Do I sign only one dtb file?

gregorydavies
Contributor II

Do I need to sign all the dtb files, or just one?

I'm working on securing Yocto Linux 3.14.52 on an iMX6 SoloX. I've followed the security workshop, and successfully signed u-boot, zImage, and imx6sx-sdb.dtb, and they all work great with no HAB errors.

What about the rest of the dtb files in the boot partition (ex. imx6sx-sdb-btwifi.dtb)? They don't appear to be loaded into memory at the time when the kernel and imx6sx-sdb.dtb are checked, so I don't have a location in memory to point to, to verify them. Are hashes of the other dtb files contained in imx6sx-sdb.dtb, so none of them can be changed without an updated signature? All the posts I've read made it sound like there's only one dtb file at all, but my Yocto build produces many of them. Is there some additional work to sign the rest of them?

jamesbone
NXP TechSupport

Hello Greg,

Yes, only one DTB file needs to be signed. The DTB file that you sign is the configuration file the kernel uses to understand the behavior of the pads and pins of the device, so we have different options for different scenarios, but only one needs to be signed.


Have a great day,
Jaime

gregorydavies
Contributor II

Thanks James,

That answers most of my question. Maybe you answered the rest, but the wording doesn't make it clear. What is the purpose of the other dtb files that are included in the Boot partition of the .sdcard image? Are the other dtb files ever used after the first one is loaded?

BiyongSUN
NXP Employee

The dtb file is used for the different boards (hardware design).

The only change is to use a different dtb with the same U-Boot, kernel, and rootfs.

If you check the U-Boot boot args, you will see how U-Boot and the kernel use the dtb.

Please see the highlight in RED.

baudrate=115200
boot_fdt=try
bootcmd=mmc dev ${mmcdev};if mmc rescan; then if run loadbootscript; then run bootscript; else if run loadimage; then run mmcboot; else run netboot; fi; fi; else run netboot; fi
bootcmd_mfg=run mfgtool_args;bootz ${loadaddr} ${initrd_addr} ${fdt_addr};
bootdelay=1
bootscript=echo Running bootscript from mmc ...; source
console=ttymxc0
emmcdev=2
epdc_waveform=epdc_splash.bin
ethact=FEC
ethaddr=00:04:9f:03:ce:30
ethprime=FEC
fdt_addr=0x18000000
fdt_file=imx6q-sabresd.dtb
fdt_high=0xffffffff
image=zImage
initrd_addr=0x12C00000
initrd_high=0xffffffff
ip_dyn=yes
loadaddr=0x12000000
loadbootscript=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${script};
loadfdt=fatload mmc ${mmcdev}:${mmcpart} ${fdt_addr} ${fdt_file}
loadimage=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${image}
mfgtool_args=setenv bootargs console=ttymxc0,115200 rdinit=/linuxrc g_mass_storage.stall=0 g_mass_storage.removable=1 g_mass_storage.file=/fat g_mass_storage.ro=1 g_mass_storage.idVendor=0x066F g_mass_storage.idProduct=0x37FF g_mass_storage.iSerialNumber="" enable_wait_mode=off
mmcargs=setenv bootargs console=${console},${baudrate} ${smp} root=${mmcroot}
mmcautodetect=yes
mmcboot=echo Booting from mmc ...; run mmcargs; if test ${boot_fdt} = yes || test ${boot_fdt} = try; then if run loadfdt; then bootz ${loadaddr} - ${fdt_addr}; else if test ${boot_fdt} = try; then bootz; else echo WARN: Cannot load the DT; fi; fi; else bootz; fi;
mmcdev=1
mmcpart=1
mmcroot=/dev/mmcblk2p2 rootwait rw
netargs=setenv bootargs console=${console},${baudrate} ${smp} root=/dev/nfs ip=dhcp nfsroot=${serverip}:${nfsroot},v3,tcp
netboot=echo Booting from net ...; run netargs; if test ${ip_dyn} = yes; then setenv get_cmd dhcp; else setenv get_cmd tftp; fi; ${get_cmd} ${image}; if test ${boot_fdt} = yes || test ${boot_fdt} = try; then if ${get_cmd} ${fdt_addr} ${fdt_file}; then bootz ${loadaddr} - ${fdt_addr}; else if test ${boot_fdt} = try; then bootz; else echo WARN: Cannot load the DT; fi; fi; else bootz; fi;
script=boot.scr
update_emmc_firmware=if test ${ip_dyn} = yes; then setenv get_cmd dhcp; else setenv get_cmd tftp; fi; if ${get_cmd} ${update_sd_firmware_filename}; then if mmc dev ${emmcdev} 1; then setexpr fw_sz ${filesize} / 0x200; setexpr fw_sz ${fw_sz} + 1; mmc write ${loadaddr} 0x2 ${fw_sz}; fi; fi
update_sd_firmware=if test ${ip_dyn} = yes; then setenv get_cmd dhcp; else setenv get_cmd tftp; fi; if mmc dev ${mmcdev}; then if ${get_cmd} ${update_sd_firmware_filename}; then setexpr fw_sz ${filesize} / 0x200; setexpr fw_sz ${fw_sz} + 1; mmc write ${loadaddr} 0x2 ${fw_sz}; fi; fi

Environment size: 2678/8188 bytes
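
An added example, not part of the original posts: the script below walks a printenv dump like the one above from `bootcmd` through each `run`, and lists every file a `fatload` brings into memory together with its load address, that is, the files this boot path actually reads from the boot partition. The sample environment is a constructed subset of the dump above, the function names are hypothetical, and only `fatload` is followed (loaders chosen at run time, such as `get_cmd` in `netboot`, are not resolved).

```python
import re

# Constructed sample: a subset of the environment printed in the post above.
SAMPLE_ENV = """\
boot_fdt=try
bootcmd=mmc dev ${mmcdev};if mmc rescan; then if run loadbootscript; then run bootscript; else if run loadimage; then run mmcboot; else run netboot; fi; fi; else run netboot; fi
bootscript=echo Running bootscript from mmc ...; source
fdt_addr=0x18000000
fdt_file=imx6q-sabresd.dtb
image=zImage
loadaddr=0x12000000
loadbootscript=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${script};
loadfdt=fatload mmc ${mmcdev}:${mmcpart} ${fdt_addr} ${fdt_file}
loadimage=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${image}
mmcboot=echo Booting from mmc ...; run mmcargs; if test ${boot_fdt} = yes || test ${boot_fdt} = try; then if run loadfdt; then bootz ${loadaddr} - ${fdt_addr}; else if test ${boot_fdt} = try; then bootz; else echo WARN: Cannot load the DT; fi; fi; else bootz; fi;
mmcdev=1
mmcpart=1
script=boot.scr
"""

def parse_env(text):
    """Turn printenv-style name=value lines into a dict; other lines are skipped."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name and " " not in name:
            env[name] = value
    return env

def files_loaded(env, start="bootcmd"):
    """Follow 'run <var>' from start; return sorted (file, address) per fatload."""
    loads, seen, todo = set(), set(), [start]
    while todo:
        name = todo.pop()
        if name in seen or name not in env:
            continue
        seen.add(name)
        for cmd in re.split(r";|\b(?:if|then|else)\b", env[name]):
            # Expand ${var} once; names not in the environment become empty.
            words = re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), ""), cmd).split()
            if words[:1] == ["run"]:
                todo.extend(words[1:])
            elif words[:1] == ["fatload"] and len(words) >= 5:
                loads.add((words[4], words[3]))  # (file name, load address)
    return sorted(loads)

if __name__ == "__main__":
    for name, addr in files_loaded(parse_env(SAMPLE_ENV)):
        print(f"{name} -> {addr}")
```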

gregorydavies
Contributor II

Maybe I'm not asking the right question. I understand how and why imx6sx-sabresd.dtb is used. When I write the .sdcard image, it includes other files such as:

  • im6sx-sdb-btwifi.dtb
  • im6sx-sdb-emmc.dtb
  • im6sx-sdb-m4.dtb
  • im6sx-sdb-sai.dtb

I don't understand the purpose of these files. Under what circumstances would they be used?

BiyongSUN
NXP Employee

It is for the different boards of hardware design.

This sdcard image can be used for different boards of hardware design. Just change the dtb file; there is no need to change the Linux kernel.

Some iomux pads conflict if you use the bt wifi or sai. That is why the different dtb files are needed.

You can find it in the BSP release notes:

[Screenshot: Untitled.png]

If you still don't understand what I said, I think you'd better check Google for what a device tree is and how to use the device tree.

gregorydavies
Contributor II

Thank you, that clears it up. There's a lot of information about device trees on Google, but not many succinct descriptions if you don't already know how they work.
