iMX8QP MEK Boot fails with Read public key error after Secure Storage Enable

nishadkamdar
Contributor III

We have the iMX8QuadXPlus MEK CPU Board.

We followed the below steps to enable Secure Storage TA on this board.

Step 1: Built the Android image for the same using the android_p9.0.0_2.3.4 package.

Step 2: Flashed the trusty image using the following command:

./uuu_imx_android_flash.sh -f imx8qxp -a -e -u trusty-c0

Step 3: The board boots successfully.

Step 4: Entered fastboot mode using the reboot bootloader command on the target.

Step 5: Tried to enable the Secure Storage using the following commands:

root@XXXX:/android_build/out/target/product/mek_8q# fastboot stage rpmb_key_test.bin
target reported max download size of 419430400 bytes
sending 'rpmb_key_test.bin' (0 KB)...
OKAY [  0.028s]
finished. total time: 0.028s
root@XXXX://android_build/out/target/product/mek_8q# fastboot oem set-rpmb-key
...
OKAY [  0.152s]
finished. total time: 0.152s
root@test-Precision-3630-Tower:/home/nanduser/nishad_2_3_4/android_build/out/target/product/mek_8q#

Step 6: Got the following output:

Starting download of 36bytes

downloading of 36 bytes finished
RPMB key programmed successfully!
RPMB key blob generated!

Step 7: After reboot we see the following error:

avb: 265: Error: missing public key file [0]
avb.c:108: ERROR avb_do_tipc: AVB service returned error (2)
fsl_validate_vbmeta_public_key_rpmb: Read public key error
avb_slot_verify.c:783: ERROR: vbmeta_a: Public key used to sign data rejected.
resetting ...

Step 9: The board then reboots again automatically.

How do I recover from this?

Thank you for your time,

Nishad

1 Solution
igorpadykov
NXP Employee

Hi nishadkamdar

One can try to set the public key as described in sect. 3.3.3 "Generating AVB key to sign and verify images" of the i.MX_Android_Security_User_Guide included in the P9.0.0_2.3.4 release package.

$ fastboot oem set-public-key


Best regards
igor

nishadkamdar
Contributor III

Hello Igor,

Thanks for the quick reply.

I tried the following steps and could boot the board:

Step 1: Flash the rpmb key.

Step 2: Reboot the board.

Step 3: Stop in uboot.

Step 4: Enter fastboot mode using the fastboot 0 command.

Step 5: Flash the AVB public key.

Step 6: Reboot the board.

The board boots successfully now.

Thanks and regards,

Nishad
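
The failure and fix discussed in this thread can be recognised from a captured serial console log. The following is an added example, not code from the thread or from NXP: it splits the log into boot attempts and separates "public key could not be read from secure storage" from a plain rejection. The verdict names and the reading of a rejection without a read error as a key mismatch are assumptions of this example.

```python
import re

# Message patterns copied from the console output quoted in the thread.
PATTERNS = {
    "key_missing": re.compile(r"avb: \d+: Error: missing public key file"),
    "key_read_error": re.compile(r"fsl_validate_vbmeta_public_key_rpmb: Read public key error"),
    "key_rejected": re.compile(r"ERROR: (vbmeta_\w+): Public key used to sign data rejected"),
}
RESET = re.compile(r"^resetting \.\.\.", re.MULTILINE)


def triage(console_log):
    """Classify each boot attempt in a captured U-Boot console log."""
    # Each "resetting ..." line ends one boot attempt.
    attempts = [a for a in RESET.split(console_log) if a.strip()]
    report = {"attempts": len(attempts), "resets": len(RESET.findall(console_log)),
              "slots": set(), "verdict": "no_avb_key_error"}
    unreadable = mismatched = 0
    for attempt in attempts:
        hits = {name for name, rx in PATTERNS.items() if rx.search(attempt)}
        report["slots"].update(PATTERNS["key_rejected"].findall(attempt))
        if "key_rejected" not in hits:
            continue
        # Rejection preceded by a read failure: no key could be fetched
        # from secure storage, so vbmeta had nothing to be checked against.
        if hits & {"key_missing", "key_read_error"}:
            unreadable += 1
        else:
            mismatched += 1  # assumption: a key was read but did not match
    if unreadable:
        report["verdict"] = "avb_public_key_not_provisioned"
    elif mismatched:
        report["verdict"] = "avb_public_key_mismatch"
    report["boot_loop"] = report["resets"] >= 2 and report["verdict"] != "no_avb_key_error"
    return report


# Constructed sample: the thread's log lines repeated for two boot attempts.
SAMPLE = """\
avb: 265: Error: missing public key file [0]
avb.c:108: ERROR avb_do_tipc: AVB service returned error (2)
fsl_validate_vbmeta_public_key_rpmb: Read public key error
avb_slot_verify.c:783: ERROR: vbmeta_a: Public key used to sign data rejected.
resetting ...
""" * 2

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A verdict of avb_public_key_not_provisioned corresponds to the state reached in the original post, which the thread resolves by flashing the AVB public key after the RPMB key.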

 

intelav
Contributor II

How do we stop in uboot mode? I have this imx8qx EVK kit and am looking for a better option for the uboot command line to experiment.
