Hi,
ls1088a rdb, sd boot mode.
I based on Layerscape Linux Distribution POC User Guide Rev. L5.15.71-2.2.0 — 17 February 2023
Could you please describe how I can sign u-boot binaries manually?
I generate bl2_sd.pbl and fip_uboot.bin (as well as rcw_1600_sd.rcw [without SB_EN =1], rcw_1600_sd.bin and u-boot.bin) due to bitbake qoriq-atf. I know that can generate it as secure, but I need to do it manually.
As far as I know, for it the uni_sign is used, but I don't understand what is flow.
Am I correct?
The input file for both hash and u-boot signing
/* Copyright (c) 2015 Freescale Semiconductor, Inc.
*/
ESBC=1
---------------------------------------------------
# Specify the platform. [Mandatory]
# Choose Platform -
# TRUST 3.0: LS2085
# TRUST 3.1: LS2088, LS1088
PLATFORM=LS1088
---------------------------------------------------
# Entry Point/Image start address field in the header.[Mandatory]
# (default=ADDRESS of first file specified in images)
# Address can be 64 bit
ENTRY_POINT=80400000
---------------------------------------------------
# Specify the Key Information.
# PUB_KEY [Mandatory] Comma Seperated List
# Usage: <srk1.pub> <srk2.pub> .....
PUB_KEY=srk.pub
# KEY_SELECT [Mandatory]
# USAGE (for TRUST 3.x): (between 1 to
KEY_SELECT=1
# PRI_KEY [Mandatory] Single Key Used for Signing
# USAGE: <srk.pri>
PRI_KEY=srk.pri
---------------------------------------------------
# Specify IMAGE, Max 8 images are possible.
# DST_ADDR is required only for Non-PBL Platform. [Mandatory]
# USAGE : IMAGE_NO = {IMAGE_NAME, SRC_ADDR, DST_ADDR}
# Address can be 64 bit
IMAGE_1={u-boot.bin,80400000,ffffffff}
IMAGE_2={,,}
IMAGE_3={,,}
IMAGE_4={,,}
IMAGE_5={,,}
IMAGE_6={,,}
IMAGE_7={,,}
IMAGE_8={,,}
---------------------------------------------------
# Specify OEM AND FSL ID to be populated in header. [Optional]
# e.g FSL_UID_0=11111111
FSL_UID_0=
FSL_UID_1=
OEM_UID_0=
OEM_UID_1=
OEM_UID_2=
OEM_UID_3=
OEM_UID_4=
---------------------------------------------------
# Specify the output file names [Optional].
# Default Values chosen in Tool
OUTPUT_HDR_FILENAME=hdr_uboot.out
IMAGE_HASH_FILENAME=
RSA_SIGN_FILENAME=
---------------------------------------------------
# Specify The Flags. (0 or 1) - [Optional]
MP_FLAG=0
ISS_FLAG=1
LW_FLAG=0
---------------------------------------------------
# Specify VERBOSE as 1, if you want to Display Header Information [Optional]
VERBOSE=1
The u-boot.bin wasn't modified, but I got hdr_uboot.out.
Thanks a lot.
Thank you for contacting NXP support!
Follow these steps to compile and deploy TF-A binaries (bl2_.pbl) on the required boot mode.
1-COMPILE PBL BINARY FROM RCW SOURCE FILE
You have to create a new directory to compile the binaries that you need to create a TF-A binary
You need to compile the rcw_<boot_mode>.bin binary to build the bl2_<boot_mode>.pbl binary.
Clone the rcw repository and compile the PBL binary.
Inside of the directory called “RR_FQPP_1455” you can see some binaries in the with the next nomenclature:
rcw_<freq>.bin
Where “freq” is the frequency in MHz of the processor.
2-COMPILE U-BOOT BINARY
You need to compile the u-boot.bin binary to build the fip.bin binary.
Clone the u-boot repository and compile the U-Boot binary for TF-A
3 Compile TF-A binaries (bl2_.pbl and fip.bin)
The compiled BL2 binaries, bl2.bin and bl2_<boot mode>.pbl are available at atf/build/<platform>/release/.
NOTE: For any update in the BL2 source code or RCW binary, the bl2_<boot mode>.pbl binary needs to be recompiled.
3.1 HOW TO COMPILE BL2 BINARY
To build BL2 binary with OPTEE, run this command:
$ make PLAT=<platform> bl2 SPD=opteed BOOT_MODE=<boot_mode> BL32=<optee_binary> pbl RCW=<path_to_rcw_binary>/<rcw_binary_for_specific_boot_mode>
The compiled BL2 binaries, bl2.bin and bl2_<boot_mode>.pbl are available at atf/build/<platform>/release/. For any update in the BL2 source code or RCW binary, the bl2_<boot_mode>.pbl binary needs to be recompiled.
