Hello,
I want to set up secure boot on my customized i.MX8MP SoC using the Yocto Project. I am using the meta-secure-imx layer from DENX, which contains the uboot-hab-sign bbclass. I have inherited the class in my U-Boot bbappend recipe. I have also added CONFIG_HAB_IMX to my defconfig, and added the following for U-Boot:
# HAB Settings
HAB_ENABLE = "1"
HAB_DIR = "${BSPDIR}/cst-3.3.2"
SRKTAB = "${HAB_DIR}/crts/SRK_1_2_3_4_table.bin"
CSFK = "${HAB_DIR}/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
SIGN_CERT = "${HAB_DIR}/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
Using the CST-3.3.2 tool I have created all the keys. After I build U-Boot I get the following error:
bitbake u-boot-imx
Loading cache: 100% |##########################################################| Time: 0:00:01
Loaded 5137 entries from dependency cache.
Parsing recipes: 100% |########################################################| Time: 0:00:01
Parsing of 3526 .bb files complete (3525 cached, 1 parsed). 5138 targets, 557 skipped, 1 masked, 0 errors.
NOTE: Resolving any missing task queue dependencies
Build Configuration:
BB_VERSION = "1.48.0"
BUILD_SYS = "x86_64-linux"
NATIVELSBSTRING = "ubuntu-18.04"
TARGET_SYS = "aarch64-poky-linux"
MACHINE = "taswp500"
DISTRO = "fsl-imx-xwayland"
DISTRO_VERSION = "5.10-gatesgarth"
TUNE_FEATURES = "aarch64 armv8a crc cortexa53 crypto"
TARGET_FPU = ""
meta
meta-poky = "HEAD:943ef2fad8428f002850e3655a3312e13d0dcb2c"
meta-oe
meta-multimedia
meta-python = "HEAD:ac4ccd2fbbb599d75ca4051911fcbaca39dbe6d7"
meta-freescale = "HEAD:668ba2168b7574d7ef1af364f11025c7d16f02dc"
meta-freescale-3rdparty = "HEAD:b85d08a55cb833bfc4e8b5034ff804286c67620e"
meta-freescale-distro = "HEAD:11be3f01962df8436c5c7b0d61cd3dbd1b872905"
meta-tas = "HEAD:53ebf59b74cfd7618f0308e3e15a7c864f9748e8"
meta-bsp
meta-sdk
meta-ml = "HEAD:f26acd2ade40e1c075aa48f52927180056b440c4"
meta-nxp-demo-experience = "HEAD:67086a771dc58b53c6bb0c53ce1c718852753678"
meta-browser = "HEAD:ee3be3b5986a4aa0e73df2204a625ae1fe5df37e"
meta-rust = "HEAD:53bfa324891966a2daf5d36dc13d4a43725aebed"
meta-clang = "HEAD:61faae011fb95712064f2c58abe6293f0daeeab5"
meta-gnome
meta-networking
meta-filesystems = "HEAD:ac4ccd2fbbb599d75ca4051911fcbaca39dbe6d7"
meta-qt5 = "HEAD:8d5672cc6ca327576a814d35dfb5d59ab24043cb"
meta-python2 = "HEAD:c43c29e57f16af4e77441b201855321fbd546661"
meta-swupdate = "HEAD:744d6b96fc0290a7df9045e60c734c4924abfd4a"
meta-virtualization = "HEAD:9fe997733d9bad4ac24dfb41e91a0e06b9e82791"
meta-java = "HEAD:984f25b6deb5fe4acf82d51c04b2c1392a542723"
meta-se05x-tas = "HEAD:ac68b7b35d7136881912eb7a6b4d01d06e422acc"
meta-secure-imx = "dunfell:20d409a5e75758a8df7bb07e086a36377fbe16d9"
Initialising tasks: 100% |#####################################################| Time: 0:00:00
Sstate summary: Wanted 8 Found 0 Missed 8 Current 162 (0% match, 95% complete)
NOTE: Executing Tasks
ERROR: u-boot-imx-1_2020.04-r0 do_sign_uboot: Execution of '/media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280' failed with exit code 1:
+++ fdtget /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/git/taswp500_4g_boot_defconfig/u-boot.itb /images/atf load
Couldn't open blob from '/media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/git/taswp500_4g_boot_defconfig/u-boot.itb': No such file or directory
++ val=
WARNING: /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280:416 exit 1 from 'atf_loadaddr=$(fit_get_loadaddr ${bd}/u-boot.itb "atf")'
WARNING: Backtrace (BB generated script):
#1: get_atf_loadaddr, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 416
#2: set_variables, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 308
#3: sign_uboot_common, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 169
#4: do_sign_uboot, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 152
#5: main, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 601
Backtrace (metadata-relative locations):
#1: get_atf_loadaddr, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 71
#2: set_variables, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 109
#3: sign_uboot_common, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 542
#4: do_sign_uboot, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 561
ERROR: Logfile of failure stored in: /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/log.do_sign_uboot.8280
Log data follows:
| DEBUG: Executing shell function do_sign_uboot
| +++ fdtget /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/git/taswp500_4g_boot_defconfig/u-boot.itb /images/atf load
| Couldn't open blob from '/media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/git/taswp500_4g_boot_defconfig/u-boot.itb': No such file or directory
| ++ val=
| WARNING: /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280:416 exit 1 from 'atf_loadaddr=$(fit_get_loadaddr ${bd}/u-boot.itb "atf")'
| WARNING: Backtrace (BB generated script):
| #1: get_atf_loadaddr, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 416
| #2: set_variables, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 308
| #3: sign_uboot_common, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 169
| #4: do_sign_uboot, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 152
| #5: main, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 601
| ERROR: Execution of '/media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280' failed with exit code 1:
| +++ fdtget /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/git/taswp500_4g_boot_defconfig/u-boot.itb /images/atf load
| Couldn't open blob from '/media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/git/taswp500_4g_boot_defconfig/u-boot.itb': No such file or directory
| ++ val=
| WARNING: /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280:416 exit 1 from 'atf_loadaddr=$(fit_get_loadaddr ${bd}/u-boot.itb "atf")'
| WARNING: Backtrace (BB generated script):
| #1: get_atf_loadaddr, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 416
| #2: set_variables, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 308
| #3: sign_uboot_common, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 169
| #4: do_sign_uboot, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 152
| #5: main, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 601
|
| Backtrace (metadata-relative locations):
| #1: get_atf_loadaddr, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 71
| #2: set_variables, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 109
| #3: sign_uboot_common, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 542
| #4: do_sign_uboot, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 561
ERROR: Task (/media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-myir/meta-bsp/recipes-bsp/u-boot/u-boot-imx_2020.04.bb:do_sign_uboot) failed with exit code '1'
NOTE: Tasks Summary: Attempted 692 tasks of which 682 didn't need to be rerun and 1 failed.
NOTE: Writing buildhistory
NOTE: Writing buildhistory took: 3 seconds
Summary: 1 task failed:
/media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-myir/meta-bsp/recipes-bsp/u-boot/u-boot-imx_2020.04.bb:do_sign_uboot
Summary: There was 1 ERROR message shown, returning a non-zero exit code.
In short, the error is "u-boot.itb: No such file or directory". Can you help me solve this?
Hello @arrivederccimamasita ,
With your help I was able to overcome the invalid IVT structure error, but I still get "Secure boot disabled" and HAB events.
u-boot=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x34 0x45 0x33 0x18 0xc0 0x00
0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x13 0x50 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
0x00 0x0c 0x89 0x00 0x40 0x2c 0x89 0x00
0x00 0x00 0x79 0xe0 0x00 0x97 0x00 0x00
0x00 0x00 0xb1 0x50
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x34 0x45 0x33 0x18 0xc0 0x00
0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x13 0x50 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
0x00 0x0c 0x89 0x00 0x40 0x2c 0x89 0x00
0x00 0x00 0x79 0xe0 0x00 0x97 0x00 0x00
0x00 0x00 0xb1 0x50
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
u-boot=>
I have added these two options while building U-Boot:
CONFIG_SECURE_BOOT=y
CONFIG_IMX_HAB=y
Hello,
Adding to my previous posts, I have a detailed description of the events, produced using the HAB API doc. I have attached it to this reply.
I understand that the issue is an invalid signature and an invalid assertion, but I can't figure out how to solve it.
It simply says that the data block of length y starting at location x has an invalid signature.
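The event records dumped by hab_status above carry exactly the "location x, length y" information described here. The following decoder is an added example, not code from the thread or from any NXP or DENX tool: it parses the HAB4 event record format (tag 0xdb, 16-bit length, version byte, then STS/RSN/CTX/ENG and context data) and, for the signature failure, unpacks the failing Authenticate Data CSF command so each failure maps to a memory block. The HAB_ENG_CAAM (0x1d), HAB_PCL_CMS (0xc5) and HAB_ASSERT_BLOCK (0) values are assumed from the HAB4 API documentation; the other codes are the ones printed in the thread.

```python
import struct

# Codes printed by hab_status above; HAB_ENG_CAAM (0x1d) and HAB_PCL_CMS (0xc5)
# are assumed from the HAB4 API documentation, not taken from the thread.
STS = {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
RSN = {0x0C: "HAB_INV_ASSERTION", 0x18: "HAB_INV_SIGNATURE"}
CTX = {0xA0: "HAB_CTX_ASSERT", 0xC0: "HAB_CTX_COMMAND"}
ENG = {0x00: "HAB_ENG_ANY", 0x1D: "HAB_ENG_CAAM"}
PCL = {0xC5: "HAB_PCL_CMS"}

def parse_event(raw: bytes) -> dict:
    """Decode one HAB4 event: tag 0xdb, BE16 length, version, STS/RSN/CTX/ENG, data."""
    if raw[0] != 0xDB:
        raise ValueError("not a HAB event record (tag != 0xdb)")
    length = struct.unpack(">H", raw[1:3])[0]
    if length != len(raw):
        raise ValueError(f"record says {length} bytes, got {len(raw)}")
    sts, rsn, ctx, eng = raw[4:8]
    ev = {"sts": STS.get(sts, hex(sts)), "rsn": RSN.get(rsn, hex(rsn)),
          "ctx": CTX.get(ctx, hex(ctx)), "eng": ENG.get(eng, hex(eng))}
    body = raw[8:]
    if ctx == 0xA0:
        # Assertion data: type (0 = HAB_ASSERT_BLOCK, assumed), block address, block length.
        kind, addr, count = struct.unpack(">III", body[:12])
        ev["assert"] = {"type": kind, "addr": addr, "len": count}
    elif ctx == 0xC0 and body[0] == 0xCA:
        # The failing Authenticate Data CSF command: tag 0xca, BE16 len, flags, key index,
        # signature format, engine, cfg, BE32 signature offset, then (address, length) pairs.
        cmd_len = struct.unpack(">H", body[1:3])[0]
        key, fmt, ceng, _cfg = body[4:8]
        sig_off = struct.unpack(">I", body[8:12])[0]
        blocks = [struct.unpack(">II", body[i:i + 8]) for i in range(12, cmd_len, 8)]
        ev["command"] = {"key_index": key, "sig_format": PCL.get(fmt, hex(fmt)),
                         "engine": ENG.get(ceng, hex(ceng)), "sig_offset": sig_off,
                         "blocks": blocks}
    return ev

def describe(ev: dict) -> str:
    # One-line diagnosis naming the memory block each failure refers to.
    if "assert" in ev:
        a = ev["assert"]
        return f"{ev['rsn']}: block {a['addr']:#010x} len {a['len']:#x} was never authenticated"
    c = ev["command"]
    return f"{ev['rsn']}: signature (key {c['key_index']}) over {len(c['blocks'])} blocks failed"

# Event 1 and Event 3 exactly as dumped by hab_status in the thread above.
EVENT1 = bytes.fromhex("db001445330ca00000000000401fddc000000020")
EVENT3 = bytes.fromhex("db0034453318c000ca002c0002c51d0000001350401fcdc00000102040200000"
                       "000c8900402c8900000079e0009700000000b150")

if __name__ == "__main__":
    print("\n".join(describe(parse_event(r)) for r in (EVENT1, EVENT3)))
```

Event 3 decodes to a CMS signature with key index 2 over four blocks starting at 0x401fcdc0, which is the region the IMG key must have signed; events 1 and 2 are the assertions that fail because that signature did not verify.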
Hello @arrivederccimamasita,
Thank you for the update. Yes, I am trying out meta-variscite-hab now. I have built the image but get an error in the hab_auth_img step.
1. Do I have to authenticate manually? The linux-variscite bbappend recipe suggests so.
2. The final image I am generating does not include the signed image (Image + IVT + CSF); it just includes the Image. How do I include the signed image?
Hello @Harvey021,
I am facing a similar situation. The DENX meta-secure-imx layer expects that u-boot.its was created, but maybe your current version of the environment is using imx-mkimage for flash.bin generation. According to DENX, imx-mkimage is deprecated, so it doesn't handle your situation.
If you are only interested in U-Boot and kernel authentication, try meta-variscite-hab, which uses the task logs to get the ATF load address instead of using the .itb file. Continuing the trust chain to the rootfs is still a mystery for me; I have not finished implementing dm-verity in my validation process.
Hello @Harvey021 ,
I would like to know whether the FIT image for U-Boot and the kernel is the same or different. Do I need to sign my bootloader (in my case imx-boot-fspi.bin-flash_flexspi) as a separate FIT image, or is there one single FIT image including U-Boot + kernel + FDT?
I am a bit confused here.
You can refer to uboot-imx/doc/imx/habv4/guides/mx8m_secure_boot.txt at lf_v2022.04 (nxp-imx/uboot-imx on GitHub), where you can see the FIT image after SPL. There is no way provided to sign them together.
Best regards
Harvey
Hello,
Do you know how can I build u-boot.itb ?
We don't provide secure boot via the Yocto build. I would suggest posting the issue to DENX or trying professional support (Professional Engineering Services | NXP Semiconductors).
For the error, from my understanding, u-boot.itb was not built as required.
Best regards
Harvey