imx8mplus

t2865k5 · ‎06-26-2023

Dear NXP ,

HW : imx8mplus

u-boot version : 2021.04-r0

kernel version : 5.10.72

Secure boot :

step 1 :

$ hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin

0x1BEBF778

0x3CEB2A

0xC41D3D61

0xD55165F3

0x70A014A9

0x1852CC22

0xED495390

0x488C0B93

step 2:

fuse prog 6 0 0x1BEBF778

fuse prog 6 1 0x3CEB2A

fuse prog 6 2 0xC41D3D61

fuse prog 6 3 0xD55165F3

fuse prog 7 0 0x70A014A9

fuse prog 7 1 0x1852CC22

fuse prog 7 2 0xED495390

fuse prog 7 3 0x488C0B93

step 3:

- Program SRK_LOCK:

=> fuse prog 0 0 0x200

- Program DIR_BT_DIS:

=> fuse prog 1 3 0x8000000

- Program SJC_DISABLE:

=> fuse prog 1 3 0x200000

- JTAG_SMODE:

=> fuse prog 1 3 0xC00000

step 4:

fuse prog 1 3 0x02000000

Refer to the picture below. This srg-imx8mplus platform has started secure boot, and Authenticate kernel image fail. Please check message after booting. I think the uboot authentication is passed.
Just to load kernel image failed.

I found out that setp3 is not needed . I want to know if imx8mplus secure boot only choose
verify u-boot signed image. Is this OK ?

Is it necessary to verify kernel and rootfs images?

t2865k5 · ‎07-13-2023

Dear NXP ,

I add some debug message in hab.c. In u-boot mode , it show meaasge as follows:

### [authenticate_image] ###
ddr_start : 0x40480000
ivt_offset : 0x1d90000
IVT_SIZE : 0x20
CSF_PAD_SIZE : 0x2000
bytes : 0x1d92020

refer to the imx_hab_authenticate_image(ddr_start, bytes, ivt_offset);

Run command as follows:

hab_auth_img 0x40480000 0x1d92020 0x1d90000

Please help fix this issue .

t2865k5 · ‎07-12-2023

Dear NXP ,

Could you reply here?

t2865k5 · ‎07-11-2023

Could you answer my question ASAP ?

Harvey021 · ‎07-11-2023

Yes, replied back to you in another case.

Best regards

Harvey

t2865k5 · ‎07-07-2023

Dear NXP ,

u-boot version : 2021.04-r0

kernel version : 5.10.72

Is it not possible to use cst-3.1.0 tool ? Should I use another version cst tool ?

t2865k5 · ‎07-06-2023

Dear NXP ,

I think uboot image authentication is passed .Kernel image authentication is failed.

t2865k5 · ‎07-06-2023

Dear NXP ,

It enter u-boot mode when the device boot . Run command as follows:

hab_auth_img 0x40480000 0x1CD9A00 0x20

smithcoba · ‎07-11-2023

hab_auth_img 0x40480000 0x1CD9A00 0x20

It seems the 3rd parameter ivt offset 0x20 is wrong.

you can add debug information here to make sure all the parameters match your wish.

u-boot/arch/arm/mach-imx/hab.c

int authenticate_image(u32 ddr_start, u32 raw_image_size)
{
u32 ivt_offset;
size_t bytes;

ivt_offset = (raw_image_size + ALIGN_SIZE - 1) &
~(ALIGN_SIZE - 1);
bytes = ivt_offset + IVT_SIZE + CSF_PAD_SIZE;

return imx_hab_authenticate_image(ddr_start, bytes, ivt_offset);
}

t2865k5 · ‎07-06-2023

Dear NXP ,

(1) How to only choose to verify u-boot without verifying the kernel image ? What are the method to achieve?

(2) I have referred to the mx8m_secure_boot.txt but Authenticating kernel image is failed . Please check the imx8mplusSecureBoot.docx .

Harvey021 · ‎07-06-2023

Hi @t2865k5

(1) How to only choose to verify u-boot without verifying the kernel image ?

You can disable kernel verification in uboot.

diff --git a/cmd/booti.c b/cmd/booti.c
index d820930fe8..e1122f3e38 100644
--- a/cmd/booti.c
+++ b/cmd/booti.c
@@ -78,7 +78,8 @@ static int booti_start(struct cmd_tbl *cmdtp, int flag, int argc,
if (ret != 0)
return 1;

-#if defined(CONFIG_IMX_HAB) && !defined(CONFIG_AVB_SUPPORT)
+#if 0
+
extern int authenticate_image(
uint32_t ddr_start, uint32_t raw_image_size);
if (authenticate_image(ld, image_size) != 0) {

(2) I have referred to the mx8m_secure_boot.txt but Authenticating kernel image is failed . Please check the imx8mplusSecureBoot.docx .

Try to authenticate the size for image: Image_pad_ivt.bin

Best regards

Harvey

Harvey021 · ‎07-03-2023

Hi @t2865k5

I want to know if imx8mplus secure boot only choose verify u-boot signed image. Is this OK ? Is it necessary to verify kernel and rootfs images?

Ans: Mostly depends on your need; I'd recommend sign kernel too.

To the error of additional singing, would suggest to check if you've padded kernel as step: 3.1 Padding the image (uboot-imx/doc/imx/habv4/guides/mx8m_secure_boot.txt at lf_v2022.04 · nxp-imx/uboot-imx · GitHub) and better check again the signing image including ivt.

Best regards

Harvey

smithcoba · ‎07-11-2023

I hope you are doing well.

t2865k5 · ‎06-30-2023

Dear NXP ,

Please refer to the csf_additional_images.txt.

cd cst-3.1.0/csf/

../linux64/bin/cst --i csf_additional_images.txt --o csf_kernel.bin

cat Image_pad_ivt.bin csf_kernel.bin > Image_signed

copy uboot , kernel image and imx8mp-evk.dtb to SD card .

I get some error log when imx8mplus boot . Please refer to the picture .

Please help to me to fix this issue .