I am working on getting uboot to load a secure kernel on a Boundary Devices Nitrogen8MM. I have already worked through the instructions at https://boundarydevices.com/high-assurance-boot-hab-i-mx8m-edition/ and eveything is working with a sigend uboot.
According to BoundaryDevices, they have been told by NXP that the next step is to get booi to auth the kernel by using this patch: https://github.com/boundarydevices/u-boot-imx6/commit/a20a5ee3c0 However, it's not working.
When I auth the kernel by hand using hab_auth_img, it appears to work just fine:
=> load mmc 1 ${loadaddr} Image
30009696 bytes read in 679 ms (42.1 MiB/s)
=> hab_auth_img ${loadaddr} ${filesize} 0x01c9d000
Authenticate image from DDR location 0x40480000...
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!
=>
But when just booting I get this:
Authenticating Image...
Authenticate image from DDR location 0x40800000...
Error: Invalid IVT structure
Allowed IVT structure:
IVT HDR = 0x4X2000D1
IVT ENTRY = 0xXXXXXXXX
IVT RSV1 = 0x0
IVT DCD = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF = 0xXXXXXXXX
IVT CSF = 0xXXXXXXXX
IVT RSV2 = 0x0
Authenticate Image Fail, Please check
Error loading kernel image
And, of course, if I don't use the patch then it boots just fine, but I need to auth the kernel before leading.
What am I missing?
Solved! Go to Solution.
It turns out the the kernel was being loaded at a non-standard location, so the signing script needed changed.
@adam_m
Hello,
1. Please check if parameters "ld", "image_size" in patch function authenticate_image(ld, image_size)
are the same as in case of manual verification -
hab_auth_img ${loadaddr} ${filesize}
2. Is IVT added to the kernel before signing?
Regards,
Yuri.
It turns out the the kernel was being loaded at a non-standard location, so the signing script needed changed.