- NXP Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- Vigiles
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
-
- Home
- :
- QorIQ Processing Platforms
- :
- QorIQ
- :
- Re: LS1043ARDB Secure Boot Yocto
LS1043ARDB Secure Boot Yocto
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Objective : Bring-up a stock image via secure boot
Hardware : LS1043ARDB
Image : LS1043ARDB Stock Image
Build Tool : Yocto
Details : I have been able to successfully bring-up the bootloader securely by doing the following:
- Followed instructions in section 5.4 in LDSDUG for Yocto to create the secure boot image firmware
- Wrote the secure boot firmware to an SD on block 8
- Partitioned the SD card with 4 partitions (Partition 2 is boot and Partition 4 is root)
- Placed the boot script, secboot_hdrs, device tree, and kernel (.bin) image in partition 2
- Place SD onto the dev board and run
- Write OTPK and SRKH registers via CCS
- Exit hold off
Results: The bootloader comes up, detects a boot script and fails to verify the bootscript (Error 4). See below for the actual output:
NOTICE: Fixed DDR on board
NOTICE: 2 GB DDR4, 32-bit, CL=11, ECC off
NOTICE: BL2: v1.5(release):LSDK-20.04-update-290520
NOTICE: BL2: Built : 13:52:31, May 18 2020
NOTICE: INITIALIZING SEC
NOTICE: Verifying RSA
NOTICE: Verifying hash
NOTICE: Verifying RSA
NOTICE: Verifying hash
NOTICE: BL31: v1.5(release):LSDK-20.04-update-290520
NOTICE: BL31: Built : 13:52:31, May 18 2020
NOTICE: Welcome to LS1043 BL31 Phase
U-Boot 2019.10+fsl+g1e55b2f9e7 (May 26 2020 - 06:54:57 +0000)
SoC: LS1043AE Rev1.1 (0x87920011)
Clock Configuration:
CPU0(A53):1600 MHz CPU1(A53):1600 MHz CPU2(A53):1600 MHz
CPU3(A53):1600 MHz
Bus: 400 MHz DDR: 1600 MT/s FMAN: 500 MHz
Reset Configuration Word (RCW):
00000000: 08100010 0a000000 00000000 00000000
00000010: 14550002 80004012 60640000 c1002000
00000020: 00000000 00000000 00000000 00038800
00000030: 00000000 00001100 00000096 00000001
Model: LS1043A RDB Board
Board: LS1043ARDB, boot from SD
CPLD: V2.0
PCBA: V6.0
SERDES Reference Clocks:
SD1_CLK1 = 156.25MHZ, SD1_CLK2 = 100.00MHZ
DRAM: 1.9 GiB (DDR4, 32-bit, CL=11, ECC off)
Using SERDES1 Protocol: 5205 (0x1455)
SEC0: RNG instantiated
FSL_SDHC: 0
MMC read: dev # 0, block # 18944, count 128 ...
Firmware 'Microcode version 0.0.1 for LS1021a r1.0' for 1021 V1.0
QE: uploading microcode 'Microcode for LS1021a r1.0' version 0.0.1
Flash: 128 MiB
NAND: 512 MiB
MMC: EEPROM: NXID v1
In: serial
Out: serial
Err: serial
Net:
MMC read: dev # 0, block # 18432, count 128 ...
Fman1: Uploading microcode version 106.4.18
PHY reset timed out
PCIe0: pcie@3400000 disabled
PCIe1: pcie@3500000 Root Complex: no link
PCIe2: pcie@3600000 Root Complex: no link
FM1@DTSEC1, FM1@DTSEC2, FM1@DTSEC3 [PRIME], FM1@DTSEC4, FM1@DTSEC5, FM1@DTSEC6, FM1@TGEC1
switch to partitions #0, OK
mmc0 is current device
Scanning mmc 0:1...
Scanning mmc 0:2...
Found U-Boot script /ls1043ardb_boot.scr
965 bytes read in 12 ms (78.1 KiB/s)
ERROR :: 4 :: Wrong barker code in header
SEC_MON state transitioning to Soft Fail.
SEC_MON state transitioning to Non Secure.
Generating reset request
resetting ...
There are three things I am confused about:
- I placed the secure boot headers in partition 2, as described in the LSDK memory layout. Is this enough for the secure boot process to verify the boot script?
- The LSDK memory layout also points out 0x3000 is where the secure boot headers are placed. How do I place the secure boot headers here? Do I need to concatenate all the secure boot headers into one binary? If yes, in what order? Or does order not matter?
- Is there additional step required for signing the bootscript that I am missing?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The cause of this error is a missing secure boot header for the boot script. I discovered in the u-boot source (header file with boot configuration) defines the name of the boot script and the boot script secure boot header. The bootloader scans the mmc for the boot script file and loads into RAM into a location defined by the u-boot source. The bootloader then scans for the boot script secure boot header and verifies the boot script. With this realization, I placed the boot script secure header in the same partition as the boot script. The bootloader was able to execute boot script after verification.
Also, I would like to add all of this effort was completed using the Yocto project, which was painful at times. The LSDK Yocto User Guide explains how to build the secure boot components, however, it required time to investigate how the recipes create the secure boot image. There is a script that creates the secure boot image that likely needs some work to accommodate fuse provisioning and placing the boot script header in its proper place. I even had issues installing the secure boot firmware image onto a SD card.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The cause of this error is a missing secure boot header for the boot script. I discovered in the u-boot source (header file with boot configuration) defines the name of the boot script and the boot script secure boot header. The bootloader scans the mmc for the boot script file and loads into RAM into a location defined by the u-boot source. The bootloader then scans for the boot script secure boot header and verifies the boot script. With this realization, I placed the boot script secure header in the same partition as the boot script. The bootloader was able to execute boot script after verification.
Also, I would like to add all of this effort was completed using the Yocto project, which was painful at times. The LSDK Yocto User Guide explains how to build the secure boot components, however, it required time to investigate how the recipes create the secure boot image. There is a script that creates the secure boot image that likely needs some work to accommodate fuse provisioning and placing the boot script header in its proper place. I even had issues installing the secure boot firmware image onto a SD card.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
