- NXP Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- Vigiles
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
-
- Home
- :
- Product Forums
- :
- Other NXP Products
- :
- Where to find the iMX8X Secure Boot OS Container Address
Where to find the iMX8X Secure Boot OS Container Address
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Able to sign the imx-boot-apalis-imx8x-sd.bin-flash or imx-boot file using the NXP cst tool and flash the image to RAM. Was able to fuse the keys and when checked the SECO event status, after a reboot and reflash, using ahab_status there were no SECO events. This suggests all was successful.
I now need to check the OS container address using the uboot command auth_cntr addr to confirm before closing.
1) Where is the OS container address, or where can I find it for the iMX8X yocto default build with AHAB enabled and using secure boot?
The comment in the iMX8 machine conf file seems to suggest that the container is flashed at an offset of 0, but then the actual offset seems to be handled automatically. And offset 0 doesn't indicate a OS container when checked in u-boot.
In the imx-boot log.do_compile the line "container image offset (aligned):12000". So maybe this is the "real" offset/address of the boot container, but no indication from u-boot that this is correct address when using the aut_cntr command.
2) Is the OS container address the start address of the imx-boot container, or what is the OS container address?
3) The imx-boot OS container includes the DDR memory timings, the SCU firmware, the ATF and U-Boot as well as any potential Cortex-M4 auxiliary firmware, but it does not include the kernel and rootfs, is this correct?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
“auth_cnrt” command needs a address where you load your signed kernel image into. You can find below env variables in NXP release u-boot.
"cntr_addr=0x98000000\0" \
"cntr_file=os_cntr_signed.bin\0" \
"loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \
"auth_os=auth_cntr ${cntr_addr}\0" \
We have detail steps in NXP release u-boot: doc/imx/ahab/ . You can refer them for your development.
Note:
1. The signed kernel image is encapsulated by container format, but there is only one container in this image. It is different with the boot image which has two containers.
2. The address 0x98000000 could be any address that is valid in DDR. It is just used as a buffer for image loading from storage media (like SD/eMMC). The real kernel address is specified in the container. “auth_cntr” will parse the container and copy the kernel image payload to that real kernel address. You don’t need to tell this real kernel address to auth_cntr.
According to the i.MX 8, i.MX 8X Secure Boot guide using AHAB to authenticate the OS container, one can specify either sec_boot=yes in the U-Boot environment variable or also authenticate the OS image by running the U-Boot command auth_cntr <Container address> which is the DDR load address of the signed kernel image (i.e., the OS container).
igorpadykov
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi tlsmith3777
one can look at uboot documentation
https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/ahab?h=imx_v2020.04_5.4.70_2.3.0
and AN12312 Secure Boot on i.MX 8 and i.MX 8X Families using AHAB
Best regards
igor
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you igor, but unfortunately the documentation does not address the questions. Please see the following and my response. https://community.nxp.com/t5/i-MX-Processors/Questions-about-IMX8QXP-Seboot-function/td-p/1070824
igorpadykov
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
also one can look at Chapter 5 System Boot, in particular Figure 5-1. Layout of Boot Device
i.MX 8DualXPlus/8QuadXPlus Applications Processor Reference Manual
Best regards
igor
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
“auth_cnrt” command needs a address where you load your signed kernel image into. You can find below env variables in NXP release u-boot.
"cntr_addr=0x98000000\0" \
"cntr_file=os_cntr_signed.bin\0" \
"loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \
"auth_os=auth_cntr ${cntr_addr}\0" \
We have detail steps in NXP release u-boot: doc/imx/ahab/ . You can refer them for your development.
Note:
1. The signed kernel image is encapsulated by container format, but there is only one container in this image. It is different with the boot image which has two containers.
2. The address 0x98000000 could be any address that is valid in DDR. It is just used as a buffer for image loading from storage media (like SD/eMMC). The real kernel address is specified in the container. “auth_cntr” will parse the container and copy the kernel image payload to that real kernel address. You don’t need to tell this real kernel address to auth_cntr.
According to the i.MX 8, i.MX 8X Secure Boot guide using AHAB to authenticate the OS container, one can specify either sec_boot=yes in the U-Boot environment variable or also authenticate the OS image by running the U-Boot command auth_cntr <Container address> which is the DDR load address of the signed kernel image (i.e., the OS container).
