Dear experts,
I would like to try the secure boot feature on the iMX8-plus evolution kit platform.
Could you please point me to the correct documentation to enable all configuration in Linux and U-Boot, and about the tools to sign the code executable binaries?
Please do share if there is any technical video with the instructions available.
Best Regards,
Pramod
Hi @hector_delgado,
In addition to my previous question-
When I try to copy the cst file to the respective folder to avoid the error, I see these extra QA issues: Architecture did not match
pramod@Ubuntu20:~/secure_boot_bsp/sources/meta-phytec$ bitbake nxp-cst
Loading cache: 100% |##########################################################################################################################################################################| Time: 0:00:00
Loaded 5335 entries from dependency cache.
Parsing recipes: 100% |########################################################################################################################################################################| Time: 0:00:00
Parsing of 3637 .bb files complete (3636 cached, 1 parsed). 5333 targets, 294 skipped, 1 masked, 0 errors.
NOTE: Resolving any missing task queue dependencies
Build Configuration:
BB_VERSION = "1.50.0"
BUILD_SYS = "x86_64-linux"
NATIVELSBSTRING = "universal"
TARGET_SYS = "aarch64-phytec-linux"
MACHINE = "phyboard-pollux-imx8mp-3"
DISTRO = "ampliphy-vendor-secure"
DISTRO_VERSION = "BSP-Yocto-NXP-i.MX8MP-PD22.1.1"
TUNE_FEATURES = "aarch64 armv8a crc cortexa53 crypto"
TARGET_FPU = ""
meta
meta-poky = "HEAD:269265c00091fa65f93de6cad32bf24f1e7f72a3"
meta-oe
meta-networking
meta-python
meta-multimedia
meta-filesystems
meta-perl
meta-gnome = "HEAD:f44e1a2b575826e88b8cb2725e54a7c5d29cf94a"
meta-bsp
meta-sdk
meta-ml = "HEAD:cc4c2d1c845b48fdec989f089aee3c13d2b1e15b"
meta-chromium = "HEAD:8be1d3a0ba0cf32e61144900597207af5698c10d"
meta-clang = "HEAD:b0d805060791006d651efd3d7ae3dd5add8f70fe"
meta-freescale = "HEAD:f0be684f01b53482cb43e016a5c5c1faf3ae448e"
meta-freescale-3rdparty = "HEAD:f8150f3b37cb83cba1f9e2378e57bb63e02d4610"
meta-freescale-distro = "HEAD:e6daa26ba1f748326546063d63a085ae671827d9"
meta-nxp-demo-experience = "HEAD:9dcc11ea9f525cffedbb28895e0abb443e56c3e0"
meta-python2 = "HEAD:8db9e4f6ceae33d7a4f55453d31e69f9858af4eb"
meta-qt5 = "HEAD:43f8f539d40070a70fe89136db89bf5bb1dfe7ed"
meta-virtualization = "HEAD:7f719ef40896b6c78893add8485fda995b00d51d"
meta-rauc = "HEAD:b344adecae6cef9a26b3c5b6a7bb344d18c074a6"
meta-phytec = "HEAD:f023740382f01e85151a67843a08d9d965503961"
meta-ampliphy = "HEAD:d761395629c0f8f0d06f9fd6fe128fdb001fdfec"
meta-security
meta-tpm = "HEAD:c40e1e84da9624b9096a463dbed3b301c01c268e"
Initialising tasks: 100% |#####################################################################################################################################################################| Time: 0:00:05
Sstate summary: Wanted 82 Local 63 Network 0 Missed 19 Current 285 (76% match, 94% complete)
NOTE: Executing Tasks
ERROR: nxp-cst-3.3.2-r0 do_package_qa: QA Issue: Architecture did not match (x86-64, expected AArch64) in /usr/bin/cst
Architecture did not match (x86-64, expected AArch64) in /usr/bin/srktool [arch]
ERROR: nxp-cst-3.3.2-r0 do_package_qa: QA Issue: /usr/bin/srktool contained in package nxp-cst requires libdl.so.2(GLIBC_2.2.5)(64bit), but no providers found in RDEPENDS_nxp-cst? [file-rdeps]
ERROR: nxp-cst-3.3.2-r0 do_package_qa: QA Issue: /usr/bin/srktool contained in package nxp-cst requires libc.so.6(GLIBC_2.3)(64bit), but no providers found in RDEPENDS_nxp-cst? [file-rdeps]
ERROR: nxp-cst-3.3.2-r0 do_package_qa: QA Issue: /usr/bin/srktool contained in package nxp-cst requires libc.so.6(GLIBC_2.7)(64bit), but no providers found in RDEPENDS_nxp-cst? [file-rdeps]
ERROR: nxp-cst-3.3.2-r0 do_package_qa: QA Issue: /usr/bin/srktool contained in package nxp-cst requires libc.so.6(GLIBC_2.15)(64bit), but no providers found in RDEPENDS_nxp-cst? [file-rdeps]
ERROR: nxp-cst-3.3.2-r0 do_package_qa: QA Issue: /usr/bin/srktool contained in package nxp-cst requires libc.so.6(GLIBC_2.4)(64bit), but no providers found in RDEPENDS_nxp-cst? [file-rdeps]
ERROR: nxp-cst-3.3.2-r0 do_package_qa: QA Issue: /usr/bin/srktool contained in package nxp-cst requires libc.so.6(GLIBC_2.2.5)(64bit), but no providers found in RDEPENDS_nxp-cst? [file-rdeps]
ERROR: nxp-cst-3.3.2-r0 do_package_qa: QA Issue: /usr/bin/srktool contained in package nxp-cst requires libc.so.6(GLIBC_2.3.4)(64bit), but no providers found in RDEPENDS_nxp-cst? [file-rdeps]
ERROR: nxp-cst-3.3.2-r0 do_package_qa: QA run found fatal errors. Please consider fixing them.
ERROR: Logfile of failure stored in: /home/pramod/secure_boot_bsp/build/tmp/work/cortexa53-crypto-phytec-linux/nxp-cst/3.3.2-r0/temp/log.do_package_qa.823747
ERROR: Task (/home/pramod/secure_boot_bsp/sources/poky/../meta-phytec/recipes-devtools/nxp-cst/nxp-cst_3.3.2.bb:do_package_qa) failed with exit code '1'
NOTE: Tasks Summary: Attempted 1175 tasks of which 1168 didn't need to be rerun and 1 failed.
NOTE: Writing buildhistory
NOTE: Writing buildhistory took: 3 seconds
Summary: 1 task failed:
/home/pramod/secure_boot_bsp/sources/poky/../meta-phytec/recipes-devtools/nxp-cst/nxp-cst_3.3.2.bb:do_package_qa
Summary: There were 9 ERROR messages shown, returning a non-zero exit code.
Please assist me with the correct package path or Yocto recipe to fix this problem, as these errors are blocking me from proceeding.
Thank you !
Maybe the cst tool is missing a binary compiled for ARM 64-bit to be used on the i.MX8 Plus platform? Is there any special package available which can be used to fix the error mentioned, related to the architecture?
Hi @pramodsmvdu ,
I hope you're doing well!
I'll be creating another case for your follow up questions. You'll be receiving an email with relevant information. Thank you.
Best regards,
Hector.
Hi @hector_delgado,
Thanks for your message. I am able to receive the security reference manual.
I am trying to build the BSP using Yocto with DISTRO = "ampliphy-vendor-secure":
pramod@Ubuntu20:~/secure_boot_bsp/sources/meta-phytec/recipes-devtools/nxp-cst$ bitbake phytec-security-bundle
Loading cache: 100% |##########################################################################################################################################################################| Time: 0:00:00
Loaded 5335 entries from dependency cache.
Parsing recipes: 100% |########################################################################################################################################################################| Time: 0:00:00
Parsing of 3637 .bb files complete (3636 cached, 1 parsed). 5333 targets, 294 skipped, 1 masked, 0 errors.
NOTE: Resolving any missing task queue dependencies
Build Configuration:
BB_VERSION = "1.50.0"
BUILD_SYS = "x86_64-linux"
NATIVELSBSTRING = "universal"
TARGET_SYS = "aarch64-phytec-linux"
MACHINE = "phyboard-pollux-imx8mp-3"
DISTRO = "ampliphy-vendor-secure"
DISTRO_VERSION = "BSP-Yocto-NXP-i.MX8MP-PD22.1.1"
TUNE_FEATURES = "aarch64 armv8a crc cortexa53 crypto"
TARGET_FPU = ""
meta
meta-poky = "HEAD:269265c00091fa65f93de6cad32bf24f1e7f72a3"
meta-oe
meta-networking
meta-python
meta-multimedia
meta-filesystems
meta-perl
meta-gnome = "HEAD:f44e1a2b575826e88b8cb2725e54a7c5d29cf94a"
meta-bsp
meta-sdk
meta-ml = "HEAD:cc4c2d1c845b48fdec989f089aee3c13d2b1e15b"
meta-chromium = "HEAD:8be1d3a0ba0cf32e61144900597207af5698c10d"
meta-clang = "HEAD:b0d805060791006d651efd3d7ae3dd5add8f70fe"
meta-freescale = "HEAD:f0be684f01b53482cb43e016a5c5c1faf3ae448e"
meta-freescale-3rdparty = "HEAD:f8150f3b37cb83cba1f9e2378e57bb63e02d4610"
meta-freescale-distro = "HEAD:e6daa26ba1f748326546063d63a085ae671827d9"
meta-nxp-demo-experience = "HEAD:9dcc11ea9f525cffedbb28895e0abb443e56c3e0"
meta-python2 = "HEAD:8db9e4f6ceae33d7a4f55453d31e69f9858af4eb"
meta-qt5 = "HEAD:43f8f539d40070a70fe89136db89bf5bb1dfe7ed"
meta-virtualization = "HEAD:7f719ef40896b6c78893add8485fda995b00d51d"
meta-rauc = "HEAD:b344adecae6cef9a26b3c5b6a7bb344d18c074a6"
meta-phytec = "HEAD:f023740382f01e85151a67843a08d9d965503961"
meta-ampliphy = "HEAD:d761395629c0f8f0d06f9fd6fe128fdb001fdfec"
meta-security
meta-tpm = "HEAD:c40e1e84da9624b9096a463dbed3b301c01c268e"
Initialising tasks: 100% |#####################################################################################################################################################################| Time: 0:00:10
Sstate summary: Wanted 831 Local 446 Network 0 Missed 385 Current 1772 (53% match, 85% complete)
NOTE: Executing Tasks
ERROR: nxp-cst-native-3.3.2-r0 do_install: Execution of '/home/pramod/secure_boot_bsp/build/tmp/work/x86_64-linux/nxp-cst-native/3.3.2-r0/temp/run.do_install.732518' failed with exit code 1
ERROR: Logfile of failure stored in: /home/pramod/secure_boot_bsp/build/tmp/work/x86_64-linux/nxp-cst-native/3.3.2-r0/temp/log.do_install.732518
Log data follows:
| DEBUG: Executing shell function do_install
| install: cannot stat '/home/pramod/secure_boot_bsp/build/tmp/work/x86_64-linux/nxp-cst-native/3.3.2-r0/cst-3.3.2/linux64/bin/cst': No such file or directory
| WARNING: exit code 1 from a shell command.
| ERROR: Execution of '/home/pramod/secure_boot_bsp/build/tmp/work/x86_64-linux/nxp-cst-native/3.3.2-r0/temp/run.do_install.732518' failed with exit code 1
ERROR: Task (virtual:native:/home/pramod/secure_boot_bsp/sources/poky/../meta-phytec/recipes-devtools/nxp-cst/nxp-cst_3.3.2.bb:do_install) failed with exit code '1'
NOTE: Tasks Summary: Attempted 1832 tasks of which 1829 didn't need to be rerun and 1 failed.
NOTE: Writing buildhistory
NOTE: Writing buildhistory took: 4 seconds
Summary: 1 task failed:
virtual:native:/home/pramod/secure_boot_bsp/sources/poky/../meta-phytec/recipes-devtools/nxp-cst/nxp-cst_3.3.2.bb:do_install
Summary: There was 1 ERROR message shown, returning a non-zero exit code.
I get this: '/home/pramod/secure_boot_bsp/build/tmp/work/x86_64-linux/nxp-cst-native/3.3.2-r0/cst-3.3.2/linux64/bin/cst': No such file or directory.
Please note that I am using the cst tool version 3.3.2, which is downloaded from the link provided on this page: https://wiki.phytec.com/pages/releaseview.action?pageId=573603855
I updated my recipe to resolve the license checksum issue, with the correct md5sum from this downloaded tool.
Could you please assist with why I am getting this error: '/home/pramod/secure_boot_bsp/build/tmp/work/x86_64-linux/nxp-cst-native/3.3.2-r0/cst-3.3.2/linux64/bin/cst': No such file or directory?
Any pointers to the correct tool package or bitbake recipe to resolve this error?
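Added example, not part of the original posts and not PHYTEC's or NXP's code: a pre-build check of an unpacked CST directory for the two conditions the logs above report, namely a binary absent from `linux64/bin/` (the `do_install` failure) and an ELF architecture that differs from the one the package is built for (the `do_package_qa` failure). The function names are hypothetical, and `srktool` sitting next to `cst` in `linux64/bin/` is an assumption; only the `linux64/bin/cst` path appears in the log.

```python
import struct
import tempfile
from pathlib import Path

# e_machine values from the ELF specification
EM_NAMES = {0x3E: "x86-64", 0xB7: "AArch64"}

def elf_machine(path):
    """Return the architecture name from an ELF header, or None if not ELF."""
    with open(path, "rb") as fh:
        header = fh.read(20)
    if len(header) < 20 or header[:4] != b"\x7fELF":
        return None
    # EI_DATA (byte 5): 1 = little endian, 2 = big endian
    endian = "<" if header[5] == 1 else ">"
    (machine,) = struct.unpack_from(endian + "H", header, 18)
    return EM_NAMES.get(machine, hex(machine))

def check_cst_tree(root, build_arch="x86-64", tools=("cst", "srktool")):
    """List problems in an unpacked CST tree; an empty list means none found.

    build_arch is the architecture the package is built for: the build host
    for a -native recipe, the target (AArch64 here) for a target recipe.
    """
    findings = []
    for tool in tools:
        # Assumption: every tool lives in linux64/bin/, as cst does in the log
        binary = Path(root) / "linux64" / "bin" / tool
        if not binary.is_file():
            findings.append(f"{tool}: missing at linux64/bin/{tool}")
            continue
        arch = elf_machine(binary)
        if arch != build_arch:
            findings.append(f"{tool}: {arch}, expected {build_arch}")
    return findings

def fake_elf(machine):
    """Constructed 20-byte ELF64 little-endian header stub (sample data)."""
    return b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack("<HH", 2, machine)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "linux64" / "bin"
        bindir.mkdir(parents=True)
        (bindir / "srktool").write_bytes(fake_elf(0x3E))
        for finding in check_cst_tree(tmp):
            print(finding)
```

Run against the real unpacked `cst-3.3.2` directory, `check_cst_tree(path)` corresponds to what the native recipe needs, and `check_cst_tree(path, build_arch="AArch64")` to what the target package QA compares against.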
Hi @pramodsmvdu ,
I hope you're doing great!
I recommend the following:
1. CST 3.2.1 (Code Signing Tool): https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW&appType=license
2. Inside the download for the CST, there's a User's Guide and a document for HABv4 (High Assurance Boot).
3. Application Note AN4581 - i.MX Secure Boot on HABv4 Supported Devices (https://www.nxp.com/webapp/Download?colCode=AN4581&location=null)
4. i.MX 8M Plus Security Reference Manual (https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=IMX8MPSRM&appType=moderated)
Let me know if this was of any help!
Best regards,
Hector.
Hi @pramodsmvdu .
I hope you're doing great! Unfortunately, this file can't be shared directly without an NDA and/or having it requested through a local FAE (distributor). Refer to Non-Disclosure Agreement FAQs | NXP Semiconductors for more information.
Best regards,
Hector.