I am looking for the complete set of steps for setting up secure AHAB boot on the imx8qm-mek board.
I can fully create U-Boot, kernel, DTB, and rootfs and boot without security. I have read the guide which is included in U-Boot (mx8-mx8x-secure-boot.txt), this white paper https://community.nxp.com/docs/DOC-343178 , etc., but I cannot seem to get all the steps.
Thank you
Stuart
Quang, this is a dumb question, but in U-Boot, did you run the "ahab_status" command? It should explicitly tell you what the SECO events are, or that there were none.
By the way, I did not use the SGK certificates. All of my signatures were with the SRK. (I'm not sure that matters, though.)
We were both on the same track that only one container was being signed. I did get it fixed. Here are the HIGHLY simplified steps to make a signed boot image for the SD card:
It's working now. I have "closed" the SECO and confirmed that I am doing the secure boot. Thank you.
Hi Stuart,
i have a similar problem as you with my board - maybe you can help me out.
i've built my flash.bin and signed it with my SRK and SGK Certificate.
In the next step i tried to verify my SECO events - no output on the SCFW terminal which is great.
To recheck the procedure of AHAB i tried the same flash.bin with the same SRK but with ANOTHER SGK which is NOT part of the PKI Tree - still no events on the terminal , but I expected an error message here.
Did you use a SGK for you secure boot? if yes, what exactly did you do?
Best Regards
Quang
Hi Stuart,
As per the SECO error 0x0087EE00, following is the reason:
1. 0x0087EE00 = The container image is not signed (doesn’t contain any signature), but the device is open, so
everything will boot up successfully
SECO Event[0] = 0x0087EE00
CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
IND = AHAB_NO_AUTHENTICATION_IND (0xEE)
When I boot the UNSIGNED image, as expected, it does boot, but I have AHAB events:=> ahab_statusLifecycle: 0x0020, NXP closedSECO Event[0] = 0x0087EE00CMD = AHAB_AUTH_CONTAINER_REQ (0x87)IND = AHAB_NO_AUTHENTICATION_IND (0xEE)SECO Event[1] = 0x0087EE00CMD = AHAB_AUTH_CONTAINER_REQ (0x87)IND = AHAB_NO_AUTHENTICATION_IND (0xEE)sc_seco_get_event: idx: 2, res:3What is interesting here are that there are TWO events (not just one).
Once I again, I program the new image, flash.signed.bin to the SD card with dd. Now, when I boot the signed SD card image, I get ONE AHAB event:=> ahab_statusLifecycle: 0x0020, NXP closedSECO Event[0] = 0x0087EE00CMD = AHAB_AUTH_CONTAINER_REQ (0x87)IND = AHAB_NO_AUTHENTICATION_IND (0xEE)sc_seco_get_event: idx: 1, res:3
Regards,
Utkarsh
Hi Stuart
one can refer to AN12312
Secure Boot on i.MX 8 and i.MX 8X Families using AHAB
and uboot documentation
ahab\imx\doc - uboot-imx - i.MX U-Boot
Best regards
igor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Igor, thank you for your response. I have previously gone through the referenced documentation. Unfortunately, there are some differences between what the guide tells you to expect from the "make SOC=iMX8QM flash" command and what I actually get.
Here is my output:
``stuart@build-server:~/imx8-secure-boot-experimental/imx-mkimage$ make SOC=iMX8QM flash
Compiling mkimage_imx8
Converting iMX8 DCD file
cc -E -Wp,-MD,.imx8qm_dcd.cfg.cfgtmp.d -nostdinc -Iinclude -I./lib -DDDR_TRAIN_IN_DCD=1 -x c -o imx8qm_dcd.cfg.tmp imx8qm_dcd_1.6GHz.cfg
./../mkimage_imx8 -commit > head.hash
758+1 records in
758+1 records out
776360 bytes (776 kB, 758 KiB) copied, 0.00195725 s, 397 MB/s
objcopy: 'hdmitxfw.bin': No such file
cat: hdmitxfw-pad.bin: No such file or directory
./../mkimage_imx8 -soc QM -c -scfw scfw_tcm.bin -c -ap u-boot-atf.bin a53 0x80000000 -out flash.bin
SOC: QM
New Container: 0
SCFW: scfw_tcm.bin
New Container: 1
AP: u-boot-atf.bin core: a53 addr: 0x80000000
Output: flash.bin
Platform: i.MX8QM
scfw size = 163264
AP image size = 0xdd8a8
AP image offset = 0x29000
DONE.
Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET``
And here is what the documentation tells us:
``If the command ends successfully, the end of the result should look
like:
CST: CONTAINER 0 offset: 0x400
CST: CONTAINER 0: Signature Block: offset is at 0x590
DONE.
Note: Please copy image to offset: IVT_OFFSET + IMAGE_OFFSET``
The outputs are different enough that I don't know what to do for the next step (1.5) when setting up the CSF file.
Can you please confirm:
The exact Git repositories w/ tags for both U-Boot and the imx-mkimage utilities?
Thank you
Hi Stuart
source.codeaurora.org/external/imx is official nxp repository
nxp linux documentation
i.MX Software and Development Tools | NXP
Best regards
igor
@stuartrubinI guess you figured it out?
I am trying to do pretty much the same thing but with ahab.
I have followed the steps:
1 - Sign the u-boot-atf-container.img (0x0 / 0x110)
2 - Sign the flash.bin (0x400, 0x510) with the signed-u-boot-atf-container.img (renamed u-boot-atf-container.img)
3 - Flash on device
The ahab_status show two events, one is AHAB_BAD_KEY_HASH_IND (expected because the efuse are not done yet), the other one is AHAB_NO_AUTHENTICATION_IND which should be AHAB_BAD_KEY_HASH_IND shouldnt it ?
I get the following ahab_status:
```
Lifecycle: 0x0020, NXP closed
SECO Event[0] = 0x0087FA00
CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
IND = AHAB_BAD_KEY_HASH_IND (0xFA)
SECO Event[1] = 0x0087EE00
CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
IND = AHAB_NO_AUTHENTICATION_IND (0xEE)
sc_seco_get_event: idx: 2
```
Thanks for your help
EDIT: I figured it out, I needed to dd the signed-u-boot-atf-container at the end of the signed flash bin
how did the u-boot-atf-container.img get built and how did you sign it?
1 - Sign the u-boot-atf-container.img (0x0 / 0x110)
Hi @Gandalf-kern
The u-boot-atf-container.img gets built in the imx-mkimage/imx-boot_... recipes.
To be able to use it, you need to append to the recipe to move it from the BOOT_STAGING directory to the DEPLOYDIR (or whatever other destination you like). You also going to need the boot-spl-container.img.
Once you have built and got these two files, you should be able to follow through the steps to sign them manually.
Hope this helps