iMX8M-Mini - ISSUE while signing kernel image for extending chain of trust

autoamp · ‎01-29-2021

Hello,

Am in process of setting up secure boot for iMX8M-Mini.

Am following guide available at mx8m_secure_boot.txt and docu from boundry-devices here.

I have managed to create signed flash.bin. Now to extend root of trust, we also need to sign & authenticate kernel image. Detailed procedure for this is given in section 2 of the guide in above link.

One of the step for signing image is to create csf using csf_additional_images.txt to generate Image_Signed.bin.

Now in csf_additional_images we need to enter Start Address, Offset, Length and file under [Authentic Data] section.

How and where to get the given information? for more info refer this example.

frix · ‎02-07-2022

Hi autoamp,

Have you managed to solve your problem? I've run into exactly the same issue today after I've signed u-boot and enabled the security fuses.

My i.MX8M Mini CPU loads u-boot correctly. Then it loads the linux kernel & device tree dtb into RAM and complains about a hab failure

on the kernel image. I didn't realise that enabling HAB for u-boot will automatically require a signed kernel image as well. Regardless, signing the kernel with the additional steps did not work.

If it will help I can post all my steps for signing the kernel image, showing the sizes and offsets that I've used.

Regards,

Frix

Yuri · ‎02-04-2021

@autoamp
Hello,

1. Please check your U-Boot environment for the correct kernel Load Address.

U-boot> printenv loadaddr

2. The offset is zero.

3. The Image must be padded first, the padding size can be read from image header with “od” command.

od -t x4 -j 0x10 -N 0x4 Image

The tool “objcopy” can be used for padding the image. For example, the size read from image header
is 0x13b7000.

objcopy -I binary -O binary --pad-to 0x13b7000 --gap-fill=0x5A Image Image_pad.bin

Regards,
Yuri.