how to create IVT_boot_data.bin for i.MX 8MP


244 views
radish_luo
Contributor I

I tried to check the image signature in development mode in the U-Boot environment.

We used the following commands to do it:

 

usb start

fatls usb 0:1

 

fatload usb 0:1 0x80000000 signed-Image_pad_ivt.bin

fatload usb 0:1 0x81000000 SRK_1_2_3_4_table.bin

hab_auth_img 0x80000000 33557548

 

The output was:

Invalid IVT Structure.

 

 

To create the image we used Yocto with the following procedure.

We downloaded IMX_CST_TOOL_NEW.tgz and, after compiling it, we executed these commands:

 

cd /home/test/cst

cd keys

./hab4_pki_tree.sh

no

rsa

2048

5

4

yes

 

 

cd ../crts

 

../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_2048_65537_v3_ca_crt.pem,./SRK2_sha256_2048_65537_v3_ca_crt.pem,./SRK3_sha256_2048_65537_v3_ca_crt.pem,./SRK4_sha256_2048_65537_v3_ca_crt.pem -f 1


Then we started to create the image using Yocto:

mkdir ~/bin

curl http://commondatastorage.googleapis.com/git-repo-downloads/repo  > ~/bin/repo

chmod a+x ~/bin/repo

PATH=${PATH}:~/bin

 

mkdir <folder_name>

cd <folder_name>

repo init -u https://github.com/nxp-imx/imx-manifest -b imx-linux-mickledore -m imx-6.1.55-2.2.0_security-reference-design.xml

repo sync

 

DISTRO=fsl-imx-xwayland MACHINE=imx8mpevk source imx-setup-release.sh -b <name>

bitbake-layers add-layer ../sources/meta-nxp-security-reference-design/meta-secure-boot

Add CST in CST_PATH in local.conf.

echo "CST_PATH = \"/home/test/cst\"" >> conf/local.conf

bitbake imx-image-multimedia-secure-boot

bitbake imx-boot-signature

bitbake linux-imx-signature

 

I had expected to get a signed image, and I got one.


Then we started to load the images to the board using the serial download port, and it was successful.

But we tried to check the signed image in development mode and we got the error I mentioned.

Document AN4581 explains how to generate srk_fuse and srk_table. However, it talks about creating the CSF description file but it doesn't explain how to create IVT.bin.

I didn't find anything about it in the i.MX Porting Guide, the i.MX Linux User's Guide, IMX8MPSRM or other documents, including AN12056 and AN12263. By the way, these documents explain DEK_blob and hab_rvt, which, as I have found, are old; also, commands like hab_rvt.authenticate_image and hab_rvt.entry() don't exist anymore.

In conclusion, I need to know how to create IVT_boot_data.bin, how to do padding for the image, and how to sign an image… Better said, the complete steps to create the chain of trust and check it before burning the eFuse.

Thanks

1 reply

210 views
Harvey021
NXP TechSupport

Without burning the SRK hash, you will not get complete authentication; for example, it will not be able to authenticate the SRK table against the fuses, but the target will still authenticate an image that was signed by automation against the keys.

Regards

Harvey
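
For readers hitting the same "Invalid IVT Structure." message, here is an added example (not code from either poster, NXP or U-Boot) that builds a 32-byte HABv4 IVT for a padded image and sanity-checks one at a given offset. The function names, the image | IVT | CSF layout, version 0x41, the set of checks and the sample sizes are assumptions of this example; the load address 0x80000000 is the one used in the fatload command above.

```python
import struct

IVT_TAG, IVT_LEN = 0xD1, 0x20   # HABv4 IVT: tag byte, total length (32 bytes)

def build_ivt(load_addr, padded_size, version=0x41):
    """IVT for an image loaded at load_addr and padded to padded_size.
    Layout assumed here: image | IVT | CSF, so the IVT sits at the pad boundary."""
    self_ptr = load_addr + padded_size
    header = struct.pack(">BHB", IVT_TAG, IVT_LEN, version)  # length is big-endian
    # entry, reserved1, dcd, boot_data, self, csf, reserved2 (little-endian u32)
    body = struct.pack("<7I", load_addr, 0, 0, 0, self_ptr, self_ptr + IVT_LEN, 0)
    return header + body

def check_ivt(image, ivt_offset, load_addr):
    """Return a list of problems; an empty list means the IVT is well-formed."""
    raw = image[ivt_offset:ivt_offset + IVT_LEN]
    if len(raw) < IVT_LEN:
        return ["IVT offset lies outside the image"]
    tag, length, version = struct.unpack(">BHB", raw[:4])
    entry, rsvd1, _dcd, _boot, self_ptr, csf, rsvd2 = struct.unpack("<7I", raw[4:])
    problems = []
    if tag != IVT_TAG:
        problems.append(f"bad tag 0x{tag:02x}")
    if length != IVT_LEN:
        problems.append(f"bad length 0x{length:04x}")
    if version & 0xF0 != 0x40:
        problems.append(f"bad version 0x{version:02x}")
    if entry == 0:
        problems.append("entry pointer is zero")
    if rsvd1 or rsvd2:
        problems.append("reserved fields are not zero")
    # The self pointer must equal the address the IVT actually occupies in RAM.
    if self_ptr != (load_addr + ivt_offset) & 0xFFFFFFFF:
        problems.append(f"self pointer 0x{self_ptr:08x} != load address + offset")
    if csf == 0:
        problems.append("CSF pointer is zero")
    return problems

# Constructed sample: 0x2000 bytes standing in for a padded kernel image.
LOAD_ADDR, PAD_SIZE = 0x80000000, 0x2000
SAMPLE = b"\x7fIMG" + bytes(PAD_SIZE - 4) + build_ivt(LOAD_ADDR, PAD_SIZE)

if __name__ == "__main__":
    print(check_ivt(SAMPLE, PAD_SIZE, LOAD_ADDR))    # IVT at the pad boundary
    print(check_ivt(SAMPLE, 0, LOAD_ADDR))           # offset points at image data
    print(check_ivt(SAMPLE, PAD_SIZE, 0x40480000))   # loaded at a different address
```

The second and third calls show that an IVT is only valid for the offset and load address it was generated for, so the address passed to fatload has to match the one baked into the IVT's self pointer.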
