FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Enable Secure boot imx8mq

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Enable Secure boot imx8mq

‎12-14-2022 05:35 AM
880 Views
saurav-pandya
Contributor III

Hi,

I am working on imx8mq board. I am trying to enable secure boot.

Please help to secure u-boot , kernel and device tree file.

 

Thanks,

Saurav

0 Kudos
Reply
4 Replies

‎12-20-2022 10:56 PM
845 Views
Harvey021
NXP TechSupport
NXP TechSupport

Hi, 

[Change in csf_additional_images.txt

Blocks = 0x40480000 0x0 0x02443000 "Image_pad_ivt.bin"]

It seems your ivt not signed. 

 

Best regards

Harvey

 

 

0 Kudos
Reply

‎12-20-2022 11:07 PM
841 Views
saurav-pandya
Contributor III

Hi @Harvey021 ,

Problem is resolved.

 

csf_additional_images.txt

Blocks = 0x40480000 0x00x02443000"Image_pad_ivt.bin"]

in this size value is wrong.

 

Thanks,

Saurav

0 Kudos
Reply

‎12-19-2022 07:58 PM
857 Views
Harvey021
NXP TechSupport
NXP TechSupport

Hi @saurav-pandya 

To enable secure boot for u-boot and extend to root of trust for kernel and device tree. 

You can follow up the link: (habv4\imx\doc - uboot-imx - i.MX U-Boot (codeaurora.org)) where you will find all documents for enabling secure boot.

Best regards

Harvey

 

0 Kudos
Reply

‎12-19-2022 10:06 PM
852 Views
saurav-pandya
Contributor III

Hi @Harvey021 ,

 

I have successfully boot with secure u-boot. Now I am working for secure kernel. I followed below step for secure kernel, still got issue.

$ od -x -j 0x10 -N 0x4 --endian=little Image

0000020 3000 0244
0000024

$ objcopy -I binary -O binary --pad-to 0x2443000 --gap-fill=0x00 Image Image_pad.bin

Create ivt file

./genIVT

cat Image_pad.bin ivt.bin > Image_pad_ivt.bin

Change in csf_additional_images.txt

Blocks = 0x40480000 0x0 0x02443000 "Image_pad_ivt.bin"

Create signed image

./cst --i csf_additional_images.txt --o csf_Image.bin

cat Image_pad_ivt.bin csf_Image.bin > Image_signed.bin

Test with signed image

u-boot=> hab_auth_img 0x40480000 0x2443000 0x428C3000
hab fuse not enabled

Authenticate image from DDR location 0x40480000...
bad magic magic=0x1f length=0xc098 version=0x1
bad length magic=0x1f length=0xc098 version=0x1
bad version magic=0x1f length=0xc098 version=0x1
Error: Invalid IVT structure

Allowed IVT structure:
IVT HDR = 0x4X2000D1
IVT ENTRY = 0xXXXXXXXX
IVT RSV1 = 0x0
IVT DCD = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF = 0xXXXXXXXX
IVT CSF = 0xXXXXXXXX
IVT RSV2 = 0x0

Please help on same.

Thanks,

Saurav

 

 

0 Kudos
Reply