topic Re: Multi-stage Secure Boot in iMX6 through SPL & u-boot.img in i.MX Processors

Multi-stage Secure Boot in iMX6 through SPL & u-boot.img

satyadamarla — Thu, 10 Nov 2016 10:58:12 GMT

Hello Guys,

I was successfull in getting Secure Boot running through u-boot-imx-2013 (https://community.nxp.com/thread/428505 ) and we recently moved to u-boot-denx-2015 for multi stage booting as we have read some reports about speed and effciency. Fortunately, we got the multi stage boot working. Now, we want to get the Secure Boot working also in this multi-stage booting. I am not sure this is the place to ask the current question but I am sure many people here can guide me here than else where. So, please bear with me.

Working - Normal Multi-stage Boot: This works like a charm

1. There are two main files SPL and u-boot.img

2. They are flashed onto the sd card

sudo dd if=SPL of=/dev/sdc bs=1k seek=1

sudo dd if=u-boot.img of=/dev/sdc bs=1k seek=69

3. seek=1 which means 0x400 (1KB) is to be left free and SPL has to be flashed

4. seek=69 means that SPL cannot be great than 68KB. After that it is u-boot.img

Not Working - Secure Multi-stage Boot:

SPL is only 39936 Bytes (0x9C00) but devices like sd card and flash needs to be padded with 0x1000 (4KB). So, it is padded. 40960 Bytes (0xA000) is the new size.
SPL hexdump looks like this SPL
The SPL starts with IVT and therefore the Authenticate data of CSF file is as follows
The CSF bin generated by CST is added to SPL.pad to generate SPL-signed.bin. This SPL-signed.bin is further padded to the size 0x1000
I flashed the new SPL-signed.bin.pad and u-boot.img as in the Normal Multi-stage boot. Unfortunately it doesnt work.

Questions?

Is there any mistake in my above process to get secure boot running?
I only sign the SPL image and not u-boot.img as I assume that the ROM only check the first part of the boot loader which is SPL in the current case. Is this wrong?
How do I know at what RAM address is the u-boot.img is loaded to? Where in the code could that be written?

Ask me anything for more info, I would be happy to receive help from you guys.

Greets,

Satya

Re: Multi-stage Secure Boot in iMX6 through SPL & u-boot.img

igorpadykov — Sat, 12 Nov 2016 01:49:27 GMT

Hi Satya

for u-boot-denx-2015 issues one can post on meta-fsl-arm mailing list or uboot mail
list, so that someone familiar with that version could try to assist you.
https://lists.yoctoproject.org/listinfo/meta-freescale
http://lists.denx.de/mailman/listinfo/u-boot
alternatively one can try uboot-imx which is supported in nxp official bsps (note spl is not
used in nxp versions).
http://git.freescale.com/git/cgit.cgi/imx/uboot-imx.git/tree/?h=imx_v2015.04_4.1.15_1.0.0_ga

Best regards
igor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

Re: Multi-stage Secure Boot in iMX6 through SPL & u-boot.img

fabio_estevam — Sat, 12 Nov 2016 13:07:55 GMT

Please check this series posted recently in the U-Boot mailing list:

[U-Boot] [PATCH 0/5] arm: imx6: Enable Secure Boot (HAB) with SPL Builds

Re: Multi-stage Secure Boot in iMX6 through SPL & u-boot.img

satyadamarla — Wed, 16 Nov 2016 13:42:05 GMT

Hello Fabio, Hello Igor

Thanks for the link. I had a look deeply into the link and it has nothing to do with my problem. The patches in the link are for SPL (1st stage bootloader) to authenticate u-boot.img (2nd stage bootloader). On the other hand, my problem is with ROM Boot authenticating the SPL. This is one step before and had to do with the way ROM Boot authenticates the 1st image, i.e. SPL

My SPL.imx is as follows

The HAB error is

It's actually at DCD data. The error means the following

0x33 - failure

0x06 - Invalid Command - command malformed

0xC0 - Error occured while executing CSF or DCD, in our case DCD

0x00 - Any Engine

Data - "CC 00 04 04" which means

CC - Write Data

00 04 - Length of DCD which is 4 Bytes

04 - Width of addresses which is 32bit or 4 Bytes.

Can you guys tell me why this occurs? Is it a mistake that the length of DCD data is only 4 Bytes and the rest is empty? Did any one check their SPL's DCD data?

Greets,

Satya

Re: Multi-stage Secure Boot in iMX6 through SPL & u-boot.img

fabio_estevam — Wed, 16 Nov 2016 15:19:37 GMT

I would suggest you to try U-Boot 2016.11 and post the issue at the U-Boot mailing list.

Re: Multi-stage Secure Boot in iMX6 through SPL & u-boot.img

satyadamarla — Thu, 17 Nov 2016 09:13:02 GMT

Hello Everyone,

I solved it through a contributor to u-boot, Sven Ebenfeld.

Solution:

Change the DCD address in IVT to 0x0. For the moment I just hacked it using hex editor but this has to be changed in the code. That means my new SPL.imx looks as follows

Output:

Why did it work? Possible Explanation:

DCD is actually information about initialising RAM which I assume is done by the firmware part, the second stage of bootloader (u-boot.img). So, there is no necessity of it being mentioned in the IVT data structure. So, changing DCD address to 0x0 doesn't effect the booting in any way.

Greets & Thanks,

Satya

Re: Multi-stage Secure Boot in iMX6 through SPL & u-boot.img

mach — Tue, 03 Jan 2017 09:01:30 GMT

Hello Satya,

I notice that you have finished Normal Multi-stage Boot, could you help me to answer my question: https://community.nxp.com/message/864563. Thanks.

Best wishes,