To compile the BL2 binary without OPTEE:
make PLAT=<platform> bl2 BOOT_MODE=<boot_mode> pbl RCW=<path_to_rcw_binary>/<rcw_binary_for_specific_boot_mode>
3.2 HOW TO COMPILE FIP BINARY
To build FIP binary with OPTEE and without trusted board boot, run this command:
$ make PLAT=<platform> fip BL33=<path_to_u-boot_binary>/u-boot.bin SPD=opteed BL32=<path_to_optee_binary>/tee.bin
To compile the FIP binary without OPTEE and without trusted board boot:
make PLAT=<platform> fip BL33=<path_to_u-boot_binary>/u-boot.bin
The compiled BL31 and FIP binaries, bl31.bin, fip.bin, are available at atf/build/<platform>/release/. For any update in
the BL31, BL32, or BL33 binaries, the fip.bin binary needs to be recompiled
That is a little example to signin images on LS1043ARDB.
Command to generate public/private key pair
./gen_keys SIZE NAME
SIZE refers to size of public key in bits. (Modulus size).
Sizes supported -- 1024, 2048, 4096. The generated keys are in PEM format.
../cst/gen_keys 1024 -p srk.pri -k srk.pub
===============================================================
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
===============================================================
Generated SRK pair stored in :
PUBLIC KEY srk.pub
PRIVATE KEY srk.pri
The gen_otpmk utility in the Code Signing Tool can be used to generate a 256b random number and insert the hamming code, or simply perform the hamming code insertion for a user defined 256b.
>./gen_otpmk --help
Usage: ./gen_otpmk <trust_arch> [string]
string : 32 byte string
e.g. gen_otpmk 1 1111111122222222333333334444444455555555666666667777777788888888
>./gen_otpmk 2 1111111122222222333333334444444455555555666666667777777788888888
Code Signing Commands for Images: Create CSF Header
Ls -l input_files/uni_sign/ls1043
total 12
-rw-rw-r-- 3 user_lab user_lab 3490 Jan 27 00:34 input_bootscript_secure
-rw-rw-r-- 3 user_lab user_lab 3537 Jan 27 00:34 input_kernel_secure
-rw-rw-r-- 3 user_lab user_lab 3604 Jan 27 00:34 input_uboot_nor_secure
u-boot Image
./input_files/uni_sign/ls1043/input_uboot_nor_secure
The input fields are specified in input_uboot_secure file. Please ensure that the filename mentioned in the input_uboot_secure is same as copied in the cst directory.
Linux Kernel and Root file system
./input_files/uni_sign/ls1043/input_kernel_secure
kernel-fsl-ls1043a-rdb.dtb-ls1043ardb.itb would be validated form u-boot. The flash address used here is according to the address map of u-boot. Please ensure that filename mentioned in the input_uimage_secure is same as copied in the cst directory.
Boot Script
./input_files/uni_sign/ls1043/input_bootscript_secure
Please make sure that filename mentioned in the bootscript is same as copied in the cst directory
Sign the image with CST tools
$ cd /home/user_lab/Linux-LS1043A-SDK-V0.4-20150826-yocto-RDS-20151209/build_ls1043ardb_release/tmp/sysroots/x86_64-linux/usr/bin/cst
$ ll input_files/uni_sign/ls1043
total 12
-rw-rw-r-- 3 user_lab user_lab 3490 Jan 12 08:27 input_bootscript_secure
-rw-rw-r-- 3 user_lab user_lab 3537 Jan 12 08:27 input_kernel_secure
-rw-rw-r-- 3 user_lab user_lab 3604 Jan 12 08:27 input_uboot_nor_secure
$ vi input_files/uni_sign/ls1043/input_kernel_secure
Modify “IMAGE_1={kernel-fsl-ls1043a-rdb.dtb-ls1043ardb.itb,81000000,ffffffff}”
$ vi input_files/uni_sign/ls1043/input_uboot_nor_secure
Modify “IMAGE_1={u-boot-ls1043ardb.bin,60100000,ffffffff}”
$ vi input_files/uni_sign/ls1043/input_bootscript_secure
Note: bootscript is used when you have chain of trust.
CST tool generates the following SHA-256 hash in a binary hash of hex bytes, not string hash of text!
$./uni_sign --hash input_uboot_secure
./uni_sign --hash input_files/uni_sign/ls1043/input_uboot_nor_secure
We have some documents that maybe can be useful, please open a case mentioning me following the link:
you must have a valid NDA to receive that files.
Thank you for your answer. It is really very helpful information.
1. ./gen_otpmk 2 generates OTPMK fuse values. The "2" means that target platform is big-endian one. As far as I know, I must swap this values before fusing because I use a little-endian host machine to generate it. Am I correct?
2. Same with SRKH values. Please confirm it.
3. What should I do with RCW?
3.1 How can I sign it?
3.2 Do I have to sign it before creating .pbl or after?
4.1 FIP file consists at least from BL31 and BL33 (u-boot). Is u-boot signed before creating FIP?
4.2 Where can I get signed by my key BL31?
Thanks a lot for your help!
For RCW should be the same direction for cf the sign it is at the same time as u-boot.bin.
The BL31 is signed on fip.bin in that contains bl31 and bl33.
This is the map for the RCW sign.
We have a very explained tutorial for LS1043 but I can't publish that file here, please open a case following the link and mention my name on the case to provide you with the file.