i.MX8 X OS container encryption issue

Joomar
Contributor II

I prepared an os_cntr_signed.bin that boots well.

3 elements are embedded in this container: dtb/linux/rootfs

After encrypting it with cst-3.3.2, the os_cntr_signed.bin cannot boot.

AHAB indicates "Error: authenticate img 2 failed, return -5". SECO Event is 0x0088A929 => A9 Unknown Indicator

Encryption seems ok for img0 and img1 but not for img 2 (rootfs).

In the CST process [Install Secret Key] Image Indexes = 0xFFFFFFFF

Is there a restriction with rootfs?

 

1 Solution
Joomar
Contributor II

Hi Hector,

After updating to imx-seco >= 3.7.5, the issue was solved.

Thank you for your help

 

7 Replies
Joomar
Contributor II

Hi Hector,

Is it possible to provide the previous cst-3.3.1 version to compare?

hector_delgado
NXP TechSupport

Hi @Joomar ,

I hope you're doing well and sorry for the late reply, I somehow missed this last comment.

Please try using CST 3.4.0 (released today). Search | NXP Semiconductors

The first result in the search should be IMX_CST_TOOL_NEW (just double check that under the file it says Rev 3.4.0). Also, I'd recommend reading the release notes (especially the known issues section). Let me know if this works for you.

Best regards,
Hector.

Joomar
Contributor II

Hi Hector,

Thank you for your help.

Unfortunately, same issue with cst-3.4.0.

Nothing is mentioned in the CST release notes about an eventual rootfs encryption restriction.

The CST offline process is OK, but on the target, if Image2 is encrypted, it cannot boot.

 

hector_delgado
NXP TechSupport

Hi @Joomar ,

What errors are being shown when trying to boot image2 (if any are shown)? And how are you flashing said image?

Best regards,
Hector.

Joomar
Contributor II

After encryption the Flags associated to img0 (Flags=0x943) img1 (Flags=0x944) img2 (Flags=0x944)

Testing os container without encrypting img2 only => [Install Secret Key] Image Indexes = 0xFFFFFFFB

Then img0 (Flags=0x943) img1 (Flags=0x944) img2 (Flags=0x144 => no encryption).

In this case the binary boots well.

Why does the DEK blob inserted in the binary work well for img0 and img1 and not for img2?

Do you have an idea what is wrong?

The RSA key length is 2048, so 3 images should be supported.

 

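An offline consistency check for the values quoted in the post above, added here as an example (not code from the thread or from NXP): it reads the per-image flags from a container header and compares them with the CST Image Indexes mask. Assumptions: the 0x800 encryption bit is inferred from the 0x944 and 0x144 values in the thread, the header layout follows U-Boot's container_hdr and boot_img_t structs, the tag value 0x87 is assumed, and the function names and the sample header are constructed for illustration.

```python
import struct

ENCRYPTED_BIT = 0x800  # inferred from the thread: 0x944 (encrypted) vs 0x144 (not)
HDR = struct.Struct("<BHBIHBBHH")     # assumed layout: U-Boot struct container_hdr
IMG = struct.Struct("<IIQQII64s32s")  # assumed layout: U-Boot struct boot_img_t
CONTAINER_TAG = 0x87                  # assumed AHAB container header tag


def read_image_flags(blob):
    """Return the flags word of every image entry in a container header."""
    fields = HDR.unpack_from(blob, 0)
    tag, num_images = fields[2], fields[6]
    if tag != CONTAINER_TAG:
        raise ValueError(f"not a container header (tag 0x{tag:02x})")
    if HDR.size + num_images * IMG.size > len(blob):
        raise ValueError("image array runs past the end of the data")
    # Field 4 of each 128-byte entry is the flags word.
    return [IMG.unpack_from(blob, HDR.size + i * IMG.size)[4]
            for i in range(num_images)]


def check_encryption(image_indexes, flags):
    """List (index, flags, problem) where flags disagree with the CST mask."""
    problems = []
    for i, f in enumerate(flags):
        selected = bool((image_indexes >> i) & 1)
        encrypted = bool(f & ENCRYPTED_BIT)
        if selected and not encrypted:
            problems.append((i, f, "selected but not encrypted"))
        elif encrypted and not selected:
            problems.append((i, f, "encrypted but not selected"))
    return problems


def mask_excluding(*indexes):
    """Image Indexes value that selects every image except the given ones."""
    mask = 0xFFFFFFFF
    for i in indexes:
        mask &= ~(1 << i)
    return mask & 0xFFFFFFFF


def build_sample(flags):
    """Constructed container header (zero hashes, no payload) for offline use."""
    length = HDR.size + len(flags) * IMG.size
    hdr = HDR.pack(0, length, CONTAINER_TAG, 0, 0, 0, len(flags), 0, 0)
    entries = (IMG.pack(0, 0, 0, 0, f, 0, bytes(64), bytes(32)) for f in flags)
    return hdr + b"".join(entries)
```

The check only confirms that the flags CST wrote match the requested mask; it says nothing about why SECO rejects an image at boot.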
hector_delgado
NXP TechSupport

Hi @Joomar ,

I hope you're doing well!

Have you reviewed the following guide from our U-Boot repo? uboot-imx/doc/imx/ahab/guides/sign_os_cntr.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub

Also could you confirm exactly the i.MX you're using? And is it a custom board or one of our EVKs?

Thank you.

Best regards,
Hector.
