imx header missing on QSPI U-Boot for i.MX 6SX

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

imx header missing on QSPI U-Boot for i.MX 6SX

Jump to solution
9,626 Views
kanimozhi_t
Contributor V

Hi,

    Recently we've built the U-Boot for i.MX 6SX SABRE-SD's QSPI boot medium. When we try to sign the image for HAB Authentication, we ran into the problem of missing header information.

uboot-header-difference.png

    We've successfully verfied HAB Authentication earlier for SD Card boot medium. Hence the header comparison of the QSPI vs SD Card U-Boot is shown below:

sd-qspi-uboot-comp.png

    So our questions are summarised below,

  1. Is HAB authentication for QSPI?
  2. How could we add the missing imx header information for the QSPI U-Boot?
  3. Is there a provision to get the header details otherwise?

Thanks in advance. 

0 Kudos
Reply
1 Solution
9,203 Views
utkarsh_gupta
NXP Employee
NXP Employee

Usually the qspi image contains configuration info in first 0x1000 (0x400) of the image. Thus the IVT header resides at 0x1000. Please adjust the CSF accordingly.

for ex:

Blocks = <address> 0x1000 <size>-0x1000

Make sure the address is pointing at start of IVT and not start of image.

View solution in original post

14 Replies
9,233 Views
kanimozhi_t
Contributor V

@Yuri is there any progress on this issue?

0 Kudos
Reply
9,606 Views
Yuri
NXP Employee
NXP Employee

@kanimozhi_t 
Hello,

  

  Generally U-boot for QSPI should be signed in the same manner as
recommended in U-boot help.

 https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides?h=imx_v2020.04_5.4.70...

 

   As for QSPI U-boot, please refer to section 5.5 (U-Boot configuration)
of “IMX_YOCTO_PROJECT_USERS_GUIDE.pdf”.

 

 https://www.nxp.com/docs/en/user-guide/IMX_YOCTO_PROJECT_USERS_GUIDE.pdf

 

Regards,
Yuri.

9,587 Views
kanimozhi_t
Contributor V

Hi @Yuri

Thanks for the reply. But we've already successfully built the U-Boot for QSPI boot medium and verified without HAB Authentication. The problem arises when we try to sign the QSPI U-Boot as the addresses for CSF are not available.

So can you help us how to get the values for CSF?

0 Kudos
Reply
9,573 Views
Yuri
NXP Employee
NXP Employee

@kanimozhi_t 
Hello,

   Use Code-Signing Tool User’s Guide for details.
In particular, in Authenticate Data arguments, argument 

Blocks - List of one or more data blocks.
              Each block is specified by four parameters:
              • source file (must be binary),
              • starting load address in memory
              • starting offset within the source file
              • length (in bytes)

file address offset length with
file: valid pathname
address: 32-bit unsigned integer
offset: 0, ..., size of file
length: 0, ..., size of file - offset

Regards,
Yuri.

0 Kudos
Reply
9,557 Views
kanimozhi_t
Contributor V

Hi @Yuri 

 

Thanks for the CSF Block specifications. We're already familar with it as we've performed HAB signing and verified it on i.MX 6SX SABRE for SD Card boot medium.

 

Now our problem is that these block values (i.e., IVT & DCD) are null in our QSPI image.

  1. Do we need to build differently for the QSPI boot medium?
  2. Can you share a reference QSPI U-Boot for i.MX 6SX SABRE-SD that we can sign with CST 3.3.3?

 

Happy new year!

Tags (2)
0 Kudos
Reply
9,527 Views
Yuri
NXP Employee
NXP Employee

@kanimozhi_t 
Hello,

  

  Please refer to section 5.5 (U-Boot configuration) of “IMX_YOCTO_PROJECT_USERS_GUIDE.pdf” how to build U-boot, supporting different boot devices.

 https://www.nxp.com/docs/en/user-guide/IMX_YOCTO_PROJECT_USERS_GUIDE.pdf

  

  Customers can use demo images, in particular “u-boot-imx6sxsabreauto_qspi1.imx”

  https://www.nxp.com/webapp/Download?colCode=L5.10.72_2.2.0_MX6QDLSOLOX&appType=license

 Summary Page:

 https://www.nxp.com/design/software/embedded-software/i-mx-software/embedded-linux-for-i-mx-applicat...

Regards,
Yuri.

9,516 Views
kanimozhi_t
Contributor V

Hi @Yuri 

    Thanks for pointing out the NXP's reference U-Boot, we've downloaded it and tried to sign but we think "HAB" is not enabled on the shared image.

Screenshot from 2022-01-04 16-00-23.png

    Moreover, the imx header is agian zero on the reference image. Hence the image doesn't worked on a closed board.

Screenshot from 2022-01-04 15-56-56.png

Any further update would be appreciated. 

0 Kudos
Reply
9,438 Views
Yuri
NXP Employee
NXP Employee

@kanimozhi_t 
Hello,

   U-boot help describes how to build U-boot for secure boot.

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx6_mx7_secure_boot.t...

 Also use "IMX_PORTING_GUIDE.pdf".

Regards,
Yuri.

9,403 Views
kanimozhi_t
Contributor V

@Yuri thanks for your commitment and continuous support. I want to list the activites done on this regard and reiterate our problem in hand as follows,

  1. Succesfully built and verified HAB authentication on i.MX 6SX SABRE with SD Card boot medium
  2. Successfully build and verified U-Boot on QSPI boot medium following "IMX_YOCTO_PROJECT_USERS_GUIDE.pdf"
  3. Failed to sign QSPI U-Boot (step 2) due to missing header information.

So, kindly take our experiance/expertise into consideration on answering our current concern as given in step 3.

The header difference between SD and QSPI U-Boot is given in the following picture.

Screenshot from 2022-01-17 11-55-43.png

Thanks in advance.

0 Kudos
Reply
9,204 Views
utkarsh_gupta
NXP Employee
NXP Employee

Usually the qspi image contains configuration info in first 0x1000 (0x400) of the image. Thus the IVT header resides at 0x1000. Please adjust the CSF accordingly.

for ex:

Blocks = <address> 0x1000 <size>-0x1000

Make sure the address is pointing at start of IVT and not start of image.

8,139 Views
kanimozhi_t
Contributor V

Hi @utkarsh_gupta & @Yuri 

 

How can we implement QSPI encryption, taking the 0x1000 offset on QSPI U-Boot? Are there any reference CSF or encryption guides regarding QSPI U-Boot?

 

Thanks in advance.

0 Kudos
Reply
8,121 Views
utkarsh_gupta
NXP Employee
NXP Employee

I dont believe we have a reference CSF for this. However, the example in uboot docs can be used for performing encrypted boot. Just ensure offset in the CSF is correct.

8,043 Views
kanimozhi_t
Contributor V

@utkarsh_gupta thanks!

 

@Yuri & @utkarsh_gupta we've found a variation in imx header on QSPI U-Boot for i.MX 6SX (the size is 0x718 instead of the constant 0xc00).

Kindly refer our new query for more info: https://community.nxp.com/t5/i-MX-Processors/Improper-imx-header-on-QSPI-U-Boot/m-p/1525036/highligh...

0 Kudos
Reply
8,000 Views
utkarsh_gupta
NXP Employee
NXP Employee

The IVT header in the image built for QSPI should be at offset 0x1000. Do you see the same thing? Are you using NXP BSP to build the image?

0 Kudos
Reply