topic Re: Secure u-boot issues iMX8M Nano in i.MX Processors

Secure u-boot issues iMX8M Nano

malicious_mind — Thu, 11 Aug 2022 12:45:37 GMT

Hello crew,

I was following procedure from link below to do secure u-boot and there are some issues about it:

Steps to enable secure boot in i.MX8M Nano - NXP Community

My u-boot is on sd card and there are HAB Events:

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x45 0x33 0x11 0xcf 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CSF (0x11)
CTX = HAB_CTX_CSF (0xCF)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x1f 0xc0
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x1f 0xe0
0x00 0x00 0x00 0x0c

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x20 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

But when I flash this to the eMMC, hab events are gone, why ?

Why procedure from this link is different than procedure on this link mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc - uboot-imx - i.MX U-Boot (codeaurora.org) ?

On codeaurora link they are flashing OTP fuses first and then check HAB events ? What is correct way to do it (please somebody official from NXP to answer) ?

Another question is, can I have only secure u-boot with non-secure kernel image and how to do it ? Do I need padding like it is mentioned on mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc - uboot-imx - i.MX U-Boot (codeaurora.org) paragraph 2 or ?

For now we have u-boot enabled on eMMC but kernel will not start, what's the best way to proceed ?

Thanks.

Re: Secure u-boot issues iMX8M Nano

Harvey021 — Mon, 15 Aug 2022 09:27:27 GMT

Hi @malicious_mind

Based on the hab events. There exists problem in your signing process. Let's firstly focus on the signed uboot image which can be boot in eMMC normally, but not with SD Card.

Can you please make sure that the eMMC in board is formatted before flashing and the signed uboot image for SD Card with hab events to the eMMC?

Best regards

Harvey

Re: Secure u-boot issues iMX8M Nano

malicious_mind — Tue, 16 Aug 2022 07:20:33 GMT

Hello Harvey

We manage do to it, I will upload tutorial here but issue is when I erase eMMC I can't directly flash it only via SD card and I used 7 SD and it is always same story:

Device 0: unknown device
switch to partitions #0, OK
mmc1 is current device
Scanning mmc 1:1...
Error reading cluster
** Unable to read file /imx8mn-evk.dtb **
Failed to load '/imx8mn-evk.dtb'
** No partition table - mmc 1 **
** No partition table - mmc 1 **
libfdt fdt_check_header(): FDT_ERR_BADMAGIC
Scanning disk mmc@30b50000.blk...
** fs_devread read error - block
Failed to mount ext2 filesystem...
** Unrecognized filesystem type **
Scanning disk mmc@30b60000.blk...
** Unrecognized filesystem type **
Found 2 disks
No EFI system partition
adv7535_mipi2hdmi adv7535@3d: Can't find cec device id=0x3c
fail to probe panel device adv7535@3d
mxs_video lcd-controller@32e00000: failed to get any video link display timings
ERROR: invalid device tree
** No partition table - mmc 1 **
switch to partitions #0, OK
mmc2(part 0) is current device
** No partition table - mmc 2 **
Running BSP bootcmd ...
switch to partitions #0, OK
mmc1 is current device
Failed to load 'boot.scr'
Error reading cluster
** Unable to read file Image **
Failed to load 'Image'
Booting from net ...
ethernet@30be0000 Waiting for PHY auto negotiation to complete......................................... TIMEOUT !
Could not initialize PHY ethernet@30be0000
BOOTP broadcast 1
BOOTP broadcast 2
BOOTP broadcast 3
BOOTP broadcast 4
BOOTP broadcast 5
BOOTP broadcast 6
BOOTP broadcast 7
BOOTP broadcast 8
BOOTP broadcast 9
BOOTP broadcast 10
BOOTP broadcast 11
BOOTP broadcast 12
BOOTP broadcast 13
BOOTP broadcast 14
BOOTP broadcast 15
BOOTP broadcast 16
BOOTP broadcast 17

Retry time exceeded; starting again
ethernet@30be0000 Waiting for PHY auto negotiation to complete......................................... TIMEOUT !
Could not initialize PHY ethernet@30be0000
BOOTP broadcast 1
BOOTP broadcast 2
BOOTP broadcast 3
BOOTP broadcast 4
BOOTP broadcast 5
BOOTP broadcast 6
BOOTP broadcast 7
BOOTP broadcast 8
BOOTP broadcast 9
BOOTP broadcast 10
BOOTP broadcast 11
BOOTP broadcast 12
BOOTP broadcast 13
BOOTP broadcast 14
BOOTP broadcast 15
BOOTP broadcast 16
BOOTP broadcast 17

Retry time exceeded; starting again
WARN: Cannot load the DT

I have MCU which is didn't have eMMC erased and everything is working perfectly but for these two which have erased eMMC I got this error. Any ideas ?

Re: Secure u-boot issues iMX8M Nano

Harvey021 — Tue, 16 Aug 2022 22:56:31 GMT

Hi @malicious_mind

Based on the boot log, there are no loading dtb and Image. You can follow up the 4.3 Preparing an SD/MMC card to boot of Linux User Guide.

If you still have such issue related to SD/MMC card to boot, please raise another case for further assistance.

On codeaurora link they are flashing OTP fuses first and then check HAB events ? What is correct way to do it (please somebody official from NXP to answer) ?

> Firstly blow fuse and then check hab events.

Another question is, can I have only secure u-boot with non-secure kernel image and how to do it ?

> You can disable kernel/DTB image authenticate in u-boot, it's "booti" command for i.mx8 platform.

diff --git a/cmd/booti.c b/cmd/booti.c
index a132949091..b66dfbff0e 100644
--- a/cmd/booti.c
+++ b/cmd/booti.c
@@ -42,7 +42,7 @@ static int booti_start(cmd_tbl_t *cmdtp, int flag, int argc,
if (ret != 0)
return 1;

-#if defined(CONFIG_IMX_HAB) && !defined(CONFIG_AVB_SUPPORT)
+#if 0
extern int authenticate_image(
uint32_t ddr_start, uint32_t raw_image_size);
if (authenticate_image(ld, image_size) != 0) {

Best regards

Harvey