I followed every single step of the following guide, but my device doesn't boot. My device is closed and signing works perfectly, but when I try to encrypt it just doesn't work. Can somebody help me out, please?
In doc/imx/hab/habv4/guides/mx6_mx7_encrypted_boot.txt (I skipped some parts):

+==========================================================+
+  i.MX6, i.MX7 U-Boot Encrypted Boot guide using HABv4    +
+==========================================================+

  CONFIG_FAT_WRITE=y
  CONFIG_CMD_DEKBLOB=y
  CONFIG_CDM_PRIBLOB=y

- Kconfig

  File systems -> Enable FAT filesystem support -> Enable FAT filesystem write support
  ARM architecture -> Support the 'dek_blob' command
  ARM architecture -> Support the set_priblob_bitfield command

1.3 Compile the CST to enable the encrypting feature
----------------------------------------------------

The encrypting feature is not enabled by default. You need to execute the
following commands to enable it:

$ sudo apt-get install libssl-dev openssl
$ cd <CST install directory>/code/back_end/src
$ gcc -o cst_encrypted -I ../hdr -L ../../../linux64/lib *.c -lfrontend -lcrypto
$ cp cst_encrypted ../../../<where your original CST executable is>

1.4.1 csf_u-boot_enc.txt
------------------------

- Modify the Authenticate Data command to only cover IVT and DCD:

  Blocks = 0x877ff400 0x00000000 0x00000c00 "u-boot-dtb.imx"

  Blob Address = Authenticate Start Address + Padding + length
               = 0x877ff400 + 0x2000 + 0x9ec00
               = 0x878a0000

$ cp u-boot-dtb.imx u-boot-dtb.imx-enc

  Block = (Authenticate start addr + 0xc00) 0xc00 (length - 0xc00) u-boot-dtb.imx-enc
        = (0x877ff400 + 0xc00) 0xc00 (0x9ec00 - 0xc00) u-boot-dtb.imx-enc
        = 0x87800000 0xc00 0x9e000 u-boot-dtb.imx-enc

1.4.2 csf_u-boot_sign_enc.txt
-----------------------------

  Blocks = 0x877ff400 0x000 0x0009ec00 "u-boot-dtb.imx-enc"

  Key = "dek-dummy.bin"

  Blocks = 0x87800000 0x00000c00 0x9e000 "u-boot-dtb.imx-dummy"

1.5 Encrypt the U-Boot image
----------------------------

The image is encrypted using the Code Signing Tool. It also generates a CSF
binary and a dek.bin file, which will be used in the steps below.

- Create the CSF binary file and encrypt the U-Boot image

$ ./cst_encrypted -i csf_u-boot_enc.txt -o csf_u-boot_enc.bin

1.6 Sign the encrypted U-Boot image
-----------------------------------

$ ./cst_encrypted -i csf_u-boot_sign_enc.txt -o csf_u-boot_sign_enc.bin

1.7 Swap Nonce/MAC from csf_u-boot_enc.bin to csf_u-boot_sign_enc.bin
---------------------------------------------------------------------

First, calculate the Nonce/MAC size based on the Mac Bytes value in the CSF.
As Mac Bytes is 16:

  Nonce/MAC size = Nonce size + MAC bytes + CSF header for Nonce/MAC
                 = 12 + 16 + 8
                 = 36 bytes

Then, calculate the Nonce/MAC offset in the CSF:

  MAC offset = csf_u-boot_enc.bin size - Nonce/MAC size
             = 3972 - 36
             = 3936 bytes

In the next step, extract the Nonce/MAC from the first CSF:

$ dd if=csf_u-boot_enc.bin of=noncemac.bin bs=1 skip=3936 count=36

Finally, replace the MAC of csf_u-boot_sign_enc.bin with the extracted one:

$ dd if=noncemac.bin of=csf_u-boot_sign_enc.bin bs=1 seek=3936 count=36

1.8 Generate encrypted U-Boot with no DEK
-----------------------------------------

First, pad the CSF to 0x2000:

$ objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0xff csf_u-boot_sign_enc.bin csf_u-boot_sign_enc_padded.bin

Then, append this file to the encrypted U-Boot image:

$ cat u-boot-dtb.imx-enc csf_u-boot_sign_enc_padded.bin > u-boot_encrypted_no_dek.bin

Pad this new file to width + offset (0x9ec00 + 0x2000 = 0xa0c00):

$ objcopy -I binary -O binary --pad-to 0xa0c00 --gap-fill=0x00 u-boot_encrypted_no_dek.bin u-boot_encrypted_no_dek_padded.bin

1.9 Generate the DEK Blob
-------------------------

Run the following commands:

=> mmc list
FSL_SDHC: 0 (SD)    # index to use for mmc in the following commands
=> fatload mmc 0 0x80800000 dek.bin
=> dek_blob 0x80800000 0x80801000 128
=> fatwrite mmc 0 0x80801000 dek_blob.bin 0x48

1.10 Finalize the encrypted U-Boot image
----------------------------------------

$ cat u-boot_encrypted_no_dek_padded.bin dek_blob.bin > u-boot_encrypted.bin

If the image does not boot, please verify the size of your U-Boot image, the
length specified in the CSF and the padding values.
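As an added example, not part of the original post, the quoted U-Boot guide or NXP's CST, the following Python re-implements steps 1.7 to 1.10 of the guide (Nonce/MAC swap, CSF padding, concatenation, DEK blob append) and performs up front the size checks the guide's last sentence tells you to do after a failed boot. Every constant is taken from the guide's own numbers; the one thing the guide does not state is the 0xAC tag byte used to sanity-check that the extracted 36 bytes really start a HABv4 MAC record, which is an assumption about the HAB header format and can be switched off with check_tag=False. Sample inputs in the tests are constructed, not real CSF output.

```python
"""Steps 1.7 to 1.10 of mx6_mx7_encrypted_boot.txt done in Python with checks.

Added example code, not taken from the guide or from the CST sources.
"""

# Constants taken from the guide's arithmetic and commands.
NONCE_SIZE = 12          # nonce length in the guide's "12 + 16 + 8" sum
MAC_HDR_SIZE = 8         # "CSF header for Nonce/MAC" in the same sum
CSF_PAD = 0x2000         # CSF is padded to 0x2000 with 0xff (step 1.8)
IMAGE_LEN = 0x9ec00      # length in the Authenticate Data "Blocks" line
AUTH_START = 0x877ff400  # Authenticate Start Address from the CSF
DEK_BLOB_SIZE = 0x48     # size written by "fatwrite ... dek_blob.bin 0x48"
# ASSUMPTION (not stated in the guide): a HABv4 MAC record starts with tag 0xAC.
HAB_TAG_MAC = 0xAC


def noncemac_size(mac_bytes=16):
    """Size of the Nonce/MAC record for the CSF's 'Mac Bytes' setting (36 for 16)."""
    return NONCE_SIZE + mac_bytes + MAC_HDR_SIZE


def noncemac_offset(csf_enc, mac_bytes=16):
    """Offset of the Nonce/MAC record, the last item in the CSF produced by the
    encrypt step (the guide's 3972 - 36 = 3936)."""
    return len(csf_enc) - noncemac_size(mac_bytes)


def swap_noncemac(csf_enc, csf_sign_enc, mac_bytes=16, check_tag=True):
    """Return csf_sign_enc with its Nonce/MAC replaced by the one from csf_enc.

    Equivalent to the two dd commands of step 1.7. The guide reuses the offset
    computed from csf_enc when writing into csf_sign_enc, which only holds if
    both CSFs have the same layout, so differing sizes are rejected here.
    """
    if len(csf_enc) != len(csf_sign_enc):
        raise ValueError("CSF sizes differ (%d vs %d); the guide assumes identical layouts"
                         % (len(csf_enc), len(csf_sign_enc)))
    off, size = noncemac_offset(csf_enc, mac_bytes), noncemac_size(mac_bytes)
    record = csf_enc[off:off + size]
    if check_tag and record[0] != HAB_TAG_MAC:  # assumed tag value, see above
        raise ValueError("byte at offset %d is 0x%02x, not the MAC tag 0x%02x; "
                         "re-check Mac Bytes and the CSF size" % (off, record[0], HAB_TAG_MAC))
    return csf_sign_enc[:off] + record + csf_sign_enc[off + size:]


def pad_to(data, size, fill):
    """In-memory equivalent of objcopy --pad-to SIZE --gap-fill=FILL."""
    if len(data) > size:
        raise ValueError("data is %d bytes, larger than pad target 0x%x" % (len(data), size))
    return data + bytes([fill]) * (size - len(data))


def dek_blob_load_address(auth_start=AUTH_START, image_len=IMAGE_LEN, csf_pad=CSF_PAD):
    """Address the appended DEK blob lands at once the final image is loaded at
    auth_start. It must equal the 'Blob Address' written in the CSF (0x878a0000)."""
    return auth_start + csf_pad + image_len


def build_encrypted_image(uboot_enc, csf_sign_enc_patched, dek_blob,
                          image_len=IMAGE_LEN, csf_pad=CSF_PAD):
    """Steps 1.8 and 1.10: pad the CSF to csf_pad with 0xff, append it to the
    encrypted image, pad to image_len + csf_pad with 0x00, append the DEK blob.

    The length checks catch the mismatches the guide lists as the usual causes
    of a non-booting image: image size vs CSF Blocks length, and padding.
    """
    if len(uboot_enc) != image_len:
        raise ValueError("encrypted U-Boot is 0x%x bytes but the CSF Blocks length is 0x%x"
                         % (len(uboot_enc), image_len))
    if len(dek_blob) != DEK_BLOB_SIZE:
        raise ValueError("DEK blob is %d bytes, expected 0x%x" % (len(dek_blob), DEK_BLOB_SIZE))
    csf_padded = pad_to(csf_sign_enc_patched, csf_pad, 0xff)
    # With the checks above this second pad is a no-op; it mirrors the guide's
    # "pad to 0xa0c00" step and would reveal any leftover size mistake.
    no_dek = pad_to(uboot_enc + csf_padded, image_len + csf_pad, 0x00)
    return no_dek + dek_blob
```

Usage: read csf_u-boot_enc.bin, csf_u-boot_sign_enc.bin, u-boot-dtb.imx-enc and dek_blob.bin into bytes, call swap_noncemac, then build_encrypted_image, and write the result as u-boot_encrypted.bin. Because the blob is simply appended at offset image_len + csf_pad, dek_blob_load_address() is the address HAB will read it from, so it has to match the Blob Address in csf_u-boot_enc.txt; if you change the image length or the CSF padding, both numbers move together.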
Hello.
I am stuck at the command:
$ gcc -o cst_encrypted -I ../hdr -L ../../../linux64/lib *.c -lfrontend -lcrypto
/tmp/ccuAQQCf.o: In function `sk_X509_new_null':
adapt_layer_openssl.c:(.text+0x5): undefined reference to `OPENSSL_sk_new_null'
/tmp/ccuAQQCf.o: In function `sk_X509_push':
adapt_layer_openssl.c:(.text+0x2a): undefined reference to `OPENSSL_sk_push'
/tmp/ccuAQQCf.o: In function `sk_X509_pop_free':
adapt_layer_openssl.c:(.text+0x4f): undefined reference to `OPENSSL_sk_pop_free'
/tmp/ccuAQQCf.o: In function `gen_sig_data_ecdsa':
adapt_layer_openssl.c:(.text+0xa4f): undefined reference to `EVP_PKEY_get0_EC_KEY'
adapt_layer_openssl.c:(.text+0xa8d): undefined reference to `EVP_PKEY_get0_EC_KEY'
adapt_layer_openssl.c:(.text+0xbda): undefined reference to `ECDSA_SIG_get0'
/tmp/cc2DOb8b.o: In function `generate_hash':
openssl_helper.c:(.text+0x1f): undefined reference to `EVP_MD_CTX_new'
/tmp/cc2DOb8b.o: In function `sign_data':
openssl_helper.c:(.text+0x4b3): undefined reference to `EVP_MD_CTX_new'
openssl_helper.c:(.text+0x520): undefined reference to `EVP_MD_CTX_free'
openssl_helper.c:(.text+0x5a6): undefined reference to `EVP_MD_CTX_free'
openssl_helper.c:(.text+0x5c5): undefined reference to `EVP_MD_CTX_free'
/tmp/cc2DOb8b.o: In function `ver_sig_data':
openssl_helper.c:(.text+0xc8b): undefined reference to `EVP_PKEY_get0_RSA'
openssl_helper.c:(.text+0xd49): undefined reference to `ECDSA_SIG_set0'
openssl_helper.c:(.text+0xd78): undefined reference to `EVP_PKEY_get0_EC_KEY'
../../../linux64/lib/libfrontend.a(srk_helper.o): In function `srk_entry_pkcs1':
srk_helper.c:(.text+0x90): undefined reference to `EVP_PKEY_get0_RSA'
srk_helper.c:(.text+0xa8): undefined reference to `RSA_get0_key'
../../../linux64/lib/libfrontend.a(srk_helper.o): In function `srk_entry_ec':
srk_helper.c:(.text+0x564): undefined reference to `EVP_PKEY_get0_EC_KEY'
srk_helper.c:(.text+0x5d3): undefined reference to `EVP_PKEY_get0_EC_KEY'
/usr/bin/ld: ../../../linux64/lib/libfrontend.a(err.o): unrecognized relocation (0x2a) in section `.text'
/usr/bin/ld: final link failed: Bad value
collect2: error: ld returned 1 exit status
Thanks in advance,
Pramod
Hi Omar
One can create a service request for obtaining an encrypted boot example:
How to submit a new question for NXP Support
Best regards
igor