S32G-RDB2 secure boot example is not working

2,726 Views
tylor
Contributor I

Hello,

I tried to follow the example of secure boot (kernel sign verification in Chapter 10.3.2 in the manual) step by step. (BSP v33)

I made the FIT file successfully and tried to load it and boot, but it failed with the message below.

(I'm using SD-Card at the moment.)

1. What is the Kernel load and entry address for S32G-RDB2?

- I set it to 0x810000000 now.

2. Where can I set the rootfs partition on the SD card? (e.g. /dev/mmcblk0p2)

Please refer to the message below and reply. Thank you in advance.

 

NOTICE: Reset status: Power-On Reset
NOTICE: BL2: v2.5(release):bsp33.0-2.5
NOTICE: BL2: Built : 10:30:20, Jun 21 2023
NOTICE: BL2: Booting BL31


U-Boot 2020.04-dirty (Jun 21 2023 - 10:27:04 +0900)

CPU: NXP S32G274A rev. 2.0
Model: NXP S32G274A-RDB2
DRAM: 3.5 GiB
MMC: FSL_SDHC: 0
Loading Environment from MMC... OK
Using external clock for PCIe0, CRNS
Configuring PCIe0 as RootComplex(x2)
Using external clock for PCIe1, CRNS
Frequency 125Mhz configured for PCIe1
Configuring PCIe1 as SGMII(x2) [XPCS0 2.5G, XPCS1 OFF]
Setting PCI Device and Vendor IDs to 0x4002:0x1957
PCIe0: Failed to get link up
Pcie0: LINK_DBG_1: 0x00000000, LINK_DBG_2: 0x00000800 (expected 0x000000d1)
DEBUG_R0: 0x00019900, DEBUG_R1: 0x08200000
PCI: Failed autoconfig bar 20
PCI: Failed autoconfig bar 24
PCIe1: Not configuring PCIe, PHY not configured
In: serial@401c8000
Out: serial@401c8000
Err: serial@401c8000
Board revision: RDB2/GLDBOX Revision D
Net: EQOS phy: rgmii @ 1

Warning: eth_eqos (eth0) using random MAC address - aa:0e:4d:58:ea:9b
eth0: eth_eqos PFE: emac0: sgmii emac1: none emac2: rgmii
PFEng firmware file 'mmc@0:1:s32g_pfe_class.fw' loading failed: -2

Hit any key to stop autoboot: 0
=>
=>
=>
=> fatload mmc 0:1 0x80000000 output.itb
13848849 bytes read in 610 ms (21.7 MiB/s)
=> run mmcargs
=> iminfo

## Checking Image at 80000000 ...
FIT image found
FIT description: kernel+dtb/fdt fit image
Image 0 (kernel@1)
Description: kernel image
Type: Kernel Image
Compression: uncompressed
Data Start: 0x800000cc
Data Size: 13824072 Bytes = 13.2 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x81000000
Entry Point: 0x81000000
Hash algo: sha1
Hash value: eb0d0410ca15bd8ba3cdacdbb885d480161d6e91
Image 1 (fdt@1)
Description: dtb blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x80d2f20c
Data Size: 22874 Bytes = 22.3 KiB
Architecture: AArch64
Hash algo: sha1
Hash value: 8f65394358c47a6f3aa003a8384e7f3f3131ebeb
Default Configuration: 'conf@1'
Configuration 0 (conf@1)
Description: unavailable
Kernel: kernel@1
FDT: fdt@1
Sign algo: sha1,rsa2048:boot_key
Sign value: 3c4df47d7a3e84e16a56d9531059160424c7bef9cc1e9c0fd9af391cdb65029fef9ed4e492713999eed0ad2f3fc7117c9827d5579480e25202d8b7a9cfcf3262ac61cfa9dc28b924fd0d2893063a5a3f39504aff0bd0644ebbdff6678c3e1bf73b33e6b18096a183e22b5ff0a5e4e1b541ab86ec1750938aa4c9c2b51abbc093287644718cdf783a7f960eb9e7564c4ad24a7c3f2faac6ef110d6ab7b37adaf76b9b5d4868fc258349eebd43d46096d05e369bf12174001de876165e9595dee60886c8894c1dc02ba302e8e55c94ba5596e6ec3ba000227101c3afc5fe79ede2571c8a00458c4c72301b8409c37245132129a5a3fdedeca4b54eb74dc3adc07d
## Checking hash(es) for FIT Image at 80000000 ...
Hash(es) for Image 0 (kernel@1): sha1+
Hash(es) for Image 1 (fdt@1): sha1+
=> bootm 0x80000000
## Loading kernel from FIT Image at 80000000 ...
Using 'conf@1' configuration
Verifying Hash Integrity ... sha1,rsa2048:boot_key+ OK
Trying 'kernel@1' kernel subimage
Description: kernel image
Type: Kernel Image
Compression: uncompressed
Data Start: 0x800000cc
Data Size: 13824072 Bytes = 13.2 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x81000000
Entry Point: 0x81000000
Hash algo: sha1
Hash value: eb0d0410ca15bd8ba3cdacdbb885d480161d6e91
Verifying Hash Integrity ... sha1+ OK
## Loading fdt from FIT Image at 80000000 ...
Using 'conf@1' configuration
Verifying Hash Integrity ... sha1,rsa2048:boot_key+ OK
Trying 'fdt@1' fdt subimage
Description: dtb blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x80d2f20c
Data Size: 22874 Bytes = 22.3 KiB
Architecture: AArch64
Hash algo: sha1
Hash value: 8f65394358c47a6f3aa003a8384e7f3f3131ebeb
Verifying Hash Integrity ... sha1+ OK
Booting using the fdt blob at 0x80d2f20c
Loading Kernel Image
Using Device Tree in place at 0000000080d2f20c, end 0000000080d37b65
Failed to get offset of '/clocks/serdes_100_ext' node
Failed to set the clock for SerDes0
Failed to get 'serdes1' alias
Failed to set the clock for SerDes1
Failed to get 'serdes1' alias
Failed to set mode for SerDes1

Starting kernel ...

"Synchronous Abort" handler, esr 0x02000000
elr: 0000000081000000 lr : 00000000ffaa27e4 (reloc)
elr: 0000000081000000 lr : 00000000ffaa27e4
x0 : 0000000080d2f20c x1 : 0000000000000000
x2 : 0000000000000000 x3 : 0000000000000000
x4 : 0000000081000000 x5 : 0000000000000001
x6 : 0000000000000004 x7 : 0000000000000000
x8 : 00000000ffde4c18 x9 : 0000000000000002
x10: 000000000a200023 x11: 0000000000000002
x12: 0000000000000002 x13: 0000000000000000
x14: 00000000ffa99000 x15: 00000000ffaa1b08
x16: 00000000ffae4e10 x17: 0000000000000000
x18: 00000000ffa01e70 x19: 00000000ffb473e0
x20: 0000000000000000 x21: 0000000000000400
x22: 0000000000000001 x23: 00000000ffe0d6c8
x24: 00000000ffe0d6c8 x25: 00000000ffb327c0
x26: 0000000000000000 x27: 00000000ffaa27f0
x28: 00000000800000cc x29: 00000000ffde4c50

Code: 00000000 00000000 00000000 00000000 (56190527)
Resetting CPU ...

resetting ...

0 Kudos
14 Replies
2,685 Views
MayanksPatel
NXP Employee
NXP Employee

Hi @tylor,

How did you get the kernel load address 0x810000000?

The issue does not seem to be on the secure boot side, as it is authenticating the kernel. I think the issue is in the device tree which you are flashing.

Please check your device tree: have you added all peripheral nodes to it?

 

Thanks,

Mayank s Patel

0 Kudos
2,673 Views
tylor
Contributor I

Hello @MayanksPatel,

Thank you for your reply.

I tried load addresses 0x80000000 and 0x810000000 because the BSP manual and the U-Boot environment provide me the address for kernel load. (And I referred to the S32G reference manual to find the A53 memory address, and I think 0x8xxxxxxxx can be used.)

Actually, I used the device tree dts file of branch bsp33.0-2.5 in arm-trusted-firmware for your example in the BSP manual. And I made the .itb file from the .its file below using the mkimage tool