iMX8MQ-EVK: CST-3.3.1 signing flash.bin error

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决

iMX8MQ-EVK: CST-3.3.1 signing flash.bin error

跳至解决方案
7,233 次查看
Julie3
Contributor II

Hi,

I am currently working on iMX8MQ-EVK board (OPTEE included), and I would like to close/fuse my device and sign my image.

To do that:

- I downloaded CST-3.3.1

- I generated PKI tree and SRK hashes

- I got 'spl hab block' for csf_spl.txt by doing:

make SOC=iMX8M flash_hdmi_spl_uboot

 - I got Blocks for csf_fit.txt by doing:

TEE_LOAD_ADDR=0xfe000000 ATF_LOAD_ADDR=0x00910000 ./print_fit_hab.sh 0x60000 imx8mq-evk.dtb 

 - I created csf_fit.txt and csf_spl.txt. I copied flash.bin into my cst directory in order to generate the two csf binaries like below:

./cst -i csf_fit.txt -o csf_fit.bin

Logs :

Install SRK
Install CSFK
Authenticate CSF
Install key
Authenticate data
CSF Processed successfully and signed data available in csf_fit.bin

./cst -i csf_spl.txt -o csf_spl.bin

Logs:

Install SRK
Install CSFK
Authenticate CSF
Install key
Authenticate data
Invalid Block arguments, Blocks start offset and length together exceed file size in command AuthenticateData

 

So I would like to get some help with csf_fit.txt. I assume that I did the right command to get 'Block' (TEE_LOAD_ADDR=0xfe000000 ATF_LOAD_ADDR=0x00910000 ./print_fit_hab.sh 0x60000 imx8mq-evk.dtb); but it shouldn't make this error.

Could someone tell me what I did wrong?

Thanks.

标签 (1)
0 项奖励
回复
1 解答
6,975 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hi @Julie3 

You can disable kernel/DTB image authenticate in u-boot, it's "booti" command for i.mx8 platform.

diff --git a/cmd/booti.c b/cmd/booti.c
index a132949091..b66dfbff0e 100644
--- a/cmd/booti.c
+++ b/cmd/booti.c
@@ -42,7 +42,7 @@ static int booti_start(cmd_tbl_t *cmdtp, int flag, int argc,
if (ret != 0)
return 1;

-#if defined(CONFIG_IMX_HAB) && !defined(CONFIG_AVB_SUPPORT)
+#if 0
extern int authenticate_image(
uint32_t ddr_start, uint32_t raw_image_size);
if (authenticate_image(ld, image_size) != 0) {

 

-----------------------

To Kernle and DTS, which will be like as below. normally that we use with its soft link. 

tmp/deploy/images/imx8mqevk/imx8mq-evk.dtb -> imx8mq-evk--5.10.72+git0+a68e31b63f-r0-imx8mqevk-20220427085518.dtb

tmp/deploy/images/imx8mqevk/Image -> Image--5.10.72+git0+a68e31b6 3f-r0-imx8mqevk-20220427085518.bin

---------------------

You will find some examples under directory samples for UUU to burn images if you have downloaded Demo images from: 

L5.15.5_1.0.0_MX8MQ (nxp.com)

examples as: example_kernel_emmc.uuu

--------------------

I think the current issue for signing flash.bin is fixed, I'll change the state of this case to be Answered back. And we cannot put a case in open state too long.

Please feel free to reach out us with new case, if you have any further question.

 

Best regards

Harvey

 

在原帖中查看解决方案

0 项奖励
回复
18 回复数
7,174 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hi @Julie3 

- I got 'spl hab block' for csf_spl.txt by doing:

  make SOC=iMX8M flash_hdmi_spl_uboot --> Please change the SOC as "make SOC=iMX8MQ"

- I got Blocks for csf_fit.txt by doing:

  TEE_LOAD_ADDR=0xfe000000 ATF_LOAD_ADDR=0x00910000 ./print_fit_hab.sh 0x60000 imx8mq-evk.dtb -->  use this command to "make      SOC=iMX8MQ print_fit_hab" to Printing HAB FIT information

- I will not have OPTEE in my image.

  The OPTEE(tee.bin) that you make is similar with while making atf (bl31.bin), make sure alsp copy it to the directory imx-mkimage/iMX8M$

- I am not sure how to use it because I usually use uuu tool to flash eMMC:

  of=sdx x means sdcard that you insert into the host, which can be sdb. you can use sudo fdisk -l to check

- I am not sure that my whole image is signed (the rootfs.wic file was build with bitbake command but I never signed it).

  You just signed u-boot 

The tutorial that you follow should be fine for the secure boot. If you still have problem, please share below files to us for better understanding.

spl csf, fit csf, imx-mkimage build log and HAB FIT information.

 

Best regards

Harvey

 

0 项奖励
回复
7,162 次查看
Julie3
Contributor II

Hi @Harvey021 

 

Thank you for the reply.

- I used the suggested commands, I modified my 2 csf files and I regenerated the 2 csf binaries. I use CST outside my yocto project, so I copied all the files from iMX8M folder (~/imx-yocto-bsp/build/tmp/work/imx8mq_evk-poky-linux/imx-boot/1.0-r0/git/iMX8M$ cp * ~/cst-3.3.1/linux64/bin/).

Then, I signed the signed_flash.bin with csf binaries and offsets from 'make SOC=iMX8MQ flash_hdmi_spl_uboot'.

- I usually use UUU to flash my eMMC, so I think I shouldn't use 'sudo dd if=signed_flash.bin of=/dev/sda bs=1K seek=33 && sync' (I found out 'sda' with the command that you suggested 'sudo fdisk -l')

- I copied signed_flash.bin and imx-image-core-imx8mq-evk-20220427100918.rootfs.wic into a shared folder between windows and my ubuntu VM

- From windows' PowerShell, I flashed the eMMC with: uuu.exe -v -b emmc_all signed_flash.bin imx-image-core-imx8mq-evk-20220427100918.rootfs.wic

- When I boot my board, I used u-boot=> hab_status and I still have events:

u-boot=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x44 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x44 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x3c 0x44 0x33 0x18 0xc0 0x00
0xca 0x00 0x34 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x16 0x5c 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
0x00 0x0f 0x05 0x60 0x40 0x2f 0x05 0x60
0x00 0x00 0xb7 0xe0 0x00 0x91 0x00 0x00
0x00 0x00 0x90 0xe0 0xfe 0x00 0x00 0x00
0x00 0x08 0x00 0xa0

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

 

So I cannot close my device yet (signature error). I attached some files below, but I don't know where to find imx-mkimage build log.

 

Thank you for your help,

Julie

0 项奖励
回复
7,135 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hi @Julie3 

When you do make SOC=iMX8MQ flash_hdmi_spl_uboot. You will see those build log, please share.

 

Best regards

Harvey

 

0 项奖励
回复
7,131 次查看
Julie3
Contributor II

Hi @Harvey021 

 

My VM is currently broken, so I cannot have these build log for now. I only have the one for SOC=iMX8M but I am not sure if the data are the same (the offsets and hab_block were the same).

I attached the file for iMX8M, and I will upload the build log for iMX8MQ when I will have access to my VM.

 

Julie

0 项奖励
回复
7,114 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hi @Julie3 .

When your PC restores, Please send us your source files under iMX8M which is under your imx-mkimage. files are similar with as below: 

Harvey021_0-1652170549443.png

Please also share those info that mentioned as previous post.

Best regards

Harvey

 

0 项奖励
回复
7,048 次查看
Julie3
Contributor II

Hi @Harvey021 ,

 

I got access to my files, and my files under iMX8M are in a different path (~/imx-yocto-bsp/build/tmp/work/imx8mq_evk-poky-linux/imx-boot/1.0-r0/git/iMX8M). To sign my flash.bin (=>signed_flash.bin), I copy these files to cst-3.3.1/linux64/bin, and I do the commands:

- dd if=csf_spl.bin of=signed_flash.bin seek=$((0x4dc00)) bs=1 conv=notrunc

- dd if=csf_fit.bin of=signed_flash.bin seek=$((0x58c20)) bs=1 conv=notrunc

 

You can find the build log for iMX8MQ and the other files that you asked.

Thanks again for your help.

 

Julie

0 项奖励
回复
7,015 次查看
Harvey021
NXP TechSupport
NXP TechSupport

@Julie3 

Can you please check SRK table hash was correctly programmed compared with "SRK_1_2_3_4_fuse.bin"?  

u-boot=>fuse read 6 0 4; fuse read 7 0 4

And please check the last line of "HAB_FIT_INFO.txt" with "0xFE000000 0x15FA20 0x800A0cd " which is different from the last line of "csf_fit.txt" Blocks node with "0xFE000000 0x15FA20 0x800A0". Probably that was a mistype.

Best regards

Harvey

 

0 项奖励
回复
7,000 次查看
Julie3
Contributor II

Hi @Harvey021 

 

My SRK table is correct and I mistyped "cd" into my HAB_FIT_INFO.txt

- I tried some solution on forums without success. I finally came back to my original configuration and it worked (I don't really know why), there were not hab events.

- I managed to fuse my board with: u-boot => fuse prog 1 3 0x2000000

- I rebooted my iMX8MQ and got no hab events (HAB configuration: 0xcc, HAB State: 0x99)

- Then, I tried to boot my board, but I encountered the following error :

Authenticate image from DDR location 0x40480000...
bad magic magic=0x78 length=0x383a version=0xfe
bad length magic=0x78 length=0x383a version=0xfe
bad version magic=0x78 length=0x383a version=0xfe
Error: Invalid IVT structure

Allowed IVT structure:
IVT HDR = 0x4X2000D1
IVT ENTRY = 0xXXXXXXXX
IVT RSV1 = 0x0
IVT DCD = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF = 0xXXXXXXXX
IVT CSF = 0xXXXXXXXX
IVT RSV2 = 0x0
Authenticate Image Fail, Please check

- I don't really know what I missed because the step 3 from the tutorial is for signing additional boot images: https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx8m_secure_boot.txt?...

I cannot boto my board anymore, do you have any idea to solve that? 

Julie

0 项奖励
回复
6,989 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hi @Julie3 

You have to sign Kernle/dtb image following the step3 of the tutorial.

 

Best regards

Harvey

 

0 项奖励
回复
6,985 次查看
Julie3
Contributor II

Hi again @Harvey021 

 

I was thinking, is it possible to keep secure boot only for ROM and bootloader, but to disable Kernel image and rootfs image signature. In that way, I could disable Kernel image and rootfs authentification during boot process?

If it is possible to disable that, do you know how to do it?

Best regards,

Julie

0 项奖励
回复
6,976 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hi @Julie3 

You can disable kernel/DTB image authenticate in u-boot, it's "booti" command for i.mx8 platform.

diff --git a/cmd/booti.c b/cmd/booti.c
index a132949091..b66dfbff0e 100644
--- a/cmd/booti.c
+++ b/cmd/booti.c
@@ -42,7 +42,7 @@ static int booti_start(cmd_tbl_t *cmdtp, int flag, int argc,
if (ret != 0)
return 1;

-#if defined(CONFIG_IMX_HAB) && !defined(CONFIG_AVB_SUPPORT)
+#if 0
extern int authenticate_image(
uint32_t ddr_start, uint32_t raw_image_size);
if (authenticate_image(ld, image_size) != 0) {

 

-----------------------

To Kernle and DTS, which will be like as below. normally that we use with its soft link. 

tmp/deploy/images/imx8mqevk/imx8mq-evk.dtb -> imx8mq-evk--5.10.72+git0+a68e31b63f-r0-imx8mqevk-20220427085518.dtb

tmp/deploy/images/imx8mqevk/Image -> Image--5.10.72+git0+a68e31b6 3f-r0-imx8mqevk-20220427085518.bin

---------------------

You will find some examples under directory samples for UUU to burn images if you have downloaded Demo images from: 

L5.15.5_1.0.0_MX8MQ (nxp.com)

examples as: example_kernel_emmc.uuu

--------------------

I think the current issue for signing flash.bin is fixed, I'll change the state of this case to be Answered back. And we cannot put a case in open state too long.

Please feel free to reach out us with new case, if you have any further question.

 

Best regards

Harvey

 

0 项奖励
回复
6,968 次查看
Julie3
Contributor II

Hi @Harvey021 

 

I added the patch that you suggested for booti.c and I recompiled my image (bitbake -k imx-image-core).

After that I made the two commands :

- make SOC=iMX8MQ flash_hdmi_spl_uboot (same results as before)

- make SOC=iMX8MQ print_fit_hab (the differences between now and before are written in red)
0x40200000 0x5AC00 0xF0518
0x402F0518 0x14B118 0xB7E8
0x910000 0x156900 0x90E0
0xFE000000 0x15F9E0 0x800A0

 

I regenerated the binary files for csf:
- cst -i csf_spl.txt -o csp_spl.bin
- cst -i csf_fit.txt -o csp_fit.bin
 
I copied flash.bin : cp flash.bin signed_flash.bin
 
I signed signed_flash.bin with csf_fit.bin and csf_spl.bin:
dd if=csf_spl.bin of=signed_flash.bin seek=$((0x4dc00)) bs=1 conv=notrunc
dd if=csf_fit.bin of=signed_flash.bin seek=$((0x58c20)) bs=1 conv=notrunc
 
But when I want to flash my new images with: uuu.exe -v -b emmc_all signed_flash.bin imx-image-core-imx8mq-evk-20220523101745.rootfs.wic
I have the following error on my TeraTerm console: spl: ERROR: image authentication unsuccessful
 
You can see my logs in details in the files below.
I tried to solve the problem, but I didn't find any solution. Do you know what I could do to solve this?
 
Thanks again, I will try to put the post in 'Solved' as soon as possible.
 
 
Best regards,
Julie
0 项奖励
回复
6,947 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hi, 

Please share the patch log to that new case.

 

Best regards

Harvey

 

0 项奖励
回复
6,939 次查看
Julie3
Contributor II

Hi @Harvey021 

 

I managed to solve my problem. It was my mistake (a mistype).

Thank you so much for your help!

 

Best regards,

 

Julie

0 项奖励
回复
6,962 次查看
Julie3
Contributor II

When I use the old signed_flash.bin, I can flash my eMMC (with the new rootfs.wic).

But I am not sure I should use the old signed_flash.bin.

I added your patch to disable the checking of Kernel image's signature, and I used the old signed_flash.bin, but I still get the following error:

Authenticate image from DDR location 0x40480000...
bad magic magic=0x0 length=0x00 version=0x0
bad length magic=0x0 length=0x00 version=0x0
bad version magic=0x0 length=0x00 version=0x0
Error: Invalid IVT structure

Allowed IVT structure:
IVT HDR = 0x4X2000D1
IVT ENTRY = 0xXXXXXXXX
IVT RSV1 = 0x0
IVT DCD = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF = 0xXXXXXXXX
IVT CSF = 0xXXXXXXXX
IVT RSV2 = 0x0
Authenticate Image Fail, Please check

 

Best regards,

Julie

0 项奖励
回复
6,985 次查看
Julie3
Contributor II

Hi @Harvey021 

Thank you for your reply, I have to sign Kernel image and rootfs image as well, is it right?

I saw on some documentation that Kernel image is called 'Image'. And in my tmp/deploy/images/imx8mq-evk folder, I have a file called 'Image--5.10.72+git0+a68e31b63f-r0-imx8mq-evk-20220513080609.bin'. Is this the Kernel image? Or is it the .dtb file ('imx8mq-evk-ak4497--5.10.72+git0+a68e31b63f-r0-imx8mq-evk-20220513080609.dtb')?

 

Also, when I flash my emmc, I use the command 'uuu.exe emmc_all -v -b signed_flash.bin xxxx.rootfs.wic', so I am sending bootloader and rootfs. But how can I include kernel image in the flashing process? Do I have to do it separately? If so, how can I do it (I didn't see anything like that in UUU.pdf documentation).

 

Best regards,

Julie

0 项奖励
回复
7,216 次查看
Julie3
Contributor II

Hi,

 

I made a mistake in my previous question. I mixed up the logs for csf_spl and csf_fit. The problem is in csf_fit.

Also, I find out that the last line from 

TEE_LOAD_ADDR=0xfe000000 ATF_LOAD_ADDR=0x00910000 ./print_fit_hab.sh 0x60000 imx8mq-evk.dtb 

is for OPTEE. When I remove this line in my csf_fit.txt, I manage to make csf_fit.bin successfully. But if I do that, I will not have OPTEE in my image, right?

0 项奖励
回复
7,211 次查看
Julie3
Contributor II

Hi again,

Now that I have my csf_fit.bin (without including the line for tee.bin) and csf_spl.bin, I tried to include them into signed_flash.bin (see picture below):

Julie3_0-1651484662247.png

I also tried the following command, but I am not sure how to use it because I usually use uuu tool to flash eMMC:

Julie3_1-1651484803856.png

 

Finally, I flashed the eMMC with: uuu.exe -v -b emmc_all signed_flash.bin imx-image-core-imx8mq-evk-20220427100918.rootfs.wic

Now, my u-boot image is signed, but I am not sure that my whole image is signed (the rootfs.wic file was build with bitbake command but I never signed it).

 

Also, when I but my iMX8MQ EVK board, there is no error. But when I do u-boot=> hab_status, I have the following events:

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x44 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xdd 0xc0
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x44 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x34 0x44 0x33 0x18 0xc0 0x00
0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x16 0x54 0x40 0x1f 0xcd 0xc0
0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
0x00 0x0f 0x05 0x60 0x40 0x2f 0x05 0x60
0x00 0x00 0xb7 0xdf 0x00 0x91 0x00 0x00
0x00 0x00 0x90 0xe0

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

 

I already programmed SRK Hash, but I didn't close the device yet. I followed the tutorial https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx8m_secure_boot.txt?...

But I am lost because I don't know if I did all the steps right or forgot some steps..

 

Could someone help me please?

Julie

0 项奖励
回复