Hello,
I have been working on getting secure boot working with a p4080ds and U-Boot, and I seem to be having issues with the validation of my image. The steps are like this:
1. Use the SDK 2.0 cst to generate keys.
./gen_keys 2048
This generates srk.pub and srk.pri.
2. Generate the csf header file with input_uboot_secure.
Copy <SDK folder>/build_p4080ds/tmp/deploy/images/p4080ds/u-boot-secure-boot-2016.01+fslgit-r0.bin to the cst folder.
ln -sf u-boot-secure-boot-2016.01+fslgit-r0.bin u-boot.bin
./uni_sign input_files/uni_sign/p3_p4_p5/input_uboot_secure
This generates hdr_uboot.out and the key hash 034d229fc108433e5e2da56d1842a39eb42bf90add643f7a7219e546698c67a7
3. Generate otpmk
./gen_otpmk_drbg 1
OTPMK[255:0] is:
f26e5dbcea6d99fcdbf6d81caed1a720180c342c7ccf1acfc93b4fa24922dbb4
NAME | BITS | VALUE
_________|______________|____________
OTPMKR 0 | 31- 0 | 4922dbb4
OTPMKR 1 | 63- 32 | c93b4fa2
OTPMKR 2 | 95- 64 | 7ccf1acf
OTPMKR 3 | 127- 96 | 180c342c
OTPMKR 4 | 159-128 | aed1a720
OTPMKR 5 | 191-160 | dbf6d81c
OTPMKR 6 | 223-192 | ea6d99fc
OTPMKR 7 | 255-224 | f26e5dbc
4. Load the u-boot-secure-boot-2016.01+fslgit-r0.bin and rcw_13g_sben_1500mhz_rev2.bin to the board.
u-boot-secure-boot-2016.01+fslgit-r0.bin in folder <SDK folder>/build_p4080ds/tmp/deploy/images/p4080ds/
rcw_13g_sben_1500mhz_rev2.bin in folder
<SDK folder>/build_p4080ds/tmp/deploy/images/p4080ds/rcw/p4080ds/R_PPSXN_0x10
commands like this:
load u-boot:
tftp 100000 u-boot.bin
erase ebf40000 +c0000
cp.b 100000 ebf40000 c0000
load csf_header:
tftp 100000 hdr_uboot.out
erase ebf20000 +500
cp.b 100000 ebf20000 500
load rcw:
tftp 1000000 rcw_13g_sben_1500mhz_rev2.bin
erase ec000000 +150
cp.b 1000000 ec000000 150
5. Write the public key hash at address fe0e807c
mm fe0e807c
SFP SRKHR0 = 034d229f
SFP SRKHR1 = c108433e
SFP SRKHR2 = 5e2da56d
SFP SRKHR3 = 1842a39e
SFP SRKHR4 = b42bf90a
SFP SRKHR5 = dd643f7a
SFP SRKHR6 = 7219e546
SFP SRKHR7 = 698c67a7
6. Write otpmk
mm fe0e807c
OTPMKR 0 | 31- 0 | 4922dbb4
OTPMKR 1 | 63- 32 | c93b4fa2
OTPMKR 2 | 95- 64 | 7ccf1acf
OTPMKR 3 | 127- 96 | 180c342c
OTPMKR 4 | 159-128 | aed1a720
OTPMKR 5 | 191-160 | dbf6d81c
OTPMKR 6 | 223-192 | ea6d99fc
OTPMKR 7 | 255-224 | f26e5dbc
This operation failed; md fe0e807c shows all values as 0.
7. Set SW7[2] and boot this u-boot.
Nothing is output.
Attached are my rcw configuration and input_uboot_secure.
Please tell me what is wrong with this. Thank you very much.
Best Regards.
Original Attachment has been moved to: rcw_13g_sben_1500mhz_rev2.rcw.zip
Original Attachment has been moved to: input_uboot_secure.zip
Hello Yi Li,
I found some problems in the above description.
1. ESBC u-boot header deployment address is not correct, it should be "ECB00000" for the alternate bank.
Please refer to SDK 2.0 document QorIQ SDK 2.0 Documentation->Boot Loaders->U-Boot->Secure Boot->PBL Based Platforms->Address Map used for demo from infocenter Submit Form.
2. You need to modify the default RCW for secure boot: please enable the RCW[SB_EN] bit and add the following PBI commands.
#LAW for ESBC
09000cd0 00000000
09138000 00000000 (Flush command)
09000cd4 c0000000
09138000 00000000 (Flush command)
09000cd8 81f0001d
09138000 00000000 (Flush command)
# Scratch Register
090e0200 c0b00000
You could use QCVS tool to generate the PBL file or use "rcw" package provided in QorIQ Linux SDK with the following bitbake commands.
$bitbake rcw -c cleansstate
$bitbake rcw -c patch
Go to the source folder build_p4080ds/tmp/work/p4080ds-fsl-linux/rcw/git-r0/git to do modification for secure boot.
$bitbake rcw
3. Please refer to the following commands to write the SRKHR registers.
ccs::write_mem 0 0xfe0e807c 4 0 0x3b506e83
ccs::write_mem 0 0xfe0e8080 4 0 0x3ed21c97
ccs::write_mem 0 0xfe0e8084 4 0 0x9fd090e8
ccs::write_mem 0 0xfe0e8088 4 0 0x95f59446
ccs::write_mem 0 0xfe0e808c 4 0 0xddef3d09
ccs::write_mem 0 0xfe0e8090 4 0 0x38defd62
ccs::write_mem 0 0xfe0e8094 4 0 0x9ae2a9be
ccs::write_mem 0 0xfe0e8098 4 0 0x654e2b2f
ccs::write_mem 0 0xfe0e809c 4 0 0x99999999 (OEM UID)
ccs::write_mem 0 0xfe0e00e4 4 0 0x00000001 (FSL UID)
The OTPMK registers address should be E_805C
During the design stage, we suggest that users write the public key hash value to the shadow registers rather than writing it to the fuse array permanently. It means that after reset these shadow register values will be reset to 0.
So you could use this method to deploy required images to bank 4 at bank0 and write SRKHR register values, then use u-boot command "pixis_reset altbank" to switch to bank4 from bank0.
4. If your problem remains, please refer to the step by step troubleshooting to find the cause of your problem.
Please refer to SDK 2.0 document U-BOOT->Secure Boot->PBL Based Platforms->Troubleshooting.
Have a great day,
Yiping
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
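The register layout discussed in the question and in this reply, as an added example that is not part of the thread or of the vendor tools: it splits the 256-bit key hash and OTPMK into the 32-bit words each register takes and renders them in the ccs::write_mem form quoted above. Reading "E_805C" as an offset from a CCSRBAR of 0xfe000000 is an assumption, and the helper names are illustrative.

```python
import re

# Values quoted in the thread (uni_sign key hash, gen_otpmk_drbg output).
KEY_HASH = "034d229fc108433e5e2da56d1842a39eb42bf90add643f7a7219e546698c67a7"
OTPMK = "f26e5dbcea6d99fcdbf6d81caed1a720180c342c7ccf1acfc93b4fa24922dbb4"
SRKHR0_ADDR = 0xFE0E807C  # from the thread: first SRKHR shadow register
# Assumption: "E_805C" is an offset from CCSRBAR 0xfe000000.
OTPMKR0_ADDR = 0xFE0E805C


def split_words(hex256):
    """Split a 256-bit hex string into eight 32-bit words, first word first."""
    digest = hex256.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ValueError("expected exactly 64 hex digits (256 bits)")
    return [int(digest[i:i + 8], 16) for i in range(0, 64, 8)]


def reg_map(base, words):
    """Assign consecutive 32-bit registers starting at base."""
    return {base + 4 * i: w for i, w in enumerate(words)}


def srkhr_map(key_hash):
    """SRKHR0 takes the first word of the hash, as in step 5 of the question."""
    return reg_map(SRKHR0_ADDR, split_words(key_hash))


def otpmkr_map(otpmk, base=OTPMKR0_ADDR):
    """OTPMKR0 holds bits 31-0, so OTPMK[255:0] is laid out last word first."""
    return reg_map(base, reversed(split_words(otpmk)))


def overlapping(map_a, map_b):
    """Addresses present in both maps: one write would clobber the other."""
    return sorted(set(map_a) & set(map_b))


def ccs_commands(regs):
    """Render register writes in the ccs::write_mem form used in the reply."""
    return ["ccs::write_mem 0 0x%08x 4 0 0x%08x" % (a, v)
            for a, v in sorted(regs.items())]


if __name__ == "__main__":
    srk, otp = srkhr_map(KEY_HASH), otpmkr_map(OTPMK)
    print("\n".join(ccs_commands({**otp, **srk})))
    clash = overlapping(srk, otpmkr_map(OTPMK, base=SRKHR0_ADDR))
    print("registers clobbered if OTPMK is written at SRKHR0:", len(clash))
```

With these addresses the eight OTPMKR words end at 0xfe0e8078, directly below SRKHR0, so the two sets of writes do not overlap.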
Hi Yiping,
Are you in China or Hong Kong? Could you please let us communicate with you directly?
Hi Yiping,
According to your information, we have made the new image and header files, but the u-boot cannot boot up. The error message is below. We don't know how to generate the sg_table, here is
>RUN>dml 0xfe0e0204
0FE0E0204: 00001000 00000000 00000000 00000000 ................
0FE0E0214: 00000000 00000000 00000000 00000000 ................
0x1000 | ESBC_HEADER_SG_ENTRIES_NOT_IN_3_5G | Address in SG entry is not in 3.5G |
Could you please tell us how to generate sg_table.out and how to set the SG_TABLE_ADDR and the
OUTPUT_SG_BIN? Thank you very much.
/* Copyright (c) 2013 Freescale Semiconductor, Inc.
* All rights reserved.
*/
---------------------------------------------------
# Specify the platform. [Mandatory]
# Choose Platform - 1010/1040/2041/3041/4080/5020/5040/9131/9132/9164/4240/C290
PLATFORM=4080
# ESBC Flag. Specify ESBC=0 to sign u-boot and ESBC=1 to sign ESBC images.(default is 0)
ESBC=0
---------------------------------------------------
# Entry Point/Image start address field in the header.[Mandatory]
# (default=ADDRESS of first file specified in images)
ENTRY_POINT=cffffffc
---------------------------------------------------
# Specify the file name of the keys seperated by comma.
# The number of files and key select should lie between 1 and 4 for 1040 and C290.
# For rest of the platforms only one key is required and key select should not be provided.
# USAGE (for 4080/5020/5040/3041/2041/1010/913x): PRI_KEY = <key1.pri>
# USAGE (for 1040/C290/9164/4240): PRI_KEY = <key1.pri>, <key2.pri>, <key3.pri>, <key4.pri>
# PRI_KEY (Default private key :srk.pri) - [Optional]
PRI_KEY=srk.pri
# PUB_KEY (Default public key :srk.pub) - [Optional]
PUB_KEY=srk.pub
# Please provide KEY_SELECT(between 1 to 4) (Required for 1040/C290/9164/4240 only) - [Optional]
KEY_SELECT=
---------------------------------------------------
# Specify SG table address, only for (2041/3041/4080/5020/5040) with ESBC=0 - [Optional]
SG_TABLE_ADDR=
---------------------------------------------------
# Specify the target where image will be loaded. (Default is NOR_16B) - [Optional]
# Only required for Non-PBL Devices (1010/1040/9131/9132i/C290)
# Select from - NOR_8B/NOR_16B/NAND_8B_512/NAND_8B_2K/NAND_8B_4K/NAND_16B_512/NAND_16B_2K/NAND_16B_4K/SD/MMC/SPI
IMAGE_TARGET=
---------------------------------------------------
# Specify IMAGE, Max 8 images are possible. DST_ADDR is required only for Non-PBL Platform. [Mandatory]
# USAGE : IMAGE_NO = {IMAGE_NAME, SRC_ADDR, DST_ADDR}
IMAGE_1={u-boot.bin,eff40000,efffffff}
IMAGE_2={,,}
IMAGE_3={,,}
IMAGE_4={,,}
IMAGE_5={,,}
IMAGE_6={,,}
IMAGE_7={,,}
IMAGE_8={,,}
---------------------------------------------------
# Specify OEM AND FSL ID to be populated in header. [Optional]
# e.g FSL_UID=11111111
FSL_UID=00000001
OEM_UID=99999999
---------------------------------------------------
# Specify the file names of csf header and sg table. (Default :hdr.out) [Optional]
OUTPUT_HDR_FILENAME=hdr_uboot.out
# Specify the file names of hash file and sign file.
HASH_FILENAME=img_hash.out
INPUT_SIGN_FILENAME=sign.out
# Specify the signature size.It is mandatory when neither public key nor private key is specified.
# Signature size would be [0x80 for 1k key, 0x100 for 2k key, and 0x200 for 4k key].
SIGN_SIZE=0x100
---------------------------------------------------
# Specify the output file name of sg table. (Default :sg_table.out). [Optional]
# Please note that OUTPUT SG BIN is only required for 2041/3041/4080/5020/5040 when ESBC flag is not set.
OUTPUT_SG_BIN=
---------------------------------------------------
# Following fields are Required for 4240/9164/1040/C290 only
# Specify House keeping Area
# Required for 42409164/1040/C290 only when ESBC flag is not set. [Mandatory]
HK_AREA_POINTER=
HK_AREA_SIZE=
---------------------------------------------------
# Following field Required for 4240/9164/1040/C290 only
# Specify Secondary Image Flag. (0 or 1) - [Optional]
# (Default is 0)
SEC_IMAGE=
---------------------------------------------------
Hello Yi Li,
There is a problem in the input file used to sign the u-boot image. Please use the file input_files/uni_sign/p3_p4_p5/input_uboot_secure provided in the cst package in SDK 2.0. I have attached it for you; just use it directly without modification.
Create entries for the SG table in the format { IMAGE_NAME, SRC_ADDR, DST_ADDR }
In the SDK 2.0 build environment, you could use the "bitbake cst -c patch -f" command to get the source folder in build_p4080ds/tmp/work/ppce500mc-fsl-linux/cst/git-r0/git/.
Have a great day,
Yiping