Signing Linux kernel (5.4.3-2.0.0) problem on iMX8QXP


1,596 Views
MistX
Contributor III

Hello!

I am having trouble signing Linux kernel images for iMX8QXP.

Image generation and signing pass without errors. I'm using the guide https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/ahab/guides/mx8_mx8x_secure_boot.t... to sign the Linux kernel image.

Tools:

uuu (Universal Update Utility) for nxp imx chips -- libuuu_1.4.139-0-g1a8f760

U-Boot built with AHAB support - U-Boot 2019.04mmv_14-07-2021 (Jul 14 2021 - 18:39:06 +0300) Kontron SMARC-sAMX8X   Release develop aarch64-linux-gnu-gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0 GNU ld (GNU Binutils for Ubuntu) 2.34 (uboot_samx8x-R13 - BSP)

https://source.codeaurora.org/external/imx/imx-mkimage (imx_5.4.3_2.0.0)

imx-scfw-porting-kit-1.4.0

imx-seco-3.7.5

https://source.codeaurora.org/external/imx/imx-atf.git (imx_5.4.3_2.0.0)

Code Signing Tool release version 3.2.0 (Ubuntu 20.04.2 repository package)

Linux kernel image - SMARC-sAMX8X_Yocto-BSP_R13/images.tar/images/Image (5.4.3-2.0.0+g1675c67c9170)

CSF:

[Header]
Target = AHAB
Version = 1.0

[Install SRK]
# SRK table generated by srktool
File = "../SRK_1_2_3_4_table.bin"
# Public key certificate in PEM format
Source = "../crts/SRK1_sha384_secp384r1_v3_ca_crt.der"
# Index of the public key certificate within the SRK table (0 .. 3)
Source index = 0
# Type of SRK set (NXP or OEM)
Source set = OEM
# bitmask of the revoked SRKs
Revocations = 0x0

[Install Certificate]
# Public key certificate in PEM or DER format
File = "../crts/SGK1_1_sha384_secp384r1_v3_usr_crt.der"
Permissions = 0x1

[Authenticate Data]
# Binary to be signed generated by mkimage
File = "flash.bin"
# Offsets = Container header Signature block (printed out by mkimage)
Offsets = 0x0 0x110

If I parse the resulting signed Image (mkimage_imx8 --soc=QX --parse=Image.signed), everything looks OK:

SOC: QX  
Input container binary to be parsed: Image.signed
CONTAINER FUSE VERSION: 0x00
CONTAINER SW VERSION:   0x0000

*********************************
*                               *
*          CONTAINER 1          *
*                               *
*********************************

       Length: 0X420 (1056)
          Tag: 0X87
      Version: 0
        Flags: 0X2
   Num images: 2
 Fuse version: 0
   SW version: 0
Sig blk offset: 0X110

IMAGE 1 (Bootloader)
Offset: 0X2000
Size: 0X1AE7400 (28210176)
Load Addr: 0X80280000
Entry Addr: 0X80280000
Flags: 0X143 (IMG TYPE: Executable | CORE ID: CORE_CA53 | HASH TYPE: SHA384 | ENCRYPTED: NO)
Metadata: 0X1355FC
Hash: 96fbf2e504d3a2ca3b1b887c2695029ba630c137ade7446bf94dcfdede27a1b87974751773c6635006a1cbcf1b67959c (SHA384)

IMAGE 2 (Data)
Offset: 0X1AE9400
Size: 0X17000 (94208)
Load Addr: 0X83000000
Entry Addr: 0
Flags: 0X144 (IMG TYPE: Data | CORE ID: CORE_CA53 | HASH TYPE: SHA384 | ENCRYPTED: NO)
Metadata: 0
Hash: 80701691b3a4457fd729b0d2d7db88600fff3d0eb1739c88660230fa2521d803240091ad2e299962678e0e8ddabd6764 (SHA384)

But when I try to check secure boot on an SD card with the signed kernel written to it, using

sudo ~/bin/uuu sd_flash.signed.bin

IN UBOOT:

=> run loadimage

=> auth_cntr ${loadaddr}

I'm getting an error:

Authenticate OS container at 0x80280000  
Error: Wrong container header

=> iminfo                

## Checking Image at 80280000 ...
Unknown image format!

AHAB:

=> ahab_status  
Lifecycle: 0x0020, NXP closed

sc_seco_get_event: idx: 0, res:3
No SECO Events Found!

What am I doing wrong?

0 Kudos
6 Replies

1,455 Views
Yuri
NXP Employee

@MistX 
Hello,

Also, please use app note AN12312: Secure Boot on i.MX 8 and i.MX 8X Families using AHAB

https://www.nxp.com/webapp/Download?colCode=AN12312

 

Regards,
Yuri.

0 Kudos

1,544 Views
Yuri
NXP Employee

@MistX 
Hello,

I've sent you some comments.

Regards,
Yuri.

0 Kudos

1,510 Views
MistX
Contributor III

Unfortunately, it does not help.

0 Kudos

1,576 Views
MistX
Contributor III

Are there any special uboot build options (not described in docs) for loading signed Linux images?

0 Kudos

1,579 Views
MistX
Contributor III

Ok, I have changed the SD-card, but it helped a little.

I can't boot or auth the signed Linux image.

=> run sdboot
Booting from SD card ...
Run CMD11 1.8V switch
switch to partitions #0, OK
mmc1 is current device
28082176 bytes read in 630 ms (42.5 MiB/s)
93947 bytes read in 12 ms (7.5 MiB/s)
Bad Linux ARM64 Image magic!

=> run loadimage
28082176 bytes read in 614 ms (43.6 MiB/s)
=> iminfo        

## Checking Image at 80280000 ...
Unknown image format!
=> auth_cntr ${loadaddr}
Authenticate OS container at 0x80280000  
"Synchronous Abort" handler, esr 0x96000147
elr: 0000000080021548 lr : 0000000080025d10 (reloc)
elr: 00000000ffe8b548 lr : 00000000ffe8fd10
x0 : 0000000000000000 x1 : 0000000000000040
x2 : 0000000000000040 x3 : 000000000000003f
x4 : 0000000081d35400 x5 : 0000000000000020
x6 : 00000000ffebc83c x7 : 00000000fd676690
x8 : 00000000fd676658 x9 : 0000000000000008
x10: 00000000ffffffd0 x11: 0000000000000010
x12: 0000000000000000 x13: 0000000000000200
x14: 0000000000000000 x15: 0000000000000020
x16: 00000000ffebc83c x17: 0000000000000000
x18: 00000000fd687d98 x19: 0000000080280010
x20: 00000000fff1a708 x21: 0000000080280000
x22: 0000000000000000 x23: 00000000fff0077f
x24: 0000000000000002 x25: 0000000000000000
x26: 0000000000000000 x27: 0000000000000000
x28: 00000000fd6b9330 x29: 00000000fd676630

Resetting CPU ...

### ERROR ### Please RESET the board ###
0 Kudos

1,588 Views
MistX
Contributor III

Also found that the Linux image actually does not load with the load command in U-Boot. Maybe a problem with the SD-card driver in U-Boot...

=> run loadimage                                                  
** fs_devread read error - block

SD Card - Samsung EVO Plus 64Gb

=> mmc info
Device: FSL_SDHC
Manufacturer ID: 1b
OEM: 534d
Name: EC1S5  
Bus Speed: 50000000
Mode : SD High Speed (50MHz)
Rd Block Len: 512
SD version 3.0
High Capacity: Yes
Capacity: 59.7 GiB
Bus Width: 4-bit
Erase Group Size: 512 Bytes

=> ext4ls mmc 1:1 /boot
<DIR>       4096 .
<DIR>       4096 ..
          93547 kontron-samx8x-dxp.dtb
       27935232 Image-5.4.3-2.0.0+gf0616714e7cf
<SYM>         12 Image
          93963 kontron-samx8x-qxp-m4.dtb
          93947 kontron-samx8x-qxp.dtb
          92535 kontron-samx8x-dx-m4.dtb
          93563 kontron-samx8x-dxp-m4.dtb
          92519 kontron-samx8x-dx.dtb
       28312576 Image.signed

0 Kudos
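
Added example, not part of the thread and not NXP's or U-Boot's code: a host-side check that a file starts with the container header fields shown in the mkimage parse output above, and that a U-Boot "bytes read" count covers every image the container lists. The header and image-entry layouts are assumptions taken from the i.MX8 container structs in imx-mkimage/U-Boot; the function names are hypothetical and the sample bytes are constructed from the values printed in the first post.

```python
import struct

# Layout assumed from the i.MX8 container structs in imx-mkimage / U-Boot.
HDR = struct.Struct("<BHBIHBBHH")     # version, length, tag, flags, sw_ver,
                                      # fuse_ver, num_images, sig_blk_off, rsvd
IMG = struct.Struct("<IIQQII64s32s")  # offset, size, load, entry, flags,
                                      # metadata, hash, iv
CONTAINER_TAG = 0x87                  # "Tag: 0X87" in the parse output
ARM64_MAGIC = b"ARM\x64"              # raw arm64 Image magic at offset 56

def parse_container(blob):
    """Return container fields, or raise ValueError if blob is not one."""
    if len(blob) < HDR.size:
        raise ValueError("short read: no container header")
    ver, length, tag, flags, _, _, n, sig_off, _ = HDR.unpack_from(blob, 0)
    if tag != CONTAINER_TAG or ver != 0:
        kind = "raw arm64 Image" if blob[56:60] == ARM64_MAGIC else "unknown"
        raise ValueError(f"no container header (tag={tag:#x}, data is {kind})")
    table_end = HDR.size + n * IMG.size
    if not (table_end <= sig_off < length <= len(blob)):
        raise ValueError("image table, signature block and length disagree")
    images = []
    for i in range(n):
        off, size, load, *_ = IMG.unpack_from(blob, HDR.size + i * IMG.size)
        images.append({"offset": off, "size": size, "load": load})
    return {"length": length, "sig_blk_offset": sig_off, "images": images}

def required_size(container):
    """Smallest file size that holds the header and every image."""
    ends = [i["offset"] + i["size"] for i in container["images"]]
    return max([container["length"]] + ends)

def check_loaded(blob, bytes_read):
    """(ok, needed): does a U-Boot 'bytes read' count cover the container?"""
    needed = required_size(parse_container(blob))
    return bytes_read >= needed, needed

def sample_header():
    """Constructed sample built from the parse output (hashes zeroed)."""
    z64, z32 = bytes(64), bytes(32)
    hdr = HDR.pack(0, 0x420, CONTAINER_TAG, 0x2, 0, 0, 2, 0x110, 0)
    img1 = IMG.pack(0x2000, 0x1AE7400, 0x80280000, 0x80280000,
                    0x143, 0x1355FC, z64, z32)
    img2 = IMG.pack(0x1AE9400, 0x17000, 0x83000000, 0, 0x144, 0, z64, z32)
    return (hdr + img1 + img2).ljust(0x420, b"\0")

if __name__ == "__main__":
    print(check_loaded(sample_header(), 28082176))
```

For the container parsed in the first post, `required_size` gives 28312576 bytes, the size of Image.signed in the ext4ls listing.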