Cannot read certificate data, secure boot on IMX8MP


1,029 views
MatejI
Contributor I

Hello,

I have a simple question about generating keys and hashes for efuses on IMX8MP. I followed the instructions in CST_UG.pdf and ran ./hab4_pki_tree.sh with default settings based on Figure 12. Then, I followed with:

../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_2048_65537_v3_ca_crt.pem,./SRK2_sha256_2048_65537_v3_ca_crt.pem,./SRK3_sha256_2048_65537_v3_ca_crt.pem,./SRK4_sha256_2048_65537_v3_ca_crt.pem -f 1

However, I got this error: [ERROR] SRKTOOL: Error! Failed to read certificate data from ./SRK1_sha256_2048_65537_v3_ca_crt.pem

 

In the crts folder, I got only CA1_sha256_2048_65537_v3_ca_crt.pem and SRK1_sha256_2048_65537_v3_usr_crt.pem, not SRK3_sha256_2048_65537_v3_ca_crt.pem. What am I missing?

 

Thank you.

 

Matej I.

3 Replies

999 views
Harvey021
NXP TechSupport

Hi,

Please try the command line below; then there should be no such error. The Figure 12 that you refer to should be the number of SRK with 1 and CA flag with n.

And the command line for SRK TABLE and SRK fuse generation that you refer to is for SRK with 4 and CA flag with y.

../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_usr_crt.pem -f 1

I would suggest selecting 4 for the number of SRK and CA flag with y.

 

Regards

Harvey


978 views
MatejI
Contributor I

So if I understand, first I call:

````
./hab4_pki_tree.sh
````

with rsa, 2048, and 4 keys. Then I switch to ../crts folder and run:

````
../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_usr_crt.pem,SRK2_sha256_2048_65537_v3_usr_crt.pem,SRK3_sha256_2048_65537_v3_usr_crt.pem,SRK4_sha256_2048_65537_v3_usr_crt.pem -f 1
````

which generates the fuse table. Then I use the Yocto build from Toradex (IMX8MP with Mallow board, tdx-reference-multimedia image). I am referring to this: https://github.com/toradex/meta-toradex-security/blob/kirkstone-6.x.y/docs/README-secure-boot-imx.md...

No more keys have to be added or generated, right? Now I build the Yocto image and, in the U-Boot console, I fuse the keys, e.g., like this:

````
fuse prog -y 6 0 0x8AE322B2
fuse prog -y 6 1 0xDF2939A3
fuse prog -y 6 2 0x9DA80323
fuse prog -y 6 3 0x3B024EF2
fuse prog -y 7 0 0xA53091
fuse prog -y 7 1 0x55304E7A
fuse prog -y 7 2 0xFB8FF259
fuse prog -y 7 3 0x9CE57582
````

Right now, the build fails, but it may be due to the Yocto configuration. Is the process of generating keys for fusing correct?

 

Thank you.

 

Best regards

Matej I.


960 views
Harvey021
NXP TechSupport

Yes, it's usually not necessary to add more. The process of generating keys for fusing is correct.

For the build issue, please raise a case with Toradex if you need further assistance.

 

Regards

Harvey

 

 

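The two helpers below are an added example, not part of the original thread and not NXP's tooling: a pre-flight for the srktool and fusing steps discussed above. `srk_cert_list` builds the `-c` argument only from certificates that actually exist (the `_ca_crt.pem` / `_usr_crt.pem` mismatch behind the error in the first post), and `srk_fuse_cmds` turns the 32-byte fuse file into `fuse prog` lines. The function names and the little-endian word layout of the fuse file are assumptions.

```shell
#!/bin/sh
# Added example, not NXP's code. Assumes the certificate naming seen in this
# thread (SRK<n>_sha256_2048_65537_v3_{ca,usr}_crt.pem) and a fuse file of
# eight 32-bit little-endian words (banks 6 and 7, words 0-3, as fused above).

# Print the srktool -c list for SRK1..SRK$2 found in directory $1.
# Fails when a certificate is missing or ca/usr certificates are mixed.
srk_cert_list() {
    dir=$1; count=$2; kind=""; list=""; i=1
    while [ "$i" -le "$count" ]; do
        base="$dir/SRK${i}_sha256_2048_65537_v3"
        if [ -f "${base}_ca_crt.pem" ]; then
            found=ca
        elif [ -f "${base}_usr_crt.pem" ]; then
            found=usr
        else
            echo "no certificate for SRK$i in $dir" >&2
            return 1
        fi
        : "${kind:=$found}"          # first SRK decides the expected type
        if [ "$found" != "$kind" ]; then
            echo "SRK$i is '$found' but SRK1 is '$kind'" >&2
            return 1
        fi
        list="${list:+$list,}${base}_${found}_crt.pem"
        i=$((i + 1))
    done
    printf '%s\n' "$list"
}

# Print the U-Boot fuse commands for the 32-byte SRK hash file $1.
srk_fuse_cmds() {
    size=$(($(wc -c < "$1")))
    if [ "$size" -ne 32 ]; then
        echo "$1 is $size bytes, expected 32" >&2
        return 1
    fi
    # Dump single bytes, then reassemble each word little-endian in awk.
    od -An -v -tx1 "$1" | awk '
        { for (i = 1; i <= NF; i++) b[n++] = toupper($i) }
        END { for (w = 0; w < 8; w++)
                printf "fuse prog -y %d %d 0x%s%s%s%s\n", 6 + int(w / 4),
                       w % 4, b[4*w+3], b[4*w+2], b[4*w+1], b[4*w] }'
}
```

Typical use from the crts folder: `srktool ... -c "$(srk_cert_list . 4)" -f 1`, then compare the output of `srk_fuse_cmds SRK_1_2_3_4_fuse.bin` with the values about to be fused.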