M7 boot with secure boot feature enabled on RDB3 SDK BSP43

hittzt
Senior Contributor I

Hi,

 

I noticed that SDK BSP43 has been released, and I am testing M7 boot with secure boot enabled on RDB3 v1.1 silicon, but the board failed to boot after executing the hse-secboot command and rebooting. The command is the following:

hse-secboot -s -d /dev/mmcblk0 -b sd --bl2_bin bl2_w_dtb.bin --bl2_key /etc/keys/secboot/bl2_rsa2048_public.pem /etc/keys/secboot/bl2_rsa2048_public.pem --bl31_key -:0x010700 --bl33_key -:0x010700 --bl2_sign bl2-signature.bin

 

The HSE firmware version is 0.2.51.0 for Gen3 v1.1 SOC, so would you please tell me how to test this case? Are there any other settings or configurations?

 

Thanks,

Zhantao

1 Solution
chenyin_h
NXP Employee

Hello, @hittzt 

Thanks for the reply.

Yes, from my understanding, the secure boot example shown in the BSP UM is for the default settings.

 

BR

Chenyin

7 Replies
chenyin_h
NXP Employee

Hello, @hittzt 

Thanks for your confirmation.

I tested it without m7boot added to local.conf, and there seem to be no issues. The possible reason for the issue you met seems to be a secure boot verification failure.

When you add m7boot to local.conf, a small M7 bootloader is appended, and the boot image could be changed to bl2_w_dtb.s32-sdcard.m7 instead of the original one. But when booted to Linux, while enabling secure boot, the command is like:

hse-secboot -s -d /dev/mmcblk0 --bl2_key /etc/keys/secboot/bl2_rsa2048_public.pem --bl31_key -:0x010700 --bl33_key -:0x010700 --bl2_sign /etc/keys/secboot/bl2-signature.bin-sdcard --bl2_bin /etc/keys/secboot/bl2_w_dtb.bin-sdcard

Which does not match the boot image specified.

From my understanding, the default secboot operation steps are only a reference for the default settings; if some additional configurations are added, there may be issues.

 

BR

Chenyin

hittzt
Senior Contributor I

Hi @chenyin_h,

 

Thanks for your reply.

It is reasonable that the default command: “hse-secboot -s -d /dev/mmcblk0 --bl2_key /etc/keys/secboot/bl2_rsa2048_public.pem --bl31_key -:0x010700 --bl33_key -:0x010700 --bl2_sign /etc/keys/secboot/bl2-signature.bin-sdcard --bl2_bin /etc/keys/secboot/bl2_w_dtb.bin-sdcard” is only for normal secure boot, not for the M7 case.

So that is to say we cannot enable M7 and secure boot at the same time currently, or else the issue will show, right?

 

Thanks,

Zhantao

 

chenyin_h
NXP Employee

Thanks, @hittzt 

I have checked the log and do not see M7 bootloader information. Which version of the M7 bootloader is used? Are any applications running on the M7 side?

And, may I know if you have tested it with A53 standalone boot without M7 involved? I just tested it only with BSP, and found no issues on my local RDB3.

 

BR

Chenyin

hittzt
Senior Contributor I

Hi @chenyin_h,

 

I followed the steps in SDK BSP43 user manual section "3.1.6 Building Images with M7 as Boot Target" to test the M7 boot, and there seem to be no other commands or settings when booting the board with the output image.

For this test, I just added the following lines in the project's conf/local.conf:

DISTRO_FEATURES:append = " m7boot secboot"
NXP_FIRMWARE_LOCAL_DIR = "<0.2.51.0 hse firmware path>"

And then I used the output image "fsl-image-auto-s32g399ardb3.sdcard" to boot up the board and test as the log shows.

If I missed something, please tell me.

 

Thanks,

Zhantao

chenyin_h
NXP Employee

Hello, @hittzt 

Thanks for your post.

Would you mind testing it with the following command on your board to check if it is correct?

"/etc/keys/secboot/secboot_script.sh sd /dev/mmcblk0  /etc/keys/secboot/bl2_w_dtb.bin-sdcard /etc/keys/secboot/bl2-signature.bin-sdcard"

 

BR

Chenyin

 

hittzt
Senior Contributor I

Yes, I tested it using the command in the reference manual:

/etc/keys/secboot/secboot_script.sh sd /dev/mmcblk0 \
> /etc/keys/secboot/bl2_w_dtb.bin-sdcard \
> /etc/keys/secboot/bl2-signature.bin-sdcard

 

And the whole test log is attached.

 

Thanks,

Zhantao
