I am trying to run the esbc_validate command from the u-boot command line for an ESBC image signed with CST's uni_sign tool.
It is a T4240QDS Rev 2.0 with SDK 1.8 on bank 4.
This required a modified u-boot to add CONFIG_CMD_ESBC_VALIDATE without defining CONFIG_SECBOOT so we can first test without burning the fuses.
In the 1st attempt, u-boot returned an error of "No SG support". This is due to a check in board/freescale/common/fsl_validate.c:652 to see if sg_flag in the header is non-zero:
    if (hdr->sg_flag)
        return ERROR_ESBC_CLIENT_HEADER_SG;
But in CST's uni_sign.c, the sg_flag is always set to 1.
Which one is correct for how the ISBC will process the CSF header file in a real Secure Boot scenario? Do I have the wrong set of CST or u-boot files?
In the 2nd attempt, u-boot was modified to omit the above check (no longer checking if sg_flag is non-zero). The error from u-boot is now "RSA verification failed".
So the key hash matches and u-boot is able to calculate a hash of the ESBC image, but the calculated image hash and the provided image hash from the CSF header do not match.
For now, I have placed the images at the following memory locations for testing:
CSF header = 0xe8b00000
ESBC image = 0xe8a00000
And the call from u-boot command line is:
esbc_validate 0xe8b00000 <key hash>
Thank you for any help!