Hi,
Recently we've built the U-Boot for i.MX 6SX SABRE-SD's QSPI boot medium. When we try to sign the image for HAB Authentication, we ran into the problem of missing header information.
We've successfully verfied HAB Authentication earlier for SD Card boot medium. Hence the header comparison of the QSPI vs SD Card U-Boot is shown below:
So our questions are summarised below,
Thanks in advance.
Solved! Go to Solution.
Usually the qspi image contains configuration info in first 0x1000 (0x400) of the image. Thus the IVT header resides at 0x1000. Please adjust the CSF accordingly.
for ex:
Blocks = <address> 0x1000 <size>-0x1000
Make sure the address is pointing at start of IVT and not start of image.
@Yuri is there any progress on this issue?
@kanimozhi_t
Hello,
Generally U-boot for QSPI should be signed in the same manner as
recommended in U-boot help.
As for QSPI U-boot, please refer to section 5.5 (U-Boot configuration)
of “IMX_YOCTO_PROJECT_USERS_GUIDE.pdf”.
https://www.nxp.com/docs/en/user-guide/IMX_YOCTO_PROJECT_USERS_GUIDE.pdf
Regards,
Yuri.
Hi @Yuri
Thanks for the reply. But we've already successfully built the U-Boot for QSPI boot medium and verified without HAB Authentication. The problem arises when we try to sign the QSPI U-Boot as the addresses for CSF are not available.
So can you help us how to get the values for CSF?
@kanimozhi_t
Hello,
Use Code-Signing Tool User’s Guide for details.
In particular, in Authenticate Data arguments, argument
Blocks - List of one or more data blocks.
Each block is specified by four parameters:
• source file (must be binary),
• starting load address in memory
• starting offset within the source file
• length (in bytes)
file address offset length with
file: valid pathname
address: 32-bit unsigned integer
offset: 0, ..., size of file
length: 0, ..., size of file - offset
Regards,
Yuri.
Hi @Yuri
Thanks for the CSF Block specifications. We're already familar with it as we've performed HAB signing and verified it on i.MX 6SX SABRE for SD Card boot medium.
Now our problem is that these block values (i.e., IVT & DCD) are null in our QSPI image.
Happy new year!
@kanimozhi_t
Hello,
Please refer to section 5.5 (U-Boot configuration) of “IMX_YOCTO_PROJECT_USERS_GUIDE.pdf” how to build U-boot, supporting different boot devices.
https://www.nxp.com/docs/en/user-guide/IMX_YOCTO_PROJECT_USERS_GUIDE.pdf
Customers can use demo images, in particular “u-boot-imx6sxsabreauto_qspi1.imx”
https://www.nxp.com/webapp/Download?colCode=L5.10.72_2.2.0_MX6QDLSOLOX&appType=license
Summary Page:
Regards,
Yuri.
Hi @Yuri
Thanks for pointing out the NXP's reference U-Boot, we've downloaded it and tried to sign but we think "HAB" is not enabled on the shared image.
Moreover, the imx header is agian zero on the reference image. Hence the image doesn't worked on a closed board.
Any further update would be appreciated.
@kanimozhi_t
Hello,
U-boot help describes how to build U-boot for secure boot.
Also use "IMX_PORTING_GUIDE.pdf".
Regards,
Yuri.
@Yuri thanks for your commitment and continuous support. I want to list the activites done on this regard and reiterate our problem in hand as follows,
So, kindly take our experiance/expertise into consideration on answering our current concern as given in step 3.
The header difference between SD and QSPI U-Boot is given in the following picture.
Thanks in advance.
Usually the qspi image contains configuration info in first 0x1000 (0x400) of the image. Thus the IVT header resides at 0x1000. Please adjust the CSF accordingly.
for ex:
Blocks = <address> 0x1000 <size>-0x1000
Make sure the address is pointing at start of IVT and not start of image.
Hi @utkarsh_gupta & @Yuri
How can we implement QSPI encryption, taking the 0x1000 offset on QSPI U-Boot? Are there any reference CSF or encryption guides regarding QSPI U-Boot?
Thanks in advance.
I dont believe we have a reference CSF for this. However, the example in uboot docs can be used for performing encrypted boot. Just ensure offset in the CSF is correct.
@utkarsh_gupta thanks!
@Yuri & @utkarsh_gupta we've found a variation in imx header on QSPI U-Boot for i.MX 6SX (the size is 0x718 instead of the constant 0xc00).
Kindly refer our new query for more info: https://community.nxp.com/t5/i-MX-Processors/Improper-imx-header-on-QSPI-U-Boot/m-p/1525036/highligh...
The IVT header in the image built for QSPI should be at offset 0x1000. Do you see the same thing? Are you using NXP BSP to build the image?