I am using the imx8qxp-mek board and implementing the secure boot.
But I am getting the below ahab events while running the ahab status .
=> ahab_status
Lifecycle: 0x0020, NXP closed
SECO Event[0] = 0x0087EE00
CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
IND = AHAB_NO_AUTHENTICATION_IND (0xEE)
And also I am using the op-tee os and while at boot up time I am getting below warning messages.
I/TC: Non-secure external DT found
I/TC: OP-TEE version: 4e32281 (gcc version 12.2.0 (Debian 12.2.0-14)) #1 Thu Jan 1 01:00:00 UTC 1970 aarch64
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: WARNING: Please check https://optee.readthedocs.io/en/latest/architecture/porting_guidelines.html
Could this be the cause of this ahab status events or not ?
I checked the events code means, its saying that container is not signed But i have signed the image using cst tool.
Please suggest me on this issue.
Regards,
Rk
You need to sign u-boot-atf-container.img if target is flash_spl. refer to: uboot-imx/doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt at lf_v2023.04 · nxp-imx/uboot-imx · GitH...
Best regards
Harvey
Hi @Harvey021 ,
Thanks for reply,
During the signing process of uboot-atf in debian rules override_dh_auto_build process, while running the below code
Certain doubts:
1) which container needs to be signed for uboot final signed image flash.bin if we are following flash_spl target. As per soc.mk of imx-mkimage. flash_spl contains below 3 containers.
a) scfw_tcm.bin
b) u-boot-spl.bin
c) u-boot-atf-container.img
From above which needs to be signed . In above link doc its describing about signing of u-boot-proper+atf only but at line L- 212, it says that
The flash.bin file include three containers and the second container have to be
signed using the Code Signing Tool (CST).
So , it means that 2nd container here "u-boot-spl.bin" also needs to get signed using cst tool. If yes then how will we get the Container offset and signature of this binary ? its not mentioned in the doc.
2) We don't have to sign the scfw_tcm.bin ?
3) I have generated the cst key having enabled the CA flags in that while generating the SRK certificate so , I am confused which csf file should i use (a) csf_boot_image.txt or csf_boot_image_sgk.txt ?
bash ./bin/cst -i csf_uboot_atf.txt -o signed-u-boot-atf-container.img
I am getting the below error.
bash: ./bin/cst: ./bin/cst: cannot execute binary file,
/release/linux64/bin$ file cst
cst: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a7c94f18b0d664d9d03f1a28ed2979ac407044a1, stripped
Seems like this cst binary is build for x86-64 ? Can we get the cst binary for ARM64 ?
Could you please give some suggestion on this ! it will be helpful
Regards,
Rk
The error is telling that container is not signed (signature is missing).
if you run make SOC=iMX8QX flash_spl, you should see another container signature block from print log for signing.
You can refer to soc.mak for what images you need to compile.
Best regards
Harvey
Hi @Harvey021 ,
Thanks for reply,
1) which container needs to be signed for uboot final signed image flash.bin if we are following flash_spl target. As per soc.mk of imx-mkimage. flash_spl contains below 3 containers.
a) scfw_tcm.bin
b) u-boot-spl.bin
c) u-boot-atf-container.img
From above which needs to be signed . In above link doc its describing about signing of u-boot-proper+atf only but at line L- 212, it says that
The flash.bin file include three containers and the second container have to be
signed using the Code Signing Tool (CST).
So , it means that 2nd container here "u-boot-spl.bin" also needs to get signed using cst tool. If yes then how will we get the Container offset and signature of this binary ? its not mentioned in the doc.
2) We don't have to sign the scfw_tcm.bin ?
3) I have generated the cst key having enabled the CA flags in that while generating the SRK certificate so , I am confused which csf file should i use (a) csf_boot_image.txt or csf_boot_image_sgk.txt ?
Please suggest on these doubts.
Regards,
Rk
Hi @Harvey021 ,
thanks for reply.
I have all the required images for flash_spl , checked in the soc.mk file.
I am following the below file
https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt
for flash_spl which seems incorrect. I should have followed the below one instead of above one.
since i am building the image for flash_spl
$cd imx-mkimage
$make SOC=iMX8QX flash_spl
In the above one document we have to sign the u-boot-atf image also and then sign the flash.bin after
$make SOC=iMX8QX flash_spl
But after this also I am getting the same error code,which says image is not signed .
SECO Event[1] = 0x0087EE00
CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
IND = AHAB_NO_AUTHENTICATION_IND (0xEE)
flash_spl needed following bins.
flash_spl: $(MKIMG) $(AHAB_IMG) scfw_tcm.bin u-boot-spl.bin u-boot-atf-container.img
1) scfw_tcm.bin
2) ub-too-spl.bin
3) u-boot-atf-container.img
Here do we need to sign the u-boot-atf-container.img file also as mentioned in
Where I am missing the steps ? Am i following the correct document or missing any steps for this . ?
Also I am flashing the signed flash.bin image to uboot as below cmd
$sudo dd if=signed_flash.bin of=/dev/mmcblk0 bs=1k seek=32; sync
Please suggest on this! Its quite seems complicated than it mentioned in doc.
Please help me on this secure boot steps.
Regards,
Rk