AnsweredAssumed Answered

i.MX7D failed to boot from encrypted u-boot image

Question asked by Bobby Chen on Apr 24, 2019
Latest reply on Apr 25, 2019 by Bobby Chen

I've follow the document AN4581/AN12056 try to build a encrypted and signed u-boot image for i.MX7D board.

The signed image (AN4581) is completed and work fine, but encrypted image (AN12056) don't work.

The device is closed by program SEC_CONFIG[1] fuse and can boot form a correct signed image, next I try to build a encrypted and signed u-boot image by follow the procedure in document AN12056 but failed.

The image can't boot device, and console print nothing.

 

 

The detailed steps as follow:

  1. Done the procedure in AN4581 and boot the device with signed u-boot.
  2. Compile the CST to enable the encrypting feature.
  3. Modify file "csf_u-boot_enc.txt" and "csf_u-boot_sign_enc.txt".
  4. Encrypt the U-Boot image.
    • $ ./cst_encrypted -i csf_u-boot_enc.txt -o csf_u-boot_enc.bin
  5. Sign the encrypted U-Boot image.
    • $ ./cst_encrypted -i csf_u-boot_sign_enc.txt -o csf_u-boot_sign_enc.bin
  6. Swap Nonce/MAC from csf_u-boot_enc.bin to csf_u-boot_sign_enc.bin.
    • $ dd if=csf_u-boot_enc.bin of=noncemac.bin bs=1 skip=3936 count=36
    • $ dd if=noncemac.bin of=csf_u-boot_sign_enc.bin bs=1 seek=3936 count=36
  7. Generate encryptedu-boot with no dek.
    • $ objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0xff csf_u-boot_sign_enc.bin csf_u-boot_sign_enc.bin.pad
    • $ cat u-boot-dtb.imx-enc csf_u-boot_sign_enc.bin.pad > u-boot_encrypted_no_dek.bin
    • $ objcopy -I binary -O binary --pad-to 0x95c00 --gap-fill=0x00 u-boot_encrypted_no_dek.bin u-boot_encrypted_no_dek_padded.bin
  8. Generate the DEK Blob.
    • $ cp dek.bin /mnt/mmc
    • boot device by sd card and into u-boot CLI.
    • => fatload mmc 0 0x80800000 dek.bin; dek_blob 0x80800000 0x80801000 128; fatwrite mmc 0 0x80801000 dek_blob.bin 0x48
  9. Finalize the encrypted U-Boot image.
    • $ cp /mnt/mmc/dek_blob.bin ./
    • cat u-boot_encrypted_no_dek_padded.bin dek_blob.bin > u-boot_encrypted.bin
    • sudo dd if=u-boot_encrypted.bin of=/dev/sdc bs=512 seek=2 conv=fsync
  10. Boot device and nothing show on console.

 

I have no idea about how to debug it due to I can't to trace ROM code or download the HAB log. Any suggestion?

Attachments

Outcomes