topic Re: imx8qxp-mek secure boot in i.MX Processors

imx8qxp-mek secure boot

rakesh3 — Tue, 31 Oct 2023 10:57:53 GMT

I am using the imx8qxp-mek board and implementing the secure boot.

But I am getting the below ahab events while running the ahab status .

=> ahab_status
Lifecycle: 0x0020, NXP closed

SECO Event[0] = 0x0087EE00
CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
IND = AHAB_NO_AUTHENTICATION_IND (0xEE)

And also I am using the op-tee os and while at boot up time I am getting below warning messages.

I/TC: Non-secure external DT found
I/TC: OP-TEE version: 4e32281 (gcc version 12.2.0 (Debian 12.2.0-14)) #1 Thu Jan 1 01:00:00 UTC 1970 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html

Could this be the cause of this ahab status events or not ?

I checked the events code means, its saying that container is not signed But i have signed the image using cst tool.

Please suggest me on this issue.

Regards,

Re: imx8qxp-mek secure boot

Harvey021 — Thu, 02 Nov 2023 07:03:59 GMT

The error is telling that container is not signed (signature is missing).

if you run make SOC=iMX8QX flash_spl, you should see another container signature block from print log for signing.

You can refer to soc.mak for what images you need to compile.

Best regards

Harvey

Re: imx8qxp-mek secure boot

rakesh3 — Thu, 02 Nov 2023 09:41:23 GMT

Hi @Harvey021 ,

thanks for reply.

I have all the required images for flash_spl , checked in the soc.mk file.

I am following the below file

https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt

for flash_spl which seems incorrect. I should have followed the below one instead of above one.

https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt

since i am building the image for flash_spl

$cd imx-mkimage

$make SOC=iMX8QX flash_spl

In the above one document we have to sign the u-boot-atf image also and then sign the flash.bin after

$make SOC=iMX8QX flash_spl

But after this also I am getting the same error code,which says image is not signed .

SECO Event[1] = 0x0087EE00
CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
IND = AHAB_NO_AUTHENTICATION_IND (0xEE)

flash_spl needed following bins.

flash_spl: $(MKIMG) $(AHAB_IMG) scfw_tcm.bin u-boot-spl.bin u-boot-atf-container.img

1) scfw_tcm.bin

2) ub-too-spl.bin

3) u-boot-atf-container.img

Here do we need to sign the u-boot-atf-container.img file also as mentioned in

https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt?

Where I am missing the steps ? Am i following the correct document or missing any steps for this . ?

Also I am flashing the signed flash.bin image to uboot as below cmd

$sudo dd if=signed_flash.bin of=/dev/mmcblk0 bs=1k seek=32; sync

Please suggest on this! Its quite seems complicated than it mentioned in doc.

Please help me on this secure boot steps.

Regards,

Re: imx8qxp-mek secure boot

Harvey021 — Thu, 02 Nov 2023 10:15:56 GMT

You need to sign u-boot-atf-container.img if target is flash_spl. refer to: uboot-imx/doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt at lf_v2023.04 · nxp-imx/uboot-imx · GitHub

Best regards

Harvey

Re: imx8qxp-mek secure boot

rakesh3 — Mon, 06 Nov 2023 07:59:32 GMT

Hi @Harvey021 ,

Thanks for reply,

During the signing process of uboot-atf in debian rules override_dh_auto_build process, while running the below code

Certain doubts:

1) which container needs to be signed for uboot final signed image flash.bin if we are following flash_spl target. As per soc.mk of imx-mkimage. flash_spl contains below 3 containers.

https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt

a) scfw_tcm.bin

b) u-boot-spl.bin

c) u-boot-atf-container.img

From above which needs to be signed . In above link doc its describing about signing of u-boot-proper+atf only but at line L- 212, it says that

The flash.bin file include three containers and the second container have to be
signed using the Code Signing Tool (CST).

So , it means that 2nd container here "u-boot-spl.bin" also needs to get signed using cst tool. If yes then how will we get the Container offset and signature of this binary ? its not mentioned in the doc.

2) We don't have to sign the scfw_tcm.bin ?

3) I have generated the cst key having enabled the CA flags in that while generating the SRK certificate so , I am confused which csf file should i use (a) csf_boot_image.txt or csf_boot_image_sgk.txt ?

bash ./bin/cst -i csf_uboot_atf.txt -o signed-u-boot-atf-container.img

I am getting the below error.

bash: ./bin/cst: ./bin/cst: cannot execute binary file,

/release/linux64/bin$ file cst
cst: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a7c94f18b0d664d9d03f1a28ed2979ac407044a1, stripped

Seems like this cst binary is build for x86-64 ? Can we get the cst binary for ARM64 ?

Could you please give some suggestion on this ! it will be helpful

Regards,

Re: imx8qxp-mek secure boot

rakesh3 — Mon, 06 Nov 2023 09:36:39 GMT

Hi @Harvey021 ,

Thanks for reply,

1) which container needs to be signed for uboot final signed image flash.bin if we are following flash_spl target. As per soc.mk of imx-mkimage. flash_spl contains below 3 containers.

https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt

a) scfw_tcm.bin

b) u-boot-spl.bin

c) u-boot-atf-container.img

From above which needs to be signed . In above link doc its describing about signing of u-boot-proper+atf only but at line L- 212, it says that

The flash.bin file include three containers and the second container have to be
signed using the Code Signing Tool (CST).

2) We don't have to sign the scfw_tcm.bin ?

Please suggest on these doubts.

Regards,