I was successfull in getting Secure Boot running through u-boot-imx-2013 (Secure Boot: [Authenticate Data] of CSF file for u-boot iMX6 ) and we recently moved to u-boot-denx-2015 for multi stage booting as we have read some reports about speed and effciency. Fortunately, we got the multi stage boot working. Now, we want to get the Secure Boot working also in this multi-stage booting. I am not sure this is the place to ask the current question but I am sure many people here can guide me here than else where. So, please bear with me.
Working - Normal Multi-stage Boot: This works like a charm
1. There are two main files SPL and u-boot.img
2. They are flashed onto the sd card
sudo dd if=SPL of=/dev/sdc bs=1k seek=1
sudo dd if=u-boot.img of=/dev/sdc bs=1k seek=69
3. seek=1 which means 0x400 (1KB) is to be left free and SPL has to be flashed
4. seek=69 means that SPL cannot be great than 68KB. After that it is u-boot.img
Not Working - Secure Multi-stage Boot:
- SPL is only 39936 Bytes (0x9C00) but devices like sd card and flash needs to be padded with 0x1000 (4KB). So, it is padded. 40960 Bytes (0xA000) is the new size.
- SPL hexdump looks like this SPL
- The SPL starts with IVT and therefore the Authenticate data of CSF file is as follows
- The CSF bin generated by CST is added to SPL.pad to generate SPL-signed.bin. This SPL-signed.bin is further padded to the size 0x1000
- I flashed the new SPL-signed.bin.pad and u-boot.img as in the Normal Multi-stage boot. Unfortunately it doesnt work.
- Is there any mistake in my above process to get secure boot running?
- I only sign the SPL image and not u-boot.img as I assume that the ROM only check the first part of the boot loader which is SPL in the current case. Is this wrong?
- How do I know at what RAM address is the u-boot.img is loaded to? Where in the code could that be written?
Ask me anything for more info, I would be happy to receive help from you guys.