Cannot read certificate data, secure boot on IMX8MP


MatejI
Contributor I

Hello,

I have a simple question about generating keys and hashes for efuses on IMX8MP. I followed the instructions in CST_UG.pdf and ran ./hab4_pki_tree.sh with default settings based on Figure 12. Then I followed with:

../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_2048_65537_v3_ca_crt.pem,./SRK2_sha256_2048_65537_v3_ca_crt.pem,./SRK3_sha256_2048_65537_v3_ca_crt.pem,./SRK4_sha256_2048_65537_v3_ca_crt.pem -f 1

However, I got this error: [ERROR] SRKTOOL: Error! Failed to read certificate data from ./SRK1_sha256_2048_65537_v3_ca_crt.pem

 

In the crts folder, I got only CA1_sha256_2048_65537_v3_ca_crt.pem and SRK1_sha256_2048_65537_v3_usr_crt.pem, not SRK3_sha256_2048_65537_v3_ca_crt.pem. What am I missing?

 

Thank you.

 

Matej I.

3 Replies

Harvey021
NXP TechSupport

Hi,

Please try the command line below; then there should be no such error. The Figure 12 that you refer to should be for the number of SRKs set to 1 and the CA flag set to n.

And the command line for SRK table and SRK fuse generation that you refer to is for the number of SRKs set to 4 and the CA flag set to y.

../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_usr_crt.pem -f 1

I would suggest selecting 4 for the number of SRKs and y for the CA flag.

 

Regards

Harvey


MatejI
Contributor I

So if I understand, first I call:

````

./hab4_pki_tree.sh

````

with rsa, 2048, and 4 keys. Then I switch to the ../crts folder and run:

````

../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_usr_crt.pem,SRK2_sha256_2048_65537_v3_usr_crt.pem,SRK3_sha256_2048_65537_v3_usr_crt.pem,SRK4_sha256_2048_65537_v3_usr_crt.pem -f 1

````

which generates the fuse table. Then I use the Yocto build from Toradex (IMX8MP with Mallow board, tdx-reference-multimedia image). I am referring to this: https://github.com/toradex/meta-toradex-security/blob/kirkstone-6.x.y/docs/README-secure-boot-imx.md...

No more keys have to be added or generated, right? Now I build Yocto, and in the U-Boot console I fuse the keys, e.g., like this:

fuse prog -y 6 0 0x8AE322B2
fuse prog -y 6 1 0xDF2939A3
fuse prog -y 6 2 0x9DA80323
fuse prog -y 6 3 0x3B024EF2
fuse prog -y 7 0 0xA53091
fuse prog -y 7 1 0x55304E7A
fuse prog -y 7 2 0xFB8FF259
fuse prog -y 7 3 0x9CE57582

Right now, the build fails, but it may be due to the Yocto configuration. Is the process of generating keys for fusing correct?

 

Thank you.

 

Best regards

Matej I.


Harvey021
NXP TechSupport

Yes, it's usually not necessary to add more. The process of generating keys for fusing is correct.

For the build issue, please raise a case with Toradex if you need further assistance.

 

Regards

Harvey
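
An added example, not part of the thread and not NXP's or Toradex's code: a shell function that turns the 32-byte fuse file written by `srktool -e` into the eight bank 6 and bank 7 `fuse prog` lines in the form shown above, so the values can be compared with the file before they are programmed. It assumes the file is read as little-endian 32-bit words; the function names and sample bytes are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the bank 6/7 "fuse prog" lines from an SRK fuse file.
# Assumption: the file is eight little-endian 32-bit words (SHA-256, 32 bytes).

# srk_fuse_cmds FILE: print one U-Boot command per 32-bit word of FILE.
srk_fuse_cmds() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    # A SHA-256 SRK hash is exactly 32 bytes; any other size is the wrong
    # file (for example the SRK table instead of the fuse file).
    [ "$size" -eq 32 ] || { echo "$f: expected 32 bytes, got $size" >&2; return 1; }
    # Dump the bytes as hex, then assemble each group of four in reverse
    # order so the least significant byte of every word comes first on disk.
    od -An -v -tx1 "$f" | awk '
        { for (j = 1; j <= NF; j++) b[++n] = toupper($j) }
        END {
            for (i = 0; i < 8; i++) {
                o = i * 4
                # Words 0-3 go to bank 6, words 4-7 to bank 7.
                printf "fuse prog -y %d %d 0x%s%s%s%s\n",
                       6 + int(i / 4), i % 4, b[o+4], b[o+3], b[o+2], b[o+1]
            }
        }'
}

# make_sample FILE: write a constructed 32-byte file (bytes 0x01..0x20).
make_sample() {
    printf '\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020' > "$1"
    printf '\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037\040' >> "$1"
}

# Demo on the constructed sample; replace it with SRK_1_2_3_4_fuse.bin.
sample=$(mktemp)
make_sample "$sample"
srk_fuse_cmds "$sample"
rm -f "$sample"
```

Each word is zero-padded to eight hex digits, so a value written as 0xA53091 appears as 0x00A53091.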