I am working on getting uboot to load a secure kernel on a Boundary Devices Nitrogen8MM. I have already worked through the instructions at https://boundarydevices.com/high-assurance-boot-hab-i-mx8m-edition/ and everything is working with a signed uboot.
According to BoundaryDevices, they have been told by NXP that the next step is to get booti to auth the kernel by using this patch: https://github.com/boundarydevices/u-boot-imx6/commit/a20a5ee3c0 However, it's not working.
When I auth the kernel by hand using hab_auth_img, it appears to work just fine:
=> load mmc 1 ${loadaddr} Image
30009696 bytes read in 679 ms (42.1 MiB/s)
=> hab_auth_img ${loadaddr} ${filesize} 0x01c9d000
Authenticate image from DDR location 0x40480000...
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!
=>
But when just booting I get this:
Authenticating Image...
Authenticate image from DDR location 0x40800000...
Error: Invalid IVT structure
Allowed IVT structure:
IVT HDR = 0x4X2000D1
IVT ENTRY = 0xXXXXXXXX
IVT RSV1 = 0x0
IVT DCD = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF = 0xXXXXXXXX
IVT CSF = 0xXXXXXXXX
IVT RSV2 = 0x0
Authenticate Image Fail, Please check
Error loading kernel image
And, of course, if I don't use the patch then it boots just fine, but I need to auth the kernel before loading.
What am I missing?
I've done some digging and the issue seems to be that IVT_SELF and IVT_INITAL don't match in validate_ivt(). I added some debugging statements and found this:
Allowed IVT structure:
IVT HDR = 0x4X2000D1
IVT ENTRY = 0xXXXXXXXX
IVT RSV1 = 0x0
IVT DCD = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF = 0xXXXXXXXX
IVT CSF = 0xXXXXXXXX
IVT RSV2 = 0x0
Found values:
IVT_ENTRY: 0x40480000
IVT_RSV1: 0x0
IVT_DCD: 0x0
IVT_SELF: 0x4211d000
IVT_INITAL: 0x4249d000
IVT_CSF: 0x4211d020
IVT_RSV2: 0x0
So, they are off by 0x380000 which is a suspiciously round number, but I can't figure out where it comes from.
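Added example (not part of the original posts and not U-Boot's own code): a C sketch of the IVT checks implied by the "Allowed IVT structure" output, run against the IVT values from the debug output at both DDR locations that appear in the logs. It assumes the third hab_auth_img argument (0x01c9d000) is the IVT offset from the load address; check_ivt, ivt_at and the hdr and boot_data values are hypothetical or constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-byte HAB IVT, fields in the order the U-Boot error message lists them. */
struct ivt {
    uint32_t hdr, entry, rsv1, dcd, boot_data, self, csf, rsv2;
};

enum ivt_result { IVT_OK, IVT_BAD_HDR, IVT_BAD_RESERVED, IVT_SELF_MISMATCH };

/* entry/self/csf are the "Found values" from the post; hdr and boot_data
 * are constructed sample values (the page does not show them). */
static const struct ivt sample_ivt = {
    .hdr = 0x412000D1u, .entry = 0x40480000u, .rsv1 = 0, .dcd = 0,
    .boot_data = 0, .self = 0x4211d000u, .csf = 0x4211d020u, .rsv2 = 0,
};

/* Assumption: the IVT sits at load address + IVT offset. */
static uint32_t ivt_at(uint32_t load_addr, uint32_t ivt_offset)
{
    return load_addr + ivt_offset;
}

/* Check the IVT against the address it currently occupies in DDR.
 * On a self-pointer mismatch, *delta = current address - signed address. */
static enum ivt_result check_ivt(const struct ivt *ivt, uint32_t addr, int64_t *delta)
{
    *delta = 0;
    if ((ivt->hdr & 0xF0FFFFFFu) != 0x402000D1u)   /* 0x4X2000D1 */
        return IVT_BAD_HDR;
    if (ivt->rsv1 || ivt->dcd || ivt->rsv2)        /* must all be 0x0 */
        return IVT_BAD_RESERVED;
    if (ivt->self != addr) {
        *delta = (int64_t)addr - (int64_t)ivt->self;
        return IVT_SELF_MISMATCH;
    }
    return IVT_OK;
}

int main(void)
{
    /* The two "Authenticate image from DDR location" addresses in the logs. */
    const uint32_t locations[] = { 0x40480000u, 0x40800000u };
    for (int i = 0; i < 2; i++) {
        int64_t d;
        enum ivt_result r = check_ivt(&sample_ivt, ivt_at(locations[i], 0x01c9d000u), &d);
        printf("DDR 0x%08x: result=%d delta=0x%llx\n", (unsigned)locations[i], r, (long long)d);
    }
    return 0;
}
```

The delta reported for 0x40800000 is 0x380000, which is also 0x40800000 minus 0x40480000, the distance between the two DDR locations printed in the logs.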