FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

U-boot FIT image verification failed when HAB is enabled

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

U-boot FIT image verification failed when HAB is enabled

‎11-28-2021 08:45 PM
3,874 Views
robertliu
Contributor I

Hi,

I enabled the HAB (CONFIG_IMX_HAB) and FIT image verification in u-boot. It also has CAAM related options and "CONFIG_RSA_FREESCALE_EXP" enabled automatically. However,  u-boot failed to verify my signed FIT image. I also forced the FIT image verification to use "mod_exp_sw" and it worked well.

The error message was "fsl_mod_exp: RSA failed to verify: -1". It seems the error was happened in "drivers/crypto/fsl/jr.c: run_descriptor_jr_idx()" when it was calling "jr_dequeue()".

Is there anything I can verify the CAAM and fsl_rsa_mod are working on my device?

My environment:
- i.mx8m mini
- atf + op-tee enabled
- u-boot is the upstream v2021.07 version from the hardware vendor
- sha256 and rsa204 are used for FIT image signatures.

Thank you

Labels (1)
0 Kudos
Reply
4 Replies

‎11-30-2021 12:08 AM
3,849 Views
robertliu
Contributor I

Hi @Yuri 

The post you provided is not the same as my issue. U-boot did load the kernel FIT image successfully. The verification was failed in CAAM (fsl_mod_exp() of u-boot).

So I was wondering if it's possible to test CAAM in u-boot, or if there's any document showing how to access CAAM.

Thanks,

0 Kudos
Reply

‎04-10-2024 05:05 AM
2,958 Views
Bayou
Contributor II

Well, for anybody stumbling on this thread:

In U-Boot 2020.04 I had the problem the FIT image verification with iminfo was OK, but bootm did not find the signature. I do not want to use the HAB certificates, but instead only rely on FIT signature.

I've enabled CONFIG_SPL_RSA and CONFIG_RSA_SOFTWARE_EXP and patched lib/rsa/rsa-verify.c:rsa_verify_key to move back to software checking as such:

ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
printf("%s: error rsa_mod_exp\n", __func__);
if (ret) {
        printf("%s: attempting rsa_mod_exp_sw instead \n", __func__);
        ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
}

 

This seems to work.

0 Kudos
Reply

‎12-22-2021 12:01 AM
3,804 Views
Yuri
NXP Employee
NXP Employee

@robertliu 
Hello,

   I am afraid we do not have special CAAM tests in U-boot.

Regards,
Yuri.

 

0 Kudos
Reply

‎11-29-2021 10:16 PM
3,861 Views
Yuri
NXP Employee
NXP Employee

@robertliu 
Hello,

   the following may be helpful:

https://community.nxp.com/t5/i-MX-Processors/Is-there-a-way-to-sign-a-FIT-image-as-a-whole-for-HAB/m...

 

Regards,
Yuri.

 

0 Kudos
Reply