LS1043ARDB Secure Boot Yocto

aismail102 · ‎01-18-2021

Objective : Bring-up a stock image via secure boot

Hardware : LS1043ARDB

Image : LS1043ARDB Stock Image

Build Tool : Yocto

Details : I have been able to successfully bring-up the bootloader securely by doing the following:

Followed instructions in section 5.4 in LDSDUG for Yocto to create the secure boot image firmware
Wrote the secure boot firmware to an SD on block 8
Partitioned the SD card with 4 partitions (Partition 2 is boot and Partition 4 is root)
Placed the boot script, secboot_hdrs, device tree, and kernel (.bin) image in partition 2
Place SD onto the dev board and run
Write OTPK and SRKH registers via CCS
Exit hold off

Results: The bootloader comes up, detects a boot script and fails to verify the bootscript (Error 4). See below for the actual output:

NOTICE: Fixed DDR on board

NOTICE: 2 GB DDR4, 32-bit, CL=11, ECC off
NOTICE: BL2: v1.5(release):LSDK-20.04-update-290520
NOTICE: BL2: Built : 13:52:31, May 18 2020
NOTICE: INITIALIZING SEC
NOTICE: Verifying RSA
NOTICE: Verifying hash
NOTICE: Verifying RSA
NOTICE: Verifying hash
NOTICE: BL31: v1.5(release):LSDK-20.04-update-290520
NOTICE: BL31: Built : 13:52:31, May 18 2020
NOTICE: Welcome to LS1043 BL31 Phase

U-Boot 2019.10+fsl+g1e55b2f9e7 (May 26 2020 - 06:54:57 +0000)

SoC: LS1043AE Rev1.1 (0x87920011)
Clock Configuration:
CPU0(A53):1600 MHz CPU1(A53):1600 MHz CPU2(A53):1600 MHz
CPU3(A53):1600 MHz
Bus: 400 MHz DDR: 1600 MT/s FMAN: 500 MHz
Reset Configuration Word (RCW):
00000000: 08100010 0a000000 00000000 00000000
00000010: 14550002 80004012 60640000 c1002000
00000020: 00000000 00000000 00000000 00038800
00000030: 00000000 00001100 00000096 00000001
Model: LS1043A RDB Board
Board: LS1043ARDB, boot from SD
CPLD: V2.0
PCBA: V6.0
SERDES Reference Clocks:
SD1_CLK1 = 156.25MHZ, SD1_CLK2 = 100.00MHZ
DRAM: 1.9 GiB (DDR4, 32-bit, CL=11, ECC off)
Using SERDES1 Protocol: 5205 (0x1455)
SEC0: RNG instantiated
FSL_SDHC: 0

MMC read: dev # 0, block # 18944, count 128 ...
Firmware 'Microcode version 0.0.1 for LS1021a r1.0' for 1021 V1.0
QE: uploading microcode 'Microcode for LS1021a r1.0' version 0.0.1
Flash: 128 MiB
NAND: 512 MiB
MMC: EEPROM: NXID v1
In: serial
Out: serial
Err: serial
Net:
MMC read: dev # 0, block # 18432, count 128 ...
Fman1: Uploading microcode version 106.4.18
PHY reset timed out
PCIe0: pcie@3400000 disabled
PCIe1: pcie@3500000 Root Complex: no link
PCIe2: pcie@3600000 Root Complex: no link
FM1@DTSEC1, FM1@DTSEC2, FM1@DTSEC3 [PRIME], FM1@DTSEC4, FM1@DTSEC5, FM1@DTSEC6, FM1@TGEC1
switch to partitions #0, OK
mmc0 is current device
Scanning mmc 0:1...
Scanning mmc 0:2...
Found U-Boot script /ls1043ardb_boot.scr
965 bytes read in 12 ms (78.1 KiB/s)
ERROR :: 4 :: Wrong barker code in header
SEC_MON state transitioning to Soft Fail.
SEC_MON state transitioning to Non Secure.
Generating reset request
resetting ...

There are three things I am confused about:

I placed the secure boot headers in partition 2, as described in the LSDK memory layout. Is this enough for the secure boot process to verify the boot script?
The LSDK memory layout also points out 0x3000 is where the secure boot headers are placed. How do I place the secure boot headers here? Do I need to concatenate all the secure boot headers into one binary? If yes, in what order? Or does order not matter?
Is there additional step required for signing the bootscript that I am missing?

aismail102 · ‎01-21-2021

The cause of this error is a missing secure boot header for the boot script. I discovered in the u-boot source (header file with boot configuration) defines the name of the boot script and the boot script secure boot header. The bootloader scans the mmc for the boot script file and loads into RAM into a location defined by the u-boot source. The bootloader then scans for the boot script secure boot header and verifies the boot script. With this realization, I placed the boot script secure header in the same partition as the boot script. The bootloader was able to execute boot script after verification.

Also, I would like to add all of this effort was completed using the Yocto project, which was painful at times. The LSDK Yocto User Guide explains how to build the secure boot components, however, it required time to investigate how the recipes create the secure boot image. There is a script that creates the secure boot image that likely needs some work to accommodate fuse provisioning and placing the boot script header in its proper place. I even had issues installing the secure boot firmware image onto a SD card.

View solution in original post

aismail102 · ‎01-21-2021

The cause of this error is a missing secure boot header for the boot script. I discovered in the u-boot source (header file with boot configuration) defines the name of the boot script and the boot script secure boot header. The bootloader scans the mmc for the boot script file and loads into RAM into a location defined by the u-boot source. The bootloader then scans for the boot script secure boot header and verifies the boot script. With this realization, I placed the boot script secure header in the same partition as the boot script. The bootloader was able to execute boot script after verification.

Also, I would like to add all of this effort was completed using the Yocto project, which was painful at times. The LSDK Yocto User Guide explains how to build the secure boot components, however, it required time to investigate how the recipes create the secure boot image. There is a script that creates the secure boot image that likely needs some work to accommodate fuse provisioning and placing the boot script header in its proper place. I even had issues installing the secure boot firmware image onto a SD card.

carloswei · ‎04-24-2023

Marked