Error using CONFIG_AUTOBOOT_STOP_STR_SHA256 in U-Boot

pgentili · ‎10-08-2020

Hi everyone,

I'm trying to activate the U-Boot's "Stop autobooting via SHA256 encrypted password" feature on iMX8M Mini. The problem is that, when U-Boot is autobooting, every time I press I button I get this error:

Error: Address arguments are not aligned
CAAM was not setup properly or it is faulty

Do you know how to fix it?

Thanks.

igorpadykov · ‎10-18-2020

Hi Paolo

--------------

Yes, there is a way to force the AUTOBOOT_STO_STR_SHA256 to be performed by sw that we must change the uboot code manually. The modification is below:

diff --git a/common/hash.c b/common/hash.c
index 413a5bf..cc1609c 100644
--- a/common/hash.c
+++ b/common/hash.c
@@ -171,7 +171,7 @@ static struct hash_algo hash_algo[] = {
.digest_size = SHA256_SUM_LEN,
.chunk_size = CHUNKSZ_SHA256,
#ifdef CONFIG_SHA_HW_ACCEL
- .hash_func_ws = hw_sha256,
+ .hash_func_ws = sha256_csum_wd,
#else
.hash_func_ws = sha256_csum_wd,
#endif

--------------

Best regards
igor

View solution in original post

igorpadykov · ‎10-12-2020

HI pgentili

I checked internally and some questions arised below:

--------------

Does the customer must use CAAM to do sha256 operation? In our BSP, we don't enable CAAM by default, the CONFIG_AUTOBOOT_STOP_STR_SHA256 feature can be achieved by software.

So can you tell me the configuration that customer does? Do they have to use CAAM to do sha256?

--------------

Best regards
igor

pgentili · ‎10-16-2020

Hi,

we have FSL_CAAM = y and therefore SHA_HW_ACCEL = y because it's required by SECURE_BOOT which is mandatory in our product.

What do you suggest to do? Is there any way to force the AUTOBOOT_STO_STR_SHA256 to be performed by sw?

Regards
Paolo

igorpadykov · ‎10-18-2020

Hi Paolo

--------------

Yes, there is a way to force the AUTOBOOT_STO_STR_SHA256 to be performed by sw that we must change the uboot code manually. The modification is below:

diff --git a/common/hash.c b/common/hash.c
index 413a5bf..cc1609c 100644
--- a/common/hash.c
+++ b/common/hash.c
@@ -171,7 +171,7 @@ static struct hash_algo hash_algo[] = {
.digest_size = SHA256_SUM_LEN,
.chunk_size = CHUNKSZ_SHA256,
#ifdef CONFIG_SHA_HW_ACCEL
- .hash_func_ws = hw_sha256,
+ .hash_func_ws = sha256_csum_wd,
#else
.hash_func_ws = sha256_csum_wd,
#endif

--------------

Best regards
igor

pgentili · ‎10-19-2020

Hi,
thanks for your help but your solution is not working.

The error regarding CAAM is gone but I cannot stop the autoboot process typing the password. I tried switching back to CONFIG_AUTOBOOT_STOP_STR (w/o encryption) and it's working fine.

Any idea why it cannot use CAAM at that stage?

Thanks
Paolo

igorpadykov · ‎10-19-2020

internal feedback:

-----------------

Does the customer set SHA256 result of their keys in the CONFIG_AUTOBOOT_STOP_STR_SHA256?

Let me give an example. If I want to use char 'a' to stop autoboot, I need to set the CONFIG_AUTOBOOT_STOP_STR_SHA256 to 'ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb'(the sha256 result of char 'a'), like the attached picture.

Now our BSP hasn't supported CAAM to do sha256 in uboot phase. The method I told you in last reply is to change the sha256 operation to achieve by software method.

-----------------

Best regards
igor

pgentili · ‎10-20-2020

There you go, that was the problem.

Thanks!
Paolo

Error using CONFIG_AUTOBOOT_STOP_STR_SHA256 in U-Boot

Error using CONFIG_AUTOBOOT_STOP_STR_SHA256 in U-Boot

i.MX 8M | i.MX 8M Mini | i.MX 8M Nano