Hello!
I have trouble with signing Linux kernel images for iMX8QXP.
Image generation and signing pass without errors. I'm using this guide to sign the Linux kernel image: https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/ahab/guides/mx8_mx8x_secure_boot.t...
Tools:
uuu (Universal Update Utility) for nxp imx chips -- libuuu_1.4.139-0-g1a8f760
U-Boot built with AHAB support - U-Boot 2019.04mmv_14-07-2021 (Jul 14 2021 - 18:39:06 +0300) Kontron SMARC-sAMX8X Release develop aarch64-linux-gnu-gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0 GNU ld (GNU Binutils for Ubuntu) 2.34 (uboot_samx8x-R13 - BSP)
https://source.codeaurora.org/external/imx/imx-mkimage (imx_5.4.3_2.0.0)
imx-scfw-porting-kit-1.4.0
imx-seco-3.7.5
https://source.codeaurora.org/external/imx/imx-atf.git (imx_5.4.3_2.0.0)
Code Signing Tool release version 3.2.0 (Ubuntu 20.04.2 repository package)
Linux kernel image - SMARC-sAMX8X_Yocto-BSP_R13/images.tar/images/Image (5.4.3-2.0.0+g1675c67c9170)
CSF:
[Header]
Target = AHAB
Version = 1.0
[Install SRK]
# SRK table generated by srktool
File = "../SRK_1_2_3_4_table.bin"
# Public key certificate in PEM format
Source = "../crts/SRK1_sha384_secp384r1_v3_ca_crt.der"
# Index of the public key certificate within the SRK table (0 .. 3)
Source index = 0
# Type of SRK set (NXP or OEM)
Source set = OEM
# bitmask of the revoked SRKs
Revocations = 0x0
[Install Certificate]
# Public key certificate in PEM or DER format
File = "../crts/SGK1_1_sha384_secp384r1_v3_usr_crt.der"
Permissions = 0x1
[Authenticate Data]
# Binary to be signed generated by mkimage
File = "flash.bin"
# Offsets = Container header Signature block (printed out by mkimage)
Offsets = 0x0 0x110
If I parse the resulting signed Image (mkimage_imx8 --soc=QX --parse=Image.signed), everything looks OK:
But when I try to check secure boot on the SD card with the signed kernel written to it, using
sudo ~/bin/uuu sd_flash.signed.bin
IN UBOOT:
=> run loadimage
=> auth_cntr ${loadaddr}
I'm getting an error:
Authenticate OS container at 0x80280000
Error: Wrong container header
AHAB:
What am I doing wrong?
@MistX
Hello,
also, please use app note AN12312: Secure Boot on i.MX 8 and i.MX 8X Families using AHAB
https://www.nxp.com/webapp/Download?colCode=AN12312
Regards,
Yuri.
Unfortunately, it does not help.
Are there any special uboot build options (not described in docs) for loading signed Linux images?
Ok, I have changed the SD-card, but it helped a little.
I can't boot or auth the signed Linux image.
I also found that the Linux image actually does not load with the load command in U-Boot. Maybe there is a problem with the SD-card driver in U-Boot...
=> run loadimage
** fs_devread read error - block
SD Card - Samsung EVO Plus 64Gb
=> mmc info
Device: FSL_SDHC
Manufacturer ID: 1b
OEM: 534d
Name: EC1S5
Bus Speed: 50000000
Mode : SD High Speed (50MHz)
Rd Block Len: 512
SD version 3.0
High Capacity: Yes
Capacity: 59.7 GiB
Bus Width: 4-bit
Erase Group Size: 512 Bytes
=> ext4ls mmc 1:1 /boot
<DIR> 4096 .
<DIR> 4096 ..
93547 kontron-samx8x-dxp.dtb
27935232 Image-5.4.3-2.0.0+gf0616714e7cf
<SYM> 12 Image
93963 kontron-samx8x-qxp-m4.dtb
93947 kontron-samx8x-qxp.dtb
92535 kontron-samx8x-dx-m4.dtb
93563 kontron-samx8x-dxp-m4.dtb
92519 kontron-samx8x-dx.dtb
28312576 Image.signed
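
Added example (not part of any post in this thread, and not NXP or U-Boot code): a host-side check of the first bytes of Image.signed, or of a memory dump taken at ${loadaddr}, for the AHAB container header that auth_cntr reported as wrong. The 16-byte header layout, the tags 0x87 and 0x90, and the arm64 Image magic at offset 56 are assumptions based on the public i.MX 8 container format and the arm64 boot protocol; the function names and sample bytes are constructed.

```python
import struct
import sys

CONTAINER_TAG = 0x87    # assumed AHAB container header tag
SIGBLK_TAG = 0x90       # assumed AHAB signature block tag
# version, length, tag, flags, sw_version, fuse_version, num_images, sig_blk_offset, reserved
HDR_FMT = "<BHBIHBBHH"
HDR_LEN = struct.calcsize(HDR_FMT)  # 16 bytes
NAMES = ("version", "length", "tag", "flags", "sw_version",
         "fuse_version", "num_images", "sig_blk_offset", "reserved")


def inspect_container(data, expected_sig_offset=None):
    """Return (fields, problems) for the bytes at the start of an OS container."""
    if len(data) < HDR_LEN:
        return {}, ["only %d bytes available, need %d" % (len(data), HDR_LEN)]
    fields = dict(zip(NAMES, struct.unpack_from(HDR_FMT, data)))
    problems = []
    if fields["tag"] != CONTAINER_TAG or fields["version"] != 0:
        problems.append("no container header (tag=0x%02x version=%d)"
                        % (fields["tag"], fields["version"]))
        if data[56:60] == b"ARM\x64":
            # arm64 Image magic: the unsigned kernel was loaded, not the container
            problems.append("looks like a raw arm64 kernel Image")
        elif not any(data[:HDR_LEN]):
            # typical after a failed load: nothing was written at the address
            problems.append("header is all zeros, nothing was loaded here")
        return fields, problems
    off = fields["sig_blk_offset"]
    if expected_sig_offset is not None and off != expected_sig_offset:
        problems.append("signature block at 0x%x, CSF Offsets says 0x%x"
                        % (off, expected_sig_offset))
    if off + 4 > len(data) or data[off + 3] != SIGBLK_TAG:
        problems.append("no signature block tag 0x90 at 0x%x" % off)
    return fields, problems


def constructed_signed_container():
    # Constructed sample: 2 images, signature block at 0x110 as in the CSF above.
    hdr = struct.pack(HDR_FMT, 0, 0x310, CONTAINER_TAG, 0, 0, 0, 2, 0x110, 0)
    sigblk = struct.pack("<BHB", 0, 0x200, SIGBLK_TAG)
    return hdr.ljust(0x110, b"\0") + sigblk.ljust(0x200, b"\0")


if __name__ == "__main__":
    blob = (open(sys.argv[1], "rb").read(0x400) if len(sys.argv) > 1
            else constructed_signed_container())
    fields, problems = inspect_container(blob, expected_sig_offset=0x110)
    print(fields)
    print("\n".join(problems) or "container header and signature block look sane")
```

Run it with the path to Image.signed as the only argument; without an argument it checks the constructed sample.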