Hello Guys,
I was successfull in getting Secure Boot running through u-boot-imx-2013 (https://community.nxp.com/thread/428505 ) and we recently moved to u-boot-denx-2015 for multi stage booting as we have read some reports about speed and effciency. Fortunately, we got the multi stage boot working. Now, we want to get the Secure Boot working also in this multi-stage booting. I am not sure this is the place to ask the current question but I am sure many people here can guide me here than else where. So, please bear with me.
Working - Normal Multi-stage Boot: This works like a charm
1. There are two main files SPL and u-boot.img
2. They are flashed onto the sd card
sudo dd if=SPL of=/dev/sdc bs=1k seek=1
sudo dd if=u-boot.img of=/dev/sdc bs=1k seek=69
3. seek=1 which means 0x400 (1KB) is to be left free and SPL has to be flashed
4. seek=69 means that SPL cannot be great than 68KB. After that it is u-boot.img
Not Working - Secure Multi-stage Boot:
- SPL is only 39936 Bytes (0x9C00) but devices like sd card and flash needs to be padded with 0x1000 (4KB). So, it is padded. 40960 Bytes (0xA000) is the new size.
- SPL hexdump looks like this SPL
- The SPL starts with IVT and therefore the Authenticate data of CSF file is as follows
- The CSF bin generated by CST is added to SPL.pad to generate SPL-signed.bin. This SPL-signed.bin is further padded to the size 0x1000
- I flashed the new SPL-signed.bin.pad and u-boot.img as in the Normal Multi-stage boot. Unfortunately it doesnt work.
Questions?
- Is there any mistake in my above process to get secure boot running?
- I only sign the SPL image and not u-boot.img as I assume that the ROM only check the first part of the boot loader which is SPL in the current case. Is this wrong?
- How do I know at what RAM address is the u-boot.img is loaded to? Where in the code could that be written?
Ask me anything for more info, I would be happy to receive help from you guys.
Greets,
Satya
Hello Everyone,
I solved it through a contributor to u-boot, Sven Ebenfeld.
Solution:
Change the DCD address in IVT to 0x0. For the moment I just hacked it using hex editor but this has to be changed in the code. That means my new SPL.imx looks as follows
Output:
Why did it work? Possible Explanation:
DCD is actually information about initialising RAM which I assume is done by the firmware part, the second stage of bootloader (u-boot.img). So, there is no necessity of it being mentioned in the IVT data structure. So, changing DCD address to 0x0 doesn't effect the booting in any way.
Greets & Thanks,
Satya
Hello Fabio, Hello Igor
Thanks for the link. I had a look deeply into the link and it has nothing to do with my problem. The patches in the link are for SPL (1st stage bootloader) to authenticate u-boot.img (2nd stage bootloader). On the other hand, my problem is with ROM Boot authenticating the SPL. This is one step before and had to do with the way ROM Boot authenticates the 1st image, i.e. SPL
My SPL.imx is as follows
The HAB error is
It's actually at DCD data. The error means the following
0x33 - failure
0x06 - Invalid Command - command malformed
0xC0 - Error occured while executing CSF or DCD, in our case DCD
0x00 - Any Engine
Data - "CC 00 04 04" which means
CC - Write Data
00 04 - Length of DCD which is 4 Bytes
04 - Width of addresses which is 32bit or 4 Bytes.
Can you guys tell me why this occurs? Is it a mistake that the length of DCD data is only 4 Bytes and the rest is empty? Did any one check their SPL's DCD data?
Greets,
Satya
Hello Everyone,
I solved it through a contributor to u-boot, Sven Ebenfeld.
Solution:
Change the DCD address in IVT to 0x0. For the moment I just hacked it using hex editor but this has to be changed in the code. That means my new SPL.imx looks as follows
Output:
Why did it work? Possible Explanation:
DCD is actually information about initialising RAM which I assume is done by the firmware part, the second stage of bootloader (u-boot.img). So, there is no necessity of it being mentioned in the IVT data structure. So, changing DCD address to 0x0 doesn't effect the booting in any way.
Greets & Thanks,
Satya
