Dear yipingwang, thank you for this detailed information. Here is the input file I am currently using:
/* Copyright (c) 2013 Freescale Semiconductor, Inc.
* All rights reserved.
*/
---------------------------------------------------
# Specify the platform. [Mandatory]
# Choose Platform - 1010/1040/2041/3041/4080/5020/5040/9131/9132/9164/4240/C290/LS1
PLATFORM=LS1
# ESBC Flag. Specify ESBC=0 to sign u-boot and ESBC=1 to sign ESBC images.(default is 0)
ESBC=0
---------------------------------------------------
# Entry Point/Image start address field in the header.[Mandatory]
# (default=ADDRESS of first file specified in images)
ENTRY_POINT=10000a00
---------------------------------------------------
# Specify the file name of the keys seperated by comma.
# The number of files and key select should lie between 1 and 4 for 1040 and C290.
# For rest of the platforms only one key is required and key select should not be provided.
# USAGE (for 4080/5020/5040/3041/2041/1010/913x): PRI_KEY = <key1.pri>
# USAGE (for 1040/C290/9164/4240/LS1): PRI_KEY = <key1.pri>, <key2.pri>, <key3.pri>, <key4.pri>
# PRI_KEY (Default private key :srk.pri) - [Optional]
PRI_KEY=srk.pri
# PUB_KEY (Default public key :srk.pub) - [Optional]
PUB_KEY=srk.pub
# Please provide KEY_SELECT(between 1 to 4) (Required for 1040/C290/9164/4240/LS1 only) - [Optional]
KEY_SELECT=
---------------------------------------------------
# Specify SG table address, only for (2041/3041/4080/5020/5040) with ESBC=0 - [Optional]
SG_TABLE_ADDR=
---------------------------------------------------
# Specify the target where image will be loaded. (Default is NOR_16B) - [Optional]
# Only required for Non-PBL Devices (1010/1040/9131/9132i/C290)
# Select from - NOR_8B/NOR_16B/NAND_8B_512/NAND_8B_2K/NAND_8B_4K/NAND_16B_512/NAND_16B_2K/NAND_16B_4K/SD/MMC/SPI
IMAGE_TARGET=
---------------------------------------------------
# Specify IMAGE, Max 8 images are possible. DST_ADDR is required only for Non-PBL Platform. [Mandatory]
# USAGE : IMAGE_NO = {IMAGE_NAME, SRC_ADDR, DST_ADDR}
IMAGE_1={u-boot-spl.bin,10000a00,ffffffff}
IMAGE_2={,,}
IMAGE_3={,,}
IMAGE_4={,,}
IMAGE_5={,,}
IMAGE_6={,,}
IMAGE_7={,,}
IMAGE_8={,,}
---------------------------------------------------
# Specify OEM AND FSL ID to be populated in header. [Optional]
# e.g FSL_UID=11111111
FSL_UID=
FSL_UID_1=
OEM_UID=
OEM_UID_1=
---------------------------------------------------
# Specify the file names of csf header and sg table. (Default :hdr.out) [Optional]
OUTPUT_HDR_FILENAME=hdr_uboot-spl.out
# Specify the file names of hash file and sign file.
HASH_FILENAME=img_hash.out
INPUT_SIGN_FILENAME=sign.out
# Specify the signature size.It is mandatory when neither public key nor private key is specified.
# Signature size would be [0x80 for 1k key, 0x100 for 2k key, and 0x200 for 4k key].
SIGN_SIZE=
---------------------------------------------------
# Specify the output file name of sg table. (Default :sg_table.out). [Optional]
# Please note that OUTPUT SG BIN is only required for 2041/3041/4080/5020/5040 when ESBC flag is not set.
OUTPUT_SG_BIN=
---------------------------------------------------
# Following fields are Required for 4240/9164/1040/C290 only
# Specify House keeping Area
# Required for 4240/9164/1040/C290 only when ESBC flag is not set. [Mandatory]
HK_AREA_POINTER=
HK_AREA_SIZE=
---------------------------------------------------
# Following field Required for 4240/9164/1040/C290 only
# Specify Secondary Image Flag. (0 or 1) - [Optional]
# (Default is 0)
SEC_IMAGE=0
# Specify Manufacturing Protection Flag. (0 or 1) - [Optional]
# Required only for LS1(Default is 0)
MP_FLAG=1
---------------------------------------------------
VERBOSE=1
Additional information:
- the board is a ls1021atwr
- I copied u-boot-spl.bin to the CST directory before using the uni_sign command
- srk.pri/pub have been generated using gen_keys 4096
- I'm attempting a secure boot via SD card, so I created a file with RCW/PBI/CST/u-boot-spl.bin/u-boot.bin flashed onto the SD card.
- The PBL copies the CST/u-boot-spl.bin/u-boot.bin part from SD to OCRAM at address 0x10000000, so u-boot-spl.bin is at 0x10000a00
- OTPMK is burnt on the fuses
- RSA Hash is written in mirror registers using ccs
- Once this is done, I release core0 and let the secure boot happen.
From this setting, I had some issues. The ISBC successfully checked the barker word, but returned the error "too may image file (> 8)". Using ccs, I saw that the endianness of the SG table was wrong, so I changed the endianness of the CST except for the barker word. Then I got the error "key modulus is 0", so I realized I needed to change the endianness of only some parts of the header. Now I get a "Wrong hash computation".
I think this endianness issue comes from the fact that I am attempting secure boot from SD, so the PBI commands that copy from SD to OCRAM might mess with the endianness. In order to test a scenario known to work, I am attempting booting from the NOR (done yesterday), and I'll try secure boot from the NOR today.
Best,
Vincent
PS: to create the image I flash on the SD card, I run the following commands, extracted from the u-boot makefile:
$ # create CSF header
$ uni_sign input_file
$ # append CSF header and SPL
$ cat hdr_uboot-spl.out u-boot-spl.bin > u-boot-spl-with-hdr.bin
$ # append RCW/PBI generated commands to SPL
$ mkimage -n $(UBOOT_SRC)/$(CONFIG_SYS_FSL_PBL_RCW) \
-R $(UBOOT_SRC)/$(CONFIG_SYS_FSL_PBL_PBI) -T pblimage \
-A $(ARCH) -a 0x10000000 -d u-boot-spl-with-hdr.bin u-boot-spl.pbl
$ # padding
$ objcopy -I binary -O binary --pad-to=$(CONFIG_SPL_PAD_TO) \
--gap-fill=0xff u-boot-spl.pbl u-boot-spl.pbl.padded
$ # adding u-boot.img
$ cat u-boot-spl.pbl.padded u-boot.img > signed-u-boot-with-spl.bin
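The post places the SPL at 0x10000a00 because the header is concatenated in front of it and the result is loaded at 0x10000000. The following added example (not part of the original post, and not CST code) checks that the input file agrees with that layout. The function names and the `load_addr`/`hdr_size` parameters are assumptions made for illustration; `hdr_size` would be the on-disk size of `hdr_uboot-spl.out`.

```python
import re

# Constructed sample: the fields of the posted input file that drive image layout.
SAMPLE_INPUT = """\
# Entry Point/Image start address field in the header.[Mandatory]
PLATFORM=LS1
ENTRY_POINT=10000a00
---------------------------------------------------
IMAGE_1={u-boot-spl.bin,10000a00,ffffffff}
IMAGE_2={,,}
OUTPUT_HDR_FILENAME=hdr_uboot-spl.out
"""

def parse_input_file(text):
    """Parse KEY=VALUE lines; skip comments, separators and empty values."""
    fields, images = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "/*", "*", "-")) or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = re.fullmatch(r"\{(.*?),(.*?),(.*?)\}", value)
        if key.startswith("IMAGE_") and m:
            name, src, dst = (s.strip() for s in m.groups())
            if name:  # "{,,}" marks an unused image slot
                images.append((name, int(src, 16), int(dst, 16)))
        elif value:
            fields[key] = value
    return fields, images

def check_layout(text, load_addr, hdr_size):
    """Return mismatches between the input file and the concatenated image layout."""
    fields, images = parse_input_file(text)
    problems = []
    # "cat hdr.out spl.bin" puts the SPL immediately after the header.
    expected = load_addr + hdr_size
    entry = int(fields["ENTRY_POINT"], 16)
    if entry != expected:
        problems.append(f"ENTRY_POINT {entry:#x} != load+hdr {expected:#x}")
    if not images:
        problems.append("no IMAGE_n entry")
    elif images[0][1] != expected:
        problems.append(f"IMAGE_1 SRC_ADDR {images[0][1]:#x} != {expected:#x}")
    if len(images) > 8:
        problems.append("more than 8 images")
    return problems
```

An empty result means the entry point and the first image's source address both equal the load address plus the header size; any other header size makes the signed addresses point at the wrong bytes.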