Hello,
I’m working on BSP 43 and currently enabling Verified Boot via local.conf to perform kernel image verification.
However, when I attempt to load an external U-Boot script via TFTP ("tftp <filename>"), the file gets loaded into the loadaddr, and then when I execute it through "source ${loadaddr}",
I encounter an error: Wrong image for source command.
When the same steps are followed without verified-boot, it executes successfully.
Any insights or suggestions on this would be appreciated.
Hi @Jayashree
Thanks for your post
Please help me by giving more information about your setup.
Could you share if you are using S32G2 or S32G3?
Is the image you are building for SD or QSPI?
Which version of HSE are you using?
Hello,
Here are the answers to your questions:
Are you using S32G2 or S32G3?
→ S32G3
Is the image built for SD or QSPI?
→ SD
Which version of HSE are you using?
→ The version of HSE doesn't significantly impact this issue, but I'm using HSE FW 0.2.51.
Observations from the past few days:
The “Wrong image format for source command” error originates from source.c.
When Verified Boot is enabled, CONFIG_FIT gets enabled as well. Since my script is not in FIT format, it falls back to the default case.
To work around this, I forced U-Boot to read the script in uImage format, even with Verified Boot enabled.
I also noticed that the verify variable is automatically set to -1, causing the kernel image and DTB to boot without verification.
When I stopped at U-Boot and manually set verify=yes, the verification step did take place, and the image booted as expected.
However, when I attempted to patch the verify variable to automate this flow, I encountered an error.
I would appreciate your guidance on how to correctly automate this behavior within the U-Boot flow.
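Added example, not part of the thread or of U-Boot's own code: a host-side Python check of which container a script file uses before it is served over TFTP, matching the format dispatch in source.c described in the post above. The header layout, magic numbers and script type value are those of mainline U-Boot's legacy image format and are assumed to apply to this BSP; `classify` and `make_legacy_script` are hypothetical names and the sample image is constructed.

```python
import struct
import zlib

IH_MAGIC = 0x27051956        # legacy uImage magic
FDT_MAGIC = 0xD00DFEED       # device tree magic; a FIT image is an FDT blob
IH_TYPE_SCRIPT = 6           # legacy type written by "mkimage -T script"
HDR = struct.Struct(">7I4B32s")   # 64-byte big-endian legacy header


def classify(blob):
    """Return (format, detail) for a file that would be loaded at ${loadaddr}."""
    if len(blob) < 4:
        return ("unknown", "too short")
    magic = struct.unpack(">I", blob[:4])[0]
    if magic == FDT_MAGIC:
        return ("fit", "FDT magic: FIT container")
    if magic != IH_MAGIC or len(blob) < HDR.size:
        return ("unknown", "raw text or unsupported format")
    (_, hcrc, _, size, _, _, dcrc, _, _, itype, _, _) = HDR.unpack(blob[:HDR.size])
    # The header CRC is computed with the ih_hcrc field zeroed.
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:HDR.size]
    if zlib.crc32(zeroed) != hcrc:
        return ("legacy", "bad header CRC")
    data = blob[HDR.size:HDR.size + size]
    if len(data) != size or zlib.crc32(data) != dcrc:
        return ("legacy", "bad data CRC")
    if itype != IH_TYPE_SCRIPT:
        return ("legacy", "not a script image (type %d)" % itype)
    return ("legacy", "script, CRC only, no signature")


def make_legacy_script(text):
    """Build a constructed legacy script image (sample input for the demo)."""
    body = text.encode()
    # Script payload: length table (one entry, zero terminator), then the text.
    data = struct.pack(">II", len(body), 0) + body
    fields = [IH_MAGIC, 0, 0, len(data), 0, 0, zlib.crc32(data)]
    # OS and arch bytes (5, 22) are sample values; classify() does not check them.
    hdr = HDR.pack(*fields, 5, 22, IH_TYPE_SCRIPT, 0, b"demo script")
    return hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:] + data


if __name__ == "__main__":
    print(classify(make_legacy_script("echo hello\n")))   # constructed sample
    print(classify(b"echo hello\n"))                      # plain text script
    print(classify(b"\xd0\x0d\xfe\xed" + b"\0" * 36))      # FDT magic only
```

A legacy script image carries only CRC32 checksums, so a script accepted in that format is checked for corruption but not authenticated by Verified Boot.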
Hi @Jayashree
Apologies for the late reply.
Could you please confirm that you are adding DISTRO_FEATURES:append = " verifiedboot" to your conf/local.conf file in the Yocto build directory?
I'm working to replicate the issue at my end.
I'm happy to share that I’ve identified the issue.
Yes, I am adding
DISTRO_FEATURES:append = " verifiedboot"
to the conf/local.conf file in the Yocto build directory.
The problem was that the verify variable was getting set to -1, which caused the kernel and DTB to load without verification. I’ve created a patch to set verify=yes and perform a reset, and with this change everything is now working as expected.
Thanks for sharing your resolution of the issue!