FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

i.MX7D failed to boot from encrypted u-boot image

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

i.MX7D failed to boot from encrypted u-boot image

‎04-24-2019 02:31 AM
1,736 Views
bobbychen197805
Contributor II

I've follow the document AN4581/AN12056 try to build a encrypted and signed u-boot image for i.MX7D board.

The signed image (AN4581) is completed and work fine, but encrypted image (AN12056) don't work.

The device is closed by program SEC_CONFIG[1] fuse and can boot form a correct signed image, next I try to build a encrypted and signed u-boot image by follow the procedure in document AN12056 but failed.

The image can't boot device, and console print nothing.

The detailed steps as follow:

  1. Done the procedure in AN4581 and boot the device with signed u-boot.
  2. Compile the CST to enable the encrypting feature.
  3. Modify file "csf_u-boot_enc.txt" and "csf_u-boot_sign_enc.txt".
  4. Encrypt the U-Boot image.
    • $ ./cst_encrypted -i csf_u-boot_enc.txt -o csf_u-boot_enc.bin
  5. Sign the encrypted U-Boot image.
    • $ ./cst_encrypted -i csf_u-boot_sign_enc.txt -o csf_u-boot_sign_enc.bin
  6. Swap Nonce/MAC from csf_u-boot_enc.bin to csf_u-boot_sign_enc.bin.
    • $ dd if=csf_u-boot_enc.bin of=noncemac.bin bs=1 skip=3936 count=36
    • $ dd if=noncemac.bin of=csf_u-boot_sign_enc.bin bs=1 seek=3936 count=36
  7. Generate encryptedu-boot with no dek.
    • $ objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0xff csf_u-boot_sign_enc.bin csf_u-boot_sign_enc.bin.pad
    • $ cat u-boot-dtb.imx-enc csf_u-boot_sign_enc.bin.pad > u-boot_encrypted_no_dek.bin
    • $ objcopy -I binary -O binary --pad-to 0x95c00 --gap-fill=0x00 u-boot_encrypted_no_dek.bin u-boot_encrypted_no_dek_padded.bin
  8. Generate the DEK Blob.
    • $ cp dek.bin /mnt/mmc
    • boot device by sd card and into u-boot CLI.
    • => fatload mmc 0 0x80800000 dek.bin; dek_blob 0x80800000 0x80801000 128; fatwrite mmc 0 0x80801000 dek_blob.bin 0x48
  9. Finalize the encrypted U-Boot image.
    • $ cp /mnt/mmc/dek_blob.bin ./
    • cat u-boot_encrypted_no_dek_padded.bin dek_blob.bin > u-boot_encrypted.bin
    • sudo dd if=u-boot_encrypted.bin of=/dev/sdc bs=512 seek=2 conv=fsync
  10. Boot device and nothing show on console.

I have no idea about how to debug it due to I can't to trace ROM code or download the HAB log. Any suggestion?

Labels (2)
Labels
encrypted_uboot.zip
Reply
2 Replies

‎04-25-2019 01:28 AM
1,551 Views
Yuri
NXP Employee
NXP Employee

Hello,

 

  Please double check if U-boot configuration meets section 4.2 (Requirements)

of app note AN12056.

 


Have a great day,
Yuri

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply

‎04-25-2019 02:21 AM
1,551 Views
bobbychen197805
Contributor II

Hi Yuri, I think the problem has be solved by update source code to version "imx_v2018.03_4.14.98_2.0.0_ga". Thanks for your reply.

Reply