Where to find the iMX8X Secure Boot OS Container Address

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Where to find the iMX8X Secure Boot OS Container Address

Jump to solution
1,917 Views
Gandalf-kern
Contributor IV

Able to sign the imx-boot-apalis-imx8x-sd.bin-flash or imx-boot file using the NXP cst tool and flash the image to RAM.  Was able to fuse the keys and when checked the SECO event status, after a reboot and reflash, using ahab_status there were no SECO events. This suggests all was successful.

I now need to check the OS container address using the uboot command auth_cntr addr to confirm before closing.

1) Where is the OS container address, or where can I find it for the iMX8X yocto default build with AHAB enabled and using secure boot?  

The comment in the iMX8 machine conf file seems to suggest that the container is flashed at an offset of 0, but then the actual offset seems to be handled automatically. And offset 0 doesn't indicate a OS container when checked in u-boot.

In the imx-boot log.do_compile the line "container image offset (aligned):12000". So maybe this is the "real" offset/address of the boot container, but no indication from u-boot that this is correct address when using the aut_cntr command.

2) Is the OS container address the start address of the imx-boot container, or what is the OS container address?

 

3) The imx-boot OS container includes the DDR memory timings, the SCU firmware, the ATF and U-Boot as well as any potential Cortex-M4 auxiliary firmware, but it does not include the kernel and rootfs, is this correct?

Tags (1)
0 Kudos
Reply
1 Solution
1,875 Views
Gandalf-kern
Contributor IV

  “auth_cnrt” command needs a address where you load your signed kernel image into. You can find below env variables in NXP release u-boot.

       "cntr_addr=0x98000000\0"   \

       "cntr_file=os_cntr_signed.bin\0" \

       "loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \

       "auth_os=auth_cntr ${cntr_addr}\0" \

We have detail steps in NXP release u-boot: doc/imx/ahab/ . You can refer them for your development.

Note: 

1.     The signed kernel image is encapsulated by container format, but there is only one container in this image.  It is different with the boot image which has two containers.

2.     The address 0x98000000 could be any address that is valid in DDR. It is just used as a buffer for image loading from storage media (like SD/eMMC). The real kernel address is specified in the container. “auth_cntr” will parse the container and copy the kernel image payload to that real kernel address. You don’t need to tell this real kernel address to auth_cntr. 

 

According to the i.MX 8, i.MX 8X Secure Boot guide using AHAB to authenticate the OS container, one can specify either sec_boot=yes in the U-Boot environment variable or also authenticate the OS image by running the U-Boot command auth_cntr <Container address> which is the DDR load address of the signed kernel image (i.e., the OS container).

View solution in original post

0 Kudos
Reply
4 Replies
1,905 Views
igorpadykov
NXP Employee
NXP Employee
0 Kudos
Reply
1,892 Views
Gandalf-kern
Contributor IV

Thank you igor, but unfortunately the documentation does not address the questions.  Please see the following and my response. https://community.nxp.com/t5/i-MX-Processors/Questions-about-IMX8QXP-Seboot-function/td-p/1070824

0 Kudos
Reply
1,884 Views
igorpadykov
NXP Employee
NXP Employee

also one can look at Chapter 5 System Boot, in particular Figure 5-1. Layout of Boot Device

i.MX 8DualXPlus/8QuadXPlus Applications Processor Reference Manual

 

Best regards
igor

0 Kudos
Reply
1,876 Views
Gandalf-kern
Contributor IV

  “auth_cnrt” command needs a address where you load your signed kernel image into. You can find below env variables in NXP release u-boot.

       "cntr_addr=0x98000000\0"   \

       "cntr_file=os_cntr_signed.bin\0" \

       "loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \

       "auth_os=auth_cntr ${cntr_addr}\0" \

We have detail steps in NXP release u-boot: doc/imx/ahab/ . You can refer them for your development.

Note: 

1.     The signed kernel image is encapsulated by container format, but there is only one container in this image.  It is different with the boot image which has two containers.

2.     The address 0x98000000 could be any address that is valid in DDR. It is just used as a buffer for image loading from storage media (like SD/eMMC). The real kernel address is specified in the container. “auth_cntr” will parse the container and copy the kernel image payload to that real kernel address. You don’t need to tell this real kernel address to auth_cntr. 

 

According to the i.MX 8, i.MX 8X Secure Boot guide using AHAB to authenticate the OS container, one can specify either sec_boot=yes in the U-Boot environment variable or also authenticate the OS image by running the U-Boot command auth_cntr <Container address> which is the DDR load address of the signed kernel image (i.e., the OS container).

0 Kudos
Reply