i.MX8 X OS container encryption issue

Joomar
Contributor II

I prepared an os_cntr_signed.bin that boots well.

3 elements are embedded in this container: dtb/linux/rootfs

After encrypting it with cst-3.3.2, the os_cntr_signed.bin cannot boot.

AHAB indicates "Error: authenticate img 2 failed, return -5". SECO Event is 0x0088A929 => A9 Unknown Indicator

Encryption seems ok for img0 and img1 but not for img 2 (rootfs).

In the CST process [Install Secret Key] Image Indexes = 0xFFFFFFFF

Is there a restriction with rootfs?

 

1 Solution
Joomar
Contributor II

Hi Hector,

Updating imx-seco to >= 3.7.5 solved the issue.

Thank you for your help.

 

7 Replies
Joomar
Contributor II

Hi Hector,

Is it possible to provide the previous cst-3.3.1 version to compare?

hector_delgado
NXP TechSupport

Hi @Joomar ,

I hope you're doing well and sorry for the late reply, I somehow missed this last comment.

Please try using CST 3.4.0 (released today). Search | NXP Semiconductors

The first result in the search should be IMX_CST_TOOL_NEW (just double check that under the file it says Rev 3.4.0). Also, I'd recommend reading the release notes (especially the known issues section). Let me know if this works for you.

Best regards,
Hector.

Joomar
Contributor II

Hi Hector,

Thank you for your help.

Unfortunately, same issue with cst-3.4.0.

Nothing is mentioned in the CST release notes about an eventual rootfs encryption restriction.

The CST offline process is OK, but on the target, if Image2 is encrypted, it cannot boot.

 

hector_delgado
NXP TechSupport

Hi @Joomar ,

What errors are being shown when trying to boot image2 (if any are shown)? And how are you flashing said image?

Best regards,
Hector.

Joomar
Contributor II

After encryption, the Flags associated with the images are: img0 (Flags=0x943), img1 (Flags=0x944), img2 (Flags=0x944).

Testing the OS container without encrypting img2 only => [Install Secret Key] Image Indexes = 0xFFFFFFFB

Then img0 (Flags=0x943), img1 (Flags=0x944), img2 (Flags=0x144 => no encryption).

In this case the binary boots well.

Why does the DEK blob inserted in the binary work well for img0 and img1 and not for img2?

Do you have an idea what is wrong?

The RSA key length is 2048, so 3 images should be supported.

 

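Added example, not part of the original post or of NXP's tooling: a Python cross-check of the [Install Secret Key] Image Indexes mask against the per-image Flags quoted above. It assumes, from those quoted values only, that bit n of the mask selects image n and that bit 11 (0x800) of Flags marks an encrypted image; all function names are hypothetical.

```python
# Assumptions inferred from the values quoted in the post (0x144 vs 0x944,
# 0xFFFFFFFF vs 0xFFFFFFFB), not taken from NXP documentation:
#   - bit n of "Image Indexes" selects image n for encryption
#   - bit 11 (0x800) of an image's Flags means "encrypted"
ENCRYPTED_BIT = 0x800


def selected_images(image_indexes, image_count):
    """Image numbers selected by the Image Indexes mask."""
    return [n for n in range(image_count) if (image_indexes >> n) & 1]


def is_encrypted(flags):
    """True when the (assumed) encrypted bit is set in an image's Flags."""
    return bool(flags & ENCRYPTED_BIT)


def check_container(image_indexes, flags_per_image):
    """Return (image, flags, problem) for every image whose Flags disagree
    with the mask; an empty list means mask and Flags are consistent."""
    selected = set(selected_images(image_indexes, len(flags_per_image)))
    problems = []
    for n, flags in enumerate(flags_per_image):
        want, have = n in selected, is_encrypted(flags)
        if want and not have:
            problems.append((n, hex(flags), "selected but not encrypted"))
        elif have and not want:
            problems.append((n, hex(flags), "encrypted but not selected"))
    return problems


# Values quoted in the post: dtb / linux / rootfs
ALL_ENCRYPTED = (0xFFFFFFFF, [0x943, 0x944, 0x944])
IMG2_PLAIN = (0xFFFFFFFB, [0x943, 0x944, 0x144])
# Constructed mismatch: mask selects img2 but its Flags show no encryption
CONSTRUCTED_BAD = (0xFFFFFFFF, [0x943, 0x944, 0x144])

if __name__ == "__main__":
    for name, (mask, flags) in [("all encrypted", ALL_ENCRYPTED),
                                ("img2 plain", IMG2_PLAIN),
                                ("constructed mismatch", CONSTRUCTED_BAD)]:
        print(name, hex(mask), check_container(mask, flags) or "consistent")
```

This validates only the offline output; in this thread the offline process was reported as OK and the failure appeared on the target.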
hector_delgado
NXP TechSupport

Hi @Joomar ,

I hope you're doing well!

Have you reviewed the following guide from our U-Boot repo? uboot-imx/doc/imx/ahab/guides/sign_os_cntr.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub

Also, could you confirm exactly which i.MX you're using? And is it a custom board or one of our EVKs?

Thank you.

Best regards,
Hector.
