys/secboot/bl2_w_dtb.bin-sdcard \<BR />&gt; /etc/keys/secboot/bl2-signature.bin-sdcard</P><P>&nbsp;</P><P>And the whole test log is attached.</P><P>&nbsp;</P><P>Thanks,</P><P>Zhantao</P> Thu, 06 Feb 2025 07:01:14 GMT https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2039075#M12527 hittzt 2025-02-06T07:01:14Z https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2039134#M12529 <P>Thanks,&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/135277">@hittzt</a>&nbsp;</P> <P>I have checked the log, and do not see M7 bootloader information, which version M7 bootloader is used? any applications running on M7 side?</P> <P>And, may I know if you have tested it with A53 standalone boot without M7 involved? I just tested it only with BSP, and found no issues on my local RDB3.</P> <P>&nbsp;</P> <P>BR</P> <P>Chenyin</P> Thu, 06 Feb 2025 08:10:01 GMT https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2039134#M12529 chenyin_h 2025-02-06T08:10:01Z https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2039643#M12556 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/24163">@chenyin_h</a>,</P><P>&nbsp;</P><P>I followed the steps in SDK BSP43 user manual section "3.1.6 Building Images with M7 as Boot Target" to test the m7 boot, and there seems no other commands or settings when booting the board with the output image.</P><P>For this test, I just add the following lines in project conf/local.conf:</P><P>DISTRO_FEATURES:append = " m7boot secboot"<BR />NXP_FIRMWARE_LOCAL_DIR = "&lt;0.2.51.0 hse firmware path&gt;"</P><P>And then I used the output image "fsl-image-auto-s32g399ardb3.sdcard" to boot up the board and test as the log shows.</P><P>If I missed something please tell me.</P><P>&nbsp;</P><P>Thanks,</P><P>Zhantao</P> Fri, 07 Feb 2025 01:46:06 GMT https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2039643#M12556 hittzt 2025-02-07T01:46:06Z https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2039753#M12561 <P>Hello,&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/135277">@hittzt</a>&nbsp;</P> <P>Thanks for your confirmation.</P> <P>I tested it without m7boot added to the local.conf, and seems there are no issues, the possible reason for the issue you met seems to be secure boot verification fail.</P> <P>While you added m7boot to the local.conf, then a small m7 bootloader would be appended, the boot image could be changed to the&nbsp;bl2_w_dtb.s32-sdcard.m7 instead of the original one, but when booted to Linux, while enabling secure boot, the command is like:</P> <P>hse-secboot -s -d /dev/mmcblk0 --bl2_key /etc/keys/secboot/bl2_rsa2048_public.pem --bl31_key -:0x010700 --bl33_key -:0x010700 --bl2_sign /etc/keys/secboot/bl2-signature.bin-sdcard --bl2_bin /etc/keys/secboot/bl2_w_dtb.bin-sdcard</P> <P>Which does not match the boot image specified.</P> <P>From my understanding, the default secboot operation steps are only reference for default settings, if there are some additional configurations added, there may be issues.</P> <P>&nbsp;</P> <P>BR</P> <P>Chenyin</P> Fri, 07 Feb 2025 07:11:21 GMT https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2039753#M12561 chenyin_h 2025-02-07T07:11:21Z https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2039980#M12564 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/24163">@chenyin_h</a>,</P><P>&nbsp;</P><P>Thanks for your reply.</P><P>It is reasonable that the default command: “<SPAN>hse-secboot -s -d /dev/mmcblk0 --bl2_key /etc/keys/secboot/bl2_rsa2048_public.pem --bl31_key -:0x010700 --bl33_key -:0x010700 --bl2_sign /etc/keys/secboot/bl2-signature.bin-sdcard --bl2_bin /etc/keys/secboot/bl2_w_dtb.bin-sdcard</SPAN>” is only for normal secure boot, not for m7 case.</P><P>So it is to say that we can not enable m7 and secure boot at same time currently, or else, the issue will show, right?</P><P>&nbsp;</P><P>Thanks,</P><P>Zhantao</P><P>&nbsp;</P> Fri, 07 Feb 2025 13:01:42 GMT https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2039980#M12564 hittzt 2025-02-07T13:01:42Z https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2040257#M12573 <P>Hello,&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/135277">@hittzt</a>&nbsp;</P> <P>Thanks for the reply.</P> <P>Yes, from my understanding, the secure boot example shown in BSP UM is for default settings.</P> <P>&nbsp;</P> <P>BR</P> <P>Chenyin</P> Sat, 08 Feb 2025 01:59:17 GMT https://community.nxp.com/t5/S32G/M7-boot-with-secure-boot-feature-enabled-on-RDB3-SDK-BSP43/m-p/2040257#M12573 chenyin_h 2025-02-08T01:59:17Z