U-boot CAAM Secure Boot issue


629 Views
lockit282
Contributor III

Secure boot on IMX8mm. I have successfully followed the Android security manual and I have HAB4 and AVB (Android Verified Boot) working on the EVK board (IMX8mm mini). I have now ported to our custom board and I am getting an initial failure on the CAAM. I believe it may have something to do with the clocks, as I hesitated to upgrade them. The issue is I am not exactly able to see in the code where this function is (I think it may be one of the binaries). Question: what change do I need to make to get this to initialize correctly? Log below -- initial error in bold:

Authenticate image from DDR location 0x401fcdc0...

welcome to lk/MP

boot args 0x2000000 0xbe000000 0x2000 0x0
generic_arm64_map_regs: failed -5 name=gic
initializing trusty (Built: 09:53:15 Aug 6 2019)
Initializing Trusted OS SMC handler
avb: 285: Initializing AVB App
int rebuild_hset_all(struct uctx *):250: Rebuilding all handles set
hwcrypto: 222: Initializing
caam_drv: 315: job failed (0x2000055b)
hwrng_caam: 44: Init HWRNG service provide

Thanks in advance

6 Replies

401 Views
jamesbone
NXP TechSupport

Have you tried testing if all the memory blocks are working correctly? Since it is a custom board, maybe something related to the HW is the problem, since it seems that you followed the steps on the EVK board.

0 Kudos

401 Views
lockit282
Contributor III

Turns out it was not a HW issue -- I needed a few more updates on the Linux kernel.

0 Kudos

401 Views
lockit282
Contributor III

Thank you for your response -- my problems mostly are getting the bootloader running -- as it does on the imx8mini. I believe I have made all the code changes necessary, but it is obvious I am missing something. The first is the boot from our custom board with the failures highlighted and the 2nd is the EVK mini running properly. I would appreciate if you could potentially point me to the code where the issue may be. I am thinking it could be the board initialization from the CAAM:

Custom Board -- fails

boot args 0x2000000 0xbe000000 0x2000 0x0
generic_arm64_map_regs: failed -5 name=gic
initializing trusty (Built: 09:53:15 Aug 6 2019)
Initializing Trusted OS SMC handler
avb: 285: Initializing AVB App
int rebuild_hset_all(struct uctx *):250: Rebuilding all handles set
hwcrypto: 222: Initializing
caam_drv: 315: job failed (0x2000055b)
hwrng_caam: 44: Init HWRNG service provider
hwrng_srv: 256: Start HWRNG service
int rebuild_hset_all(struct uctx *):250: Rebuilding all handles set
hwcrypto_caam: 85: Init HWCRYPTO service provider
hwcrypto_srv: 360: Start HWCRYPTO service
hwkey_caam: 213: Init HWKEY service provider
hwkey_caam: 182: Invalid magic
hwkey_srv: 351: Start HWKEY service
hwcrypto: 237: enter main event loop
int rebuild_hset_all(struct uctx *):250: Rebuilding all handles set
trusty_gatekeeper: 291: Initializing
int rebuild_hset_all(struct uctx *):250: Rebuilding all handles set
int rebuild_hset_all(struct uctx *):250: Rebuilding all handles set



EVK Mini -- (Runs Perfectly) -- boots kernel

boot args 0x2000000 0xbe000000 0x2000 0x0
generic_arm64_map_regs: failed -5 name=gic
initializing trusty (Built: 09:53:15 Aug 6 2019)
Initializing Trusted OS SMC handler
avb: 285: Initializing AVB App
int rebuild_hset_all(struct uctx *):250: Rebuilding all handles set
hwcrypto: 222: Initializing
hwrng_caam: 44: Init HWRNG service provider
hwrng_srv: 256: Start HWRNG service
int rebuild_hset_all(struct uctx *):250: Rebuilding all handles set
hwcrypto_caam: 85: Init HWCRYPTO service provider
hwcrypto_srv: 360: Start HWCRYPTO service
hwkey_caam: 213: Init HWKEY service provider
hwkey_srv: 351: Start HWKEY service
hwcrypto: 237: enter main event loop
int rebuild_hset_all(struct uctx *):250: Rebuilding all handles set
trusty_gatekeeper: 291: Initializing
int rebuild_hset_all(struct uctx *):250: Rebuilding all handles set
int rebuild_hset_all(struct uctx *):250: Rebuilding all handles set


U-Boot 2018.03-00001-g547dbe8632-dirty (Mar 04 2020 - 07:14:36 -0800)

CPU: Freescale i.MX8MMQ rev1.0 1800 MHz (running at 1200 MHz)
CPU: Commercial temperature grade (0C to 95C) at 26C
Reset cause: POR
Model: FSL i.MX8MM EVK board
DRAM: 2 GiB
TCPC: Vendor ID [0x1fc9], Product ID [0x5110], Addr [I2C1 0x52]
SNK.Power3.0 on CC2
PDO 0: type 0, 5000 mV, 3000 mA [E]
PDO 1: type 0, 9000 mV, 3000 mA []
PDO 2: type 0, 15000 mV, 3000 mA []
PDO 3: type 0, 20000 mV, 2250 mA []
Requesting PDO 0: 5000 mV, 3000 mA
Source accept request
PD source ready!
tcpc_pd_receive_message: Polling ALERT register, TCPC_ALERT_RX_STATUS bit failed, ret = -62
Power supply on USB2
TCPC: Vendor ID [0x1fc9], Product ID [0x5110], Addr [I2C1 0x50]
MMC: FSL_SDHC: 0, FSL_SDHC: 1
Loading Environment from MMC... *** Warning - bad CRC, using default environment

Failed (-5)
In: serial
Out: serial
Err: serial

BuildInfo:
- ATF b8bc8a4
- U-Boot 2018.03-00001-g547dbe8632-dirty

flash target is MMC:1
Net:
Warning: ethernet@30be0000 using MAC address from ROM
eth0: ethernet@30be0000
libtipc.c: INFO Initializing Trusty device
trusty_dev.c: INFO selected trusty api version: 3 (requested 3)
libtipc.c: INFO Initializing Trusty IPC device
libtipc.c: INFO Initializing RPMB storage proxy service
int fs_init_from_super(struct fs *, const struct super_block *, _Bool):316: loaded super block version 0
libtipc.c: INFO Initializing Trusty AVB client
libtipc.c: INFO Initializing Trusty Keymaster client
libtipc.c: INFO Initializing Trusty Hardware Crypto client
Fastboot: Normal
Normal Boot
Hit any key to stop autoboot: 0
verify OK, boot 'boot_a'
WRW AVB partition name dtbo
loading anroid kernel
wrw img Kernel load addr 0x40480000 size 31129 KiB
kernel @ 40480000 (31875584)
ramdisk @ 43600000 (7488081)
fdt @ 43400000 (45820)
## Flattened Device Tree blob at 43400000
Booting using the fdt blob at 0x43400000
Using Device Tree in place at 0000000043400000, end 000000004340e2fb

Starting kernel ...

[ 0.000000] Booting Linux on physical CPU 0x0

0 Kudos
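
Added example, not part of any post in this thread and not NXP or Trusty code: it diffs the failing Trusty log against the working EVK log from the post above and decodes the job status word that `caam_drv` reports. The bit-field layout and name tables follow the Linux kernel CAAM driver's job-status decoding and are assumed to apply to the value Trusty prints; the function names are hypothetical and the log excerpts are copied from the post.

```python
import re

# Tables as used by the Linux CAAM driver for CCB-source errors (assumed to
# apply to the status word printed by the Trusty caam_drv).
CHA = ["", "AES", "DES", "ARC4", "MDHA", "RNG", "SNOW f8", "Kasumi f8/f9",
       "PKHA", "CRCA", "SNOW f9", "ZUCE", "ZUCA"]
ERR = ["No error", "Mode error", "Data size error", "Key size error",
       "PKHA A memory size error", "PKHA B memory size error",
       "Data arrived out of sequence error", "PKHA divide-by-zero error",
       "PKHA modulus even error", "DES key parity error", "ICV check failed",
       "Hardware error", "Unsupported CCM AAD size", "Class 1 CHA is not reset",
       "Invalid CHA combination was selected", "Invalid CHA selected"]
RNG_ERR = {3: "Instantiate", 4: "Not instantiated", 5: "Test instantiate",
           6: "Prediction resistance", 8: "Uninstantiate",
           7: "Prediction resistance and test request", 9: "Secure key generation"}

def decode_caam_status(status):
    """Split a 32-bit CAAM job status word into its CCB error fields."""
    if status >> 28 != 0x2:                      # only the CCB source is decoded here
        return {"source": "non-CCB (not decoded here)"}
    cha_id, err_id = (status >> 4) & 0xF, status & 0xF
    cha = CHA[cha_id] if cha_id < len(CHA) else "unknown"
    rng_specific = RNG_ERR.get(err_id) if cha == "RNG" else None
    return {"source": "CCB", "jump": bool(status & 0x08000000),
            "desc_index": (status >> 8) & 0xFF, "cha": cha,
            "error": rng_specific or ERR[err_id]}

def triage(bad_log, good_log):
    """Return (line, decoded status or None) for lines only the failing boot has."""
    good = {l.strip() for l in good_log.splitlines()}
    findings = []
    for line in (l.strip() for l in bad_log.splitlines()):
        if line and line not in good:
            m = re.search(r"job failed \((0x[0-9a-fA-F]+)\)", line)
            findings.append((line, decode_caam_status(int(m.group(1), 16)) if m else None))
    return findings

# Excerpts copied from the two logs in the post above.
GOOD = """hwcrypto: 222: Initializing
hwrng_caam: 44: Init HWRNG service provider
hwkey_caam: 213: Init HWKEY service provider
hwkey_srv: 351: Start HWKEY service"""
BAD = """hwcrypto: 222: Initializing
caam_drv: 315: job failed (0x2000055b)
hwrng_caam: 44: Init HWRNG service provider
hwkey_caam: 213: Init HWKEY service provider
hwkey_caam: 182: Invalid magic
hwkey_srv: 351: Start HWKEY service"""

if __name__ == "__main__":
    for line, decoded in triage(BAD, GOOD):
        print(line, "->", decoded)
```
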

121 Views
rob_mclean
Contributor III

I know it has been a long time since you posted this question. 

Did you figure out your problem with the CAAM driver in the Trusty OS?  If so what was the solution?

0 Kudos

401 Views
lockit282
Contributor III

Well, I have gotten a bit further - and it looks like I still have a few errors. I am wondering if there is anyone monitoring this forum -- as any help would be greatly appreciated. I am confused by this section of the manual, and as an aside it should be grammatically and syntactically corrected so that it is clear. From the Android Security manual:

"3.4.3 Trusty OS Linux driver configuration

The Trusty OS supports to output the logs to UART or TIPC log channel. The Trusty OS Linux driver supports to carry the logs from the Trusty OS by TIPC channel. By default, this feature is enabled in the reference image.

In the Trusty OS Linux driver trusty-log, when it is enabled, the Trusty OS shuts down the UART output log port. The UART driver in the Trusty OS outputs characters synchronously and it costs much IO time.

The trusty-log driver is configured in the device tree as follows:

trusty-log {
    compatible = "android,trusty-log-v1";
};"

From what I am interpreting, and from what I am seeing on the debug port, Trusty forces the output to a synchronous serial port. Therefore, do I need to insert the above into my device tree, and additionally do I need to add CONFIG_CONSOLE_TTY_BASE

trusty/hardware/nxp/target/$SOC_NAME/rules.mk -- this does not exist -- where is it located in the current Android source tree?

Thanks in advance

401 Views
chenguoyin
NXP Employee

The Trusty code uses another manifest to download. It is not included in the default Android code. Please refer to the user guide doc to download the Trusty OS code.

0 Kudos