topic U-boot FIT image verification failed when HAB is enabled in i.MX Processors

U-boot FIT image verification failed when HAB is enabled

robertliu — Mon, 29 Nov 2021 03:57:59 GMT

Hi,

I enabled the HAB (CONFIG_IMX_HAB) and FIT image verification in u-boot. It also has CAAM related options and "CONFIG_RSA_FREESCALE_EXP" enabled automatically. However, u-boot failed to verify my signed FIT image. I also forced the FIT image verification to use "mod_exp_sw" and it worked well.

The error message was "fsl_mod_exp: RSA failed to verify: -1". It seems the error was happened in "drivers/crypto/fsl/jr.c: run_descriptor_jr_idx()" when it was calling "jr_dequeue()".

Is there anything I can verify the CAAM and fsl_rsa_mod are working on my device?

My environment:
- i.mx8m mini
- atf + op-tee enabled
- u-boot is the upstream v2021.07 version from the hardware vendor
- sha256 and rsa204 are used for FIT image signatures.

Thank you

Re: U-boot FIT image verification failed when HAB is enabled

Yuri — Tue, 30 Nov 2021 05:16:52 GMT

@robertliu
Hello,

the following may be helpful:

https://community.nxp.com/t5/i-MX-Processors/Is-there-a-way-to-sign-a-FIT-image-as-a-whole-for-HAB/m-p/1361708

Regards,
Yuri.

Re: U-boot FIT image verification failed when HAB is enabled

robertliu — Tue, 30 Nov 2021 07:08:58 GMT

Hi @Yuri

The post you provided is not the same as my issue. U-boot did load the kernel FIT image successfully. The verification was failed in CAAM (fsl_mod_exp() of u-boot).

So I was wondering if it's possible to test CAAM in u-boot, or if there's any document showing how to access CAAM.

Thanks,

Re: U-boot FIT image verification failed when HAB is enabled

Yuri — Wed, 22 Dec 2021 07:01:08 GMT

@robertliu
Hello,

I am afraid we do not have special CAAM tests in U-boot.

Regards,
Yuri.

Re: U-boot FIT image verification failed when HAB is enabled

Bayou — Wed, 10 Apr 2024 12:05:53 GMT

Well, for anybody stumbling on this thread:

In U-Boot 2020.04 I had the problem the FIT image verification with iminfo was OK, but bootm did not find the signature. I do not want to use the HAB certificates, but instead only rely on FIT signature.

I've enabled CONFIG_SPL_RSA and CONFIG_RSA_SOFTWARE_EXP and patched lib/rsa/rsa-verify.c:rsa_verify_key to move back to software checking as such:

ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf); printf("%s: error rsa_mod_exp\n", __func__); if (ret) { printf("%s: attempting rsa_mod_exp_sw instead \n", __func__); ret = rsa_mod_exp_sw(sig, sig_len, prop, buf); }

This seems to work.