imx8qxp-mek secure boot


rakesh3
Contributor V

Hi team,

 

I am using the imx8qxp-mek board and trying to implement secure boot on it.

I have enabled the CONFIG_AHAB_BOOT config in U-Boot and followed the instructions given in

/doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt

I am using the 6.1.54 Linux kernel version and U-Boot version 2023.04, lf-6.1.36_2.1.0 version.

I have attached the output of 

$ cd <work>/imx-mkimage
$ make SOC=iMX8QX flash

and I am using the below csf data to generate the signed img.

$ cd <work>
$ ./release/linux64/bin/cst -i csf_boot_image.txt -o flash.signed.bin

[Header]
Target = AHAB
Version = 1.0

[Install SRK]
# SRK table generated by srktool
File = "../crts/SRK_1_2_3_4_table.bin"
# Public key certificate in PEM format
Source = "../crts/SRK1_sha256_prime256v1_v3_ca_crt.pem"
# Index of the public key certificate within the SRK table (0 .. 3)
Source index = 0
# Type of SRK set (NXP or OEM)
Source set = OEM
# bitmask of the revoked SRKs
Revocations = 0x0

[Authenticate Data]
# Binary to be signed generated by mkimage
File = "flash.bin"
# Offsets = Container header Signature block (printed out by mkimage)
Offsets = 0x400 0x510

1) Is the above Authenticate Data fine to use with the mentioned Offsets?

2) Does the padding happen automatically during the process of building the u-boot/kernel image?

 

Regards,

Rk

0 Kudos
2 Replies

Harvey021
NXP TechSupport

Is the above Authenticate Data fine to use with the mentioned Offsets?

-> It is fine. 

Does the padding happen automatically during the process of building the u-boot/kernel image?

-> 0x400 is padded to 1kb alignment.

 

Best regards

Harvey

 

0 Kudos

rakesh3
Contributor V

Thanks for the reply,

I am signing the kernel for secure boot.

I have used the steps mentioned in

https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/guides/sign_os_cntr.txt

But while building the kernel

$ make SOC=imx8qx flash_kernel
I was getting an error that the Image file was not found. So I renamed the kernel image vmlinux-6.1.54-cip6+mel2 to Image.

1) Is this correct ?

Because I am not getting the Image that is mentioned in imx-mkimage/iMX8QX/soc.mk for the flash_kernel build.

After successfully building the kernel img container using the above renaming method, I signed the kernel img with the CST tool using the below command:

$ ./release/linux64/bin/cst -i csf_linux_img.txt -o os_cntr_signed.bin

I tried to load the kernel img to RAM using SD card boot

=> load mmc 1:1 ${cntr_addr} /boot/os_cntr_signed.bin

But I got below error.

=> load mmc 1:1 ${cntr_addr} /opt/os_cntr_signed.bin
checksum verify failed on 22216704 found 000000DB wanted 000000E8
checksum verify failed on 22216704 found 00000054 wanted 00000038
checksum verify failed on 22216704 found 000000DB wanted 000000E8
bad tree block 22216704, bytenr mismatch, want=22216704, have=3757466704011408333
BTRFS: cannot read chunk root
Can't set block device
=>

2) I am using the uboot/include/configs/imx8qxp_mek.h  file. Can we give both Image and os_contr_signed.bin as load 

"loadimage=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${image}\0" \
"loadfdt=fatload mmc ${mmcdev}:${mmcpart} ${fdt_addr} ${fdt_file}\0" \
"loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \

Or Just for testing we can simply give the 

I have tested with the below command, as mentioned in the doc for testing the OS authentication

Note: OS image can also be authenticated by running a U-Boot command:

=> auth_cntr <Container address>

https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/guides/sign_os_cntr.txt

=> auth_cntr ${cntr_addr}
Authenticate OS container at 0x98000000
container length 672
img 0, dst 0x80200000, src 0x2550145024x, size 0x222dc00
img 1, dst 0x83000000, src 0x2585984000x, size 0x19400

I think the 1st, img 0, is the Image (kernel img) and the 2nd, img 1, is the dtb img.

1) Is the above authentication of images good to go for flashing the keys?

2) In the below lines mentioned in the include/configs/imx8qxp_mek.h

"loadimage=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${image}\0" \
+ "loadfdt=fatload mmc ${mmcdev}:${mmcpart} ${fdt_addr} ${fdt_file}\0" \
+ "loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \
+ "auth_os=auth_cntr ${cntr_addr}\0" \
+ "boot_os=booti ${loadaddr} - ${fdt_addr};\0" \
+ "mmcboot=echo Booting from mmc ...; " \
+ "run mmcargs; " \
+ "if test ${sec_boot} = yes; then " \
+ "if run auth_os; then " \
+ "run boot_os; " \
+ "else " \
+ "echo ERR: failed to authenticate; " \
+ "fi; " \
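Review bot: `boot_os` runs `booti ${loadaddr} - ${fdt_addr}` while `auth_os` only names `${cntr_addr}`, and nothing in these lines documents how the two are related. Add a comment next to `boot_os` stating that `loadaddr` and `fdt_addr` have to be the destination addresses recorded in the signed container, so a reader can see that what `booti` starts is what `auth_cntr` authenticated, and note that `loadimage` and `loadfdt` are not meant to run after `auth_os` when `sec_boot` is `yes`.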

We are loading the unsigned img at loadaddr and then loading the signed image at cntr_addr.

Are these steps correct to verify the signed kernel img? Why are we loading the unsigned and then the signed kernel img?

How do I cross-verify the signed kernel/U-Boot img?

Please give suggestions on this.

 

Regards,

Rk

 

0 Kudos
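Added example, not part of the thread and not NXP's or U-Boot's code: an offline structural check of an AHAB container, covering both the CSF `Offsets` pair asked about in the first post and the image table that `auth_cntr` prints in the last one. It assumes the packed little-endian layout of U-Boot's `container_hdr` and `boot_img_t` structs and container tag 0x87; `parse_container` and `build_sample` are hypothetical names, the sample container is constructed, and the check covers structure only, not the signature.

```python
import struct

# Layout assumed from U-Boot's container_hdr / boot_img_t structs (packed, little-endian).
HDR = struct.Struct("<BHBIHBBHH")     # version, length, tag, flags, sw_ver, fuse_ver, num_images, sig_blk_offset, reserved
IMG = struct.Struct("<IIQQII64s32s")  # offset, size, dst, entry, hab_flags, meta, hash, iv
CONTAINER_TAG = 0x87                  # assumed container header tag
ALIGN = 0x400                         # container headers sit on 1 KB boundaries

def parse_container(blob, base):
    """Return length, image entries and the CSF 'Offsets' pair for the container at `base`."""
    if base % ALIGN:
        raise ValueError("container header 0x%x is not 1 KB aligned" % base)
    _ver, length, tag, _flags, _sw, _fuse, n_img, sig_off, _rsv = HDR.unpack_from(blob, base)
    if tag != CONTAINER_TAG:
        raise ValueError("no container tag at 0x%x (found 0x%02x)" % (base, tag))
    table_end = HDR.size + n_img * IMG.size
    if not table_end <= sig_off < length:
        raise ValueError("signature block offset 0x%x outside container" % sig_off)
    images = []
    for i in range(n_img):
        # Image offsets are taken as relative to the container header (assumption).
        off, size, dst, *_ = IMG.unpack_from(blob, base + HDR.size + i * IMG.size)
        if base + off + size > len(blob):
            raise ValueError("image %d runs past end of file" % i)
        images.append({"src": base + off, "size": size, "dst": dst})
    return {"length": length, "images": images, "csf_offsets": (base, base + sig_off)}

def build_sample(base, entries, sig_len=400):
    """Constructed test input: one container with (size, dst) image entries placed at `base`."""
    sig_off = HDR.size + len(entries) * IMG.size
    hdr = HDR.pack(0, sig_off + sig_len, CONTAINER_TAG, 0, 0, 0, len(entries), sig_off, 0)
    table, payload, data_off = b"", b"", 0x1000
    for size, dst in entries:
        table += IMG.pack(data_off, size, dst, dst, 0, 0, b"\0" * 64, b"\0" * 32)
        payload += b"\xa5" * size
        data_off += size
    return b"\0" * base + (hdr + table).ljust(0x1000, b"\0") + payload

if __name__ == "__main__":
    blob = build_sample(0x400, [(0x800, 0x80200000), (0x200, 0x83000000)])
    info = parse_container(blob, 0x400)
    print("Offsets = 0x%x 0x%x" % info["csf_offsets"])
    for n, img in enumerate(info["images"]):
        print("img %d, dst 0x%x, src 0x%x, size 0x%x" % (n, img["dst"], img["src"], img["size"]))
```
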