- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- imx8qxp-mek secure boot
imx8qxp-mek secure boot
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
imx8qxp-mek secure boot
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi team,
I am using the imx8qxp-mek board and trying to implement the secure boot in that
I have enable the OCNFIG_AHAB_BOOT config in uboot. and followed the instruction given in
/doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt
I am using the 6.1.54 linux kernel version and uboot version 2023.04 lf-6.1.36_2.1.0 version .
I have attached the output of
$ cd <work>/imx-mkimage
$ make SOC=iMX8QX flash
and I am using the below csf data to generate the signed img.
$ cd <work>
$ ./release/linux64/bin/cst -i csf_boot_image.txt -o flash.signed.bin
[Header]
Target = AHAB
Version = 1.0
[Install SRK]
# SRK table generated by srktool
File = "../crts/SRK_1_2_3_4_table.bin"
# Public key certificate in PEM format
Source = "../crts/SRK1_sha256_prime256v1_v3_ca_crt.pem"
# Index of the public key certificate within the SRK table (0 .. 3)
Source index = 0
# Type of SRK set (NXP or OEM)
Source set = OEM
# bitmask of the revoked SRKs
Revocations = 0x0
[Authenticate Data]
# Binary to be signed generated by mkimage
File = "flash.bin"
# Offsets = Container header Signature block (printed out by mkimage)
Offsets = 0x400 0x510
1) Is the above Authentication Data is Fine to use with mentioned Offsets .
2) Is the padding automatically happening during the process of building u-boot/kernel image ?
Regards,
Rk
Harvey021
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the above Authentication Data is Fine to use with mentioned Offsets.
-> It is fine.
Is the padding automatically happening during the process of building u-boot/kernel image?
-> 0x400 is padded to 1kb alignment.
Best regads
Harvey
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for reply,
I am signing the kernel for secure boot.
I have used the mentioned steps in the
https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/guides/sign_os_cntr.txt
But while build the kernel
$ make SOC=imx8qx flash_kernel
I was getting error for not found Image file. So i renamed the kernel image vmlinux-6.1.54-cip6+mel2 to Image.
1) Is this correct ?
Because I am not getting the Image what is mentioned in the imx-mkimage/iMX8QX/soc.mk for flash_kernel build.
After successfully building the kernel img container using above renamed method, I signed the kernel img using CST tool using below cmd
$./release/linux64/bin/cst -i csf_linux_img.txt -o os_cntr_signed.bin
I tried to load the kernel img to ram using sd card boot
=> load mmc 1:1 ${cntr_addr} /boot/os_cntr_signed.bin
But I got below error.
=> load mmc 1:1 ${cntr_addr} /opt/os_cntr_signed.bin
checksum verify failed on 22216704 found 000000DB wanted 000000E8
checksum verify failed on 22216704 found 00000054 wanted 00000038
checksum verify failed on 22216704 found 000000DB wanted 000000E8
bad tree block 22216704, bytenr mismatch, want=22216704, have=3757466704011408333
BTRFS: cannot read chunk root
Can't set block device
=>
2) I am using the uboot/include/configs/imx8qxp_mek.h file. Can we give both Image and os_contr_signed.bin as load
"loadimage=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${image}\0" \
"loadfdt=fatload mmc ${mmcdev}:${mmcpart} ${fdt_addr} ${fdt_file}\0" \
"loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \
Or Just for testing we can simply give the
I have tested with below command as mentioned in doc for testing the Os authentication
Note: OS image can also be authenticated by running a U-Boot command:
=> auth_cntr <Container address>
https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/guides/sign_os_cntr.txt
=> auth_cntr ${cntr_addr}
Authenticate OS container at 0x98000000
container length 672
img 0, dst 0x80200000, src 0x2550145024x, size 0x222dc00
img 1, dst 0x83000000, src 0x2585984000x, size 0x19400
I think 1st img0 is the Image(kernel img) and 2nd img1 is the dtb img.
1) Is the above authentication of images is good to go for flashing the keys ?
2) In the below lines mentioned in the include/configs/imx8qxp_mek.h
"loadimage=fatload mmc ${mmcdev}:${mmcpart} ${loadaddr} ${image}\0" \
+ "loadfdt=fatload mmc ${mmcdev}:${mmcpart} ${fdt_addr} ${fdt_file}\0" \
+ "loadcntr=fatload mmc ${mmcdev}:${mmcpart} ${cntr_addr} ${cntr_file}\0" \
+ "auth_os=auth_cntr ${cntr_addr}\0" \
+ "boot_os=booti ${loadaddr} - ${fdt_addr};\0" \
+ "mmcboot=echo Booting from mmc ...; " \
+ "run mmcargs; " \
+ "if test ${sec_boot} = yes; then " \
+ "if run auth_os; then " \
+ "run boot_os; " \
+ "else " \
+ "echo ERR: failed to authenticate; " \
+ "fi; " \
We are loading the unsigned img at loadaddr and then loading the singed image at cntr_addr.
Is this steps correct to verify the signed kernel img ? Why we are loading the unsigned and then signed kernel img ?
How to cross verify the signed kernel/uboot img ?
Please give suggestion on this .
Regards,
Rk
