i.MX8M secure boot HAB + FIT image

Question asked by thomaslinder on Jul 3, 2020
Latest reply on Jul 16, 2020 by Yuri Muhin

Hi guys,

Regarding the HAB on i.MX8M.

I know that i.MX6 HAB does not check the validity of the certificate. -> good for my project.

What about the i.MX8 series, or especially the i.MX8M? Is there a validity check for the certificate?

Thanks in advance!

And may I ask here...

Are there any hints for setting up FIT + pubkey in uboot.dtb with the "new" u-boot layout?

So far I'm able to do the u-boot verification with HAB and it works fine.

u-boot=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

u-boot=>

 

I'm also able to sign the FIT image with mkimage. The local check of the signature of the FIT image is working as well.

u-boot-imx8/tools/fit_check_sign 

Verifying Hash Integrity ... sha1,rsa2048:dev+
## Loading kernel from FIT Image at 7f366c0e9000 ...
Using 'conf@freescale_fsl-imx8mm-port-core-techshine.dtb' configuration
Verifying Hash Integrity ...
sha1,rsa2048:dev+
OK

Trying 'kernel@1' kernel subimage
Description: Linux kernel
Created: Thu Jun 25 14:04:04 2020
Type: Kernel Image
Compression: lzo compressed
Data Size: 8942282 Bytes = 8732.70 KiB = 8.53 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x40480000
Entry Point: 0x40480000
Hash algo: sha256
Hash value: f2a2bb34afe08591f1c7bea8866741b1dfff21fc134e61d28e1f257d8998f0db
Verifying Hash Integrity ...
sha256+
OK

Uncompressing Kernel Image ... Unimplemented compression type 4
## Loading fdt from FIT Image at 7f366c0e9000 ...
Using 'conf@freescale_fsl-imx8mm-port-core-techshine.dtb' configuration
Verifying Hash Integrity ...
sha1,rsa2048:dev+
OK

Trying 'fdt@freescale_fsl-imx8mm-port-core-techshine.dtb' fdt subimage
Description: Flattened Device Tree blob
Created: Thu Jun 25 14:04:04 2020
Type: Flat Device Tree
Compression: uncompressed
Data Size: 36093 Bytes = 35.25 KiB = 0.03 MiB
Architecture: AArch64
Hash algo: sha256
Hash value: 759cd7596fde70a1ca5eb925f5e7180e5e813d33d38bbc12b4eac3de2459b9ae
Verifying Hash Integrity ...
sha256+
OK

Loading Flat Device Tree ... OK

## Loading ramdisk from FIT Image at 7f366c0e9000 ...
Using 'conf@freescale_fsl-imx8mm-port-core-techshine.dtb' configuration
Verifying Hash Integrity ...
sha1,rsa2048:dev+
OK

Could not find subimage node

Signature check OK

 

The problem now is when I create the flash.bin including the pubkey in the u-boot.dtb. I guess I am doing something wrong in this step. On the target, u-boot is not able to find the key to verify the signed FIT image. (dtb name removed because of policy)

 

u-boot=> ext2load mmc 2:1 0x50480000 image_signed_yocto_portkey_rsa.fit
8980546 bytes read in 140 ms (61.2 MiB/s)
u-boot=> bootm 0x50480000
## Loading kernel from FIT Image at 50480000 ...
Using 'conf@freescale_fsl-imx8mm-x-x-x.dtb' configuration
Verifying Hash Integrity ... sha1,rsa2048:portkey- Failed to verify required signature 'key-portkey'
Bad Data Hash
ERROR: can't get kernel image!

 

 

I'm working with the doc files from u-boot.

 doc/imx/habv4/guides/mx8m_mx8mm_secure_boot.txt 

doc/uImage.FIT/signature.txt

doc/uImage.FIT/beaglebone_vboot.txt

Unfortunately I was not able to get it to work as it should...

It would be great if someone has a hint here.

 

Thanks guys
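
One way to check the "pubkey in the u-boot.dtb" step offline, as an added example that is not part of the original post and not U-Boot code: the Python below parses the signed FIT and the control u-boot.dtb (the one actually packed into flash.bin) as flattened device trees and lists FIT signature nodes that have no /signature/key-* node with the same key-name-hint and algo in the DTB. The property names are the ones described in doc/uImage.FIT/signature.txt; the function names and the rule that algo must match exactly are assumptions of this example.

```python
import struct, sys

def fdt_nodes(blob):
    """Yield (path, {property: raw bytes}) for every node of a flattened device tree."""
    magic, _total, off_struct, off_strings = struct.unpack_from(">4I", blob)
    if magic != 0xD00DFEED:
        raise ValueError("not a flattened device tree")
    pos, stack = off_struct, []
    while True:
        (token,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if token == 1:      # FDT_BEGIN_NODE: NUL-terminated name, padded to 4 bytes
            end = blob.index(b"\0", pos)
            stack.append((blob[pos:end].decode(), {}))
            pos = (end + 4) & ~3
        elif token == 2:    # FDT_END_NODE: node complete, report it
            yield "/".join(name for name, _ in stack) or "/", stack.pop()[1]
        elif token == 3:    # FDT_PROP: length, name offset into strings block, value
            length, name_off = struct.unpack_from(">2I", blob, pos)
            start = off_strings + name_off
            name = blob[start:blob.index(b"\0", start)].decode()
            stack[-1][1][name] = blob[pos + 8:pos + 8 + length]
            pos = (pos + 8 + length + 3) & ~3
        elif token == 9:    # FDT_END
            return
        elif token != 4:    # anything other than FDT_NOP
            raise ValueError("corrupt structure block")

def text(props, name):      # string property as str, None when absent or empty
    return props.get(name, b"").rstrip(b"\0").decode() or None

def control_keys(dtb):
    """{key-name-hint: algo} for each /signature/key-* node of the control DTB."""
    return {text(p, "key-name-hint"): text(p, "algo") for path, p in fdt_nodes(dtb)
            if path.startswith("/signature/") and path.count("/") == 2}

def fit_signatures(fit):
    """[(node path, key-name-hint, algo)] for each signature node carrying a value."""
    return [(path, text(p, "key-name-hint"), text(p, "algo")) for path, p in fdt_nodes(fit)
            if path.rsplit("/", 1)[-1].startswith("signature") and "value" in p]

def unmatched(fit, dtb):
    """FIT signatures with no same-named, same-algo key in the DTB (this example's rule)."""
    keys = control_keys(dtb)
    return [s for s in fit_signatures(fit) if None in s or keys.get(s[1]) != s[2]]

if __name__ == "__main__" and len(sys.argv) == 3:   # args: <signed.fit> <u-boot.dtb>
    fit, dtb = (open(p, "rb").read() for p in sys.argv[1:3])
    for path, hint, algo in unmatched(fit, dtb):
        print(f"{path}: no key '{hint}' with algo {algo} under /signature in the DTB")
```

An empty result only means the names and algorithms line up; it does not prove that the modulus stored in the DTB belongs to the private key used for signing.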
