Cannot read certificate data, secure boot on IMX8MP


1,022 views
MatejI
Contributor I

Hello,

I have a simple question about generating keys and hashes for efuses on IMX8MP. I followed the instructions in CST_UG.pdf and ran ./hab4_pki_tree.sh with default settings based on Figure 12. Then, I followed with:

../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_2048_65537_v3_ca_crt.pem,./SRK2_sha256_2048_65537_v3_ca_crt.pem,./SRK3_sha256_2048_65537_v3_ca_crt.pem,./SRK4_sha256_2048_65537_v3_ca_crt.pem -f 1

However, I got this error: [ERROR] SRKTOOL: Error! Failed to read certificate data from ./SRK1_sha256_2048_65537_v3_ca_crt.pem

 

In the crts folder, I got only CA1_sha256_2048_65537_v3_ca_crt.pem and SRK1_sha256_2048_65537_v3_usr_crt.pem, not SRK3_sha256_2048_65537_v3_ca_crt.pem. What am I missing?

 

Thank you.

 

Matej I.

3 replies

992 views
Harvey021
NXP TechSupport

Hi,

Please try the command line below; then there should be no such error. The Figure 12 that you refer to should be for the number of SRKs set to 1 and the CA flag set to n.

And the command line for SRK TABLE and SRK fuse generation that you refer to is for the number of SRKs set to 4 and the CA flag set to y.

../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_usr_crt.pem -f 1

I would suggest selecting 4 for the number of SRKs and y for the CA flag.

 

Regards

Harvey


971 views
MatejI
Contributor I

So if I understand, first I call:

````
./hab4_pki_tree.sh
````

with rsa, 2048, and 4 keys. Then I switch to the ../crts folder and run:

````
../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_usr_crt.pem,SRK2_sha256_2048_65537_v3_usr_crt.pem,SRK3_sha256_2048_65537_v3_usr_crt.pem,SRK4_sha256_2048_65537_v3_usr_crt.pem -f 1
````

which generates the fuse table. Then I use the Yocto build from Toradex (IMX8MP with Mallow board, tdx-reference-multimedia image). I am referring to this: https://github.com/toradex/meta-toradex-security/blob/kirkstone-6.x.y/docs/README-secure-boot-imx.md...

No more keys have to be added or generated, right? Now I build Yocto and, in the U-Boot console, I fuse the keys, e.g., like this:

````
fuse prog -y 6 0 0x8AE322B2
fuse prog -y 6 1 0xDF2939A3
fuse prog -y 6 2 0x9DA80323
fuse prog -y 6 3 0x3B024EF2
fuse prog -y 7 0 0xA53091
fuse prog -y 7 1 0x55304E7A
fuse prog -y 7 2 0xFB8FF259
fuse prog -y 7 3 0x9CE57582
````

Right now, the build fails, but it may be due to the Yocto configuration. Is the process of generating keys for fusing correct?

 

Thank you.

 

Best regards

Matej I.


953 views
Harvey021
NXP TechSupport

Yes, it's usually not necessary to add more. The process of generating keys for fusing is correct.

For the build issue, please raise a case with Toradex if you need further assistance.

 

Regards

Harvey
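
Since eFuses can be programmed only once, the `fuse prog` lines in the thread above are worth deriving from the fuse file and comparing with what is about to be typed. This is an added example, not code from the thread or from NXP's tooling. It assumes `SRK_1_2_3_4_fuse.bin` holds the 32-byte SHA-256 digest as eight little-endian 32-bit words mapped to banks 6 and 7, words 0 to 3, as in the commands above; `SAMPLE_BLOB` is constructed from the values quoted in the thread.

```python
import struct

SRK_HASH_LEN = 32      # SHA-256 digest size (srktool -d sha256)
BANKS = (6, 7)         # banks used by the fuse prog commands in the thread
WORDS_PER_BANK = 4

# Constructed sample: the eight words quoted in the thread, packed the way the
# fuse file is assumed to store them (little-endian 32-bit words).
THREAD_WORDS = [0x8AE322B2, 0xDF2939A3, 0x9DA80323, 0x3B024EF2,
                0xA53091, 0x55304E7A, 0xFB8FF259, 0x9CE57582]
SAMPLE_BLOB = struct.pack("<8I", *THREAD_WORDS)


def srk_fuse_words(blob):
    """Split the fuse file into eight 32-bit words (assumed little-endian)."""
    if len(blob) != SRK_HASH_LEN:
        raise ValueError("expected %d bytes, got %d" % (SRK_HASH_LEN, len(blob)))
    return list(struct.unpack("<8I", blob))


def location(i):
    """Map word index 0..7 to (bank, word) as used in the thread."""
    return BANKS[i // WORDS_PER_BANK], i % WORDS_PER_BANK


def fuse_commands(blob):
    """One 'fuse prog' line per word, zero-padded so short words stand out."""
    return ["fuse prog -y %d %d 0x%08X" % (location(i) + (w,))
            for i, w in enumerate(srk_fuse_words(blob))]


def mismatches(blob, typed_lines):
    """Compare hand-typed 'fuse prog' lines with the file; return differences."""
    expected = {location(i): w for i, w in enumerate(srk_fuse_words(blob))}
    problems, seen = [], set()
    for line in typed_lines:
        bank, word, value = line.split()[-3:]
        key, value = (int(bank), int(word)), int(value, 16)
        seen.add(key)
        if key not in expected:
            problems.append("unexpected location bank %d word %d" % key)
        elif expected[key] != value:
            problems.append("bank %d word %d: typed 0x%08X, file has 0x%08X"
                            % (key + (value, expected[key])))
    problems += ["missing bank %d word %d" % k for k in sorted(set(expected) - seen)]
    return problems


if __name__ == "__main__":
    print("\n".join(fuse_commands(SAMPLE_BLOB)))
```

An empty list from `mismatches()` means every typed value agrees with the file; a truncated or regenerated fuse file fails the length check before any command is produced.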

 

 
