Hi team,
I am using the linux kernel branch lf-6.1.36_2.1.0, I am implementig the secure boot in imx8qxp-mek board .
But how to get the signed image of kernel ?
Somewhere it is mention about to use the imx-mkimage tool. I tried that also but getting error.
$/imx-mkimage (lf-6.1.36_2.1.0)$ make SOC=iMX8QX flash_linux_m4
Compiling mkimage_imx8
include misc.mak
include m4.mak
include android.mak
include test.mak
include autobuild.mak
include alias.mak
make[1]: *** No rule to make target 'mx8qxb0-ahab-container.img', needed by 'flash_linux_m4'. Stop.
make: *** [Makefile:26: flash_linux_m4] Error 2
is the metione imx-mkimage command looks fine ? any reference for signing kernel.
imx-mkimage command to create the signed img ?
Please suggest on this issue
Regards,
RK
Hi @rakesh3 ,
I hope you're doing well! Sorry for the late reply.
Make sure you have all needed files in your directory in order to successfully build the image. I'd suggest reviewing the following guide i.MX8 Boot process and creating a bootable image - NXP Community.
Also double check the following (from uboot-imx/doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt at lf_v2023.04 · nxp-imx/uboot-imx · GitHub
Before continuing, be sure to have already downloaded and built the
following:
- imx-mkimage downloaded and built with i.MX 8 container support.
- SECO firmware downloaded.
- U-Boot downloaded and built. Please check section 1.2.
- ARM Trusted Firmware (ATF) downloaded and built for your target.
- System Controller Firmware (SCFW).
- Kernel image.
Let me know if this was of any help!
Best regards,
Hector.
Thanks @hector_delgado for reply,
I have flashed the key with the below details of uboot build for
$cd imx-mkimage/
$make SOC=iMX8QX flash_spl
I had got below details while building the uboot .
145408 bytes (145 kB, 142 KiB) copied, 0.00288485 s, 50.4 MB/s
282+1 records in
282+1 records out
144623 bytes (145 kB, 141 KiB) copied, 0.00315915 s, 45.8 MB/s
SOC: QX
REVISION: B0
DCD: skip
New Container: 0
SCFW: scfw_tcm.bin
AP: u-boot-spl.bin core: a35 addr: 0x00100000
Output: flash.bin
CONTAINER FUSE VERSION: 0x00
CONTAINER SW VERSION: 0x0000
ivt_offset: 1024
rev: 2
Platform: i.MX8QXP B0
ivt_offset: 1024
container image offset (aligned):13400
csf_off 0x13800
flags: 0x10
Hash of the images =
SCFW file_offset = 0x13400 size = 0x28400
Hash of the images =
AP file_offset = 0x3b800 size = 0x23800
CST: CONTAINER 0 offset: 0x400
CST: CONTAINER 0: Signature Block: offset is at 0x510
Offsets = 0x400 0x510
DONE.
Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET
append u-boot-atf-container.img at 380 KB
3146+0 records in
3146+0 records out
3221504 bytes (3.2 MB, 3.1 MiB) copied, 0.00977448 s, 330 MB/s
From the above details i had created the csf_boot_image.txt, Attached the csf file.
and created the uboot signed image.
Below is the o/p of keys which i have flashed.
=> fuse read 0 730 16
Reading bank 0:
Word 0x000002da: 0f2b72e0 b198e649 a323e0e5 bb649ea0
Word 0x000002de: 5469e0f0 683d36d1 4efe867f e661f8ce
Word 0x000002e2: e40850fe 7ff51662 97772618 da8f51fa
Word 0x000002e6: 43854e5c 8c7b2d7d 0b7bbb73 49aab9c8
=>
I cross checked the keys with hash table as mentioned in
https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/introduction_ahab.txt
But unfortunately , after flashing the keys while checking the ahab_status, I am getting the below SECO events.
=> ahab_status
Lifecycle: 0x0020, NXP closed
SECO Event[0] = 0x0087EE00
CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
IND = AHAB_NO_AUTHENTICATION_IND (0xEE)
sc_seco_get_event: idx: 1, res:3
I also checked this event in AN12312.pdf , its saying container image is not signed But I am sure its signed with the keys using CST tool.
Also I am getting the same size of signed and unsigned u-boot image.
$ls -l
-rw-r--r-- 1 user user 3610624 Oct 30 19:11 flash.signed.bin
-rw-r--r-- 1 user user 3610624 Oct 30 19:10 flash.bin
Is this correct ? Or should signed image be larger then unsigned img.?
Please suggest on this issue, As its quite risky to flash the keys in another device
Regards,
Rk
Hi @rakesh3 ,
Could you confirm if you're working with an M4 image?
If so, please be aware of this note found on uboot-imx/doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt at lf_v2023.04 · nxp-imx/uboot-imx · GitHub
Please note that on this example we not including an Cortex-M4 Image, on i.MX8/8x MEK boards the SCU console may be replaced by the M4 console not being possible to run the steps documented in section "1.5.5 Verify SECO events".
Just making sure since your original post it seems to be an M4 image and you're using one of our MEK boards. Please let me know!
Best regards,
Hector.