CST uni_sign and u-boot esbc_validate mismatch

Question asked by ch6 on Nov 3, 2015
Latest reply on Nov 6, 2015 by Yiping Wang

I am trying to run the esbc_validate command from the u-boot command line for an ESBC image signed with CST's uni_sign tool.

It is a T4240QDS Rev 2.0 with SDK 1.8 on bank 4.


This required a modified u-boot to add CONFIG_CMD_ESBC_VALIDATE without defining CONFIG_SECBOOT so we can first test without burning the fuses.


In the 1st attempt, u-boot returned an error of "No SG support". This is due to a check in board/freescale/common/fsl_validate.c:652 to see if sg_flag in the header is non-zero:

    if (hdr->sg_flag)
        return ERROR_ESBC_CLIENT_HEADER_SG;

But in CST's uni_sign.c, the sg_flag is always set to 1.

Which one is correct for how the ISBC will process the CSF header file in a real Secure Boot scenario? Do I have the wrong set of CST or u-boot files?


In the 2nd attempt, u-boot was modified to omit the above check (no longer checking if sg_flag is non-zero). The error from u-boot is now "RSA verification failed".

So the key hash matches and u-boot is able to calculate a hash of the ESBC image, but the calculated image hash and the provided image hash from the CSF header are not matching.


For now, I have placed the images at the following memory locations for testing:

CSF header = 0xe8b00000

ESBC image = 0xe8a00000


And the call from u-boot command line is:

esbc_validate 0xe8b00000 <key hash>


Thank you for any help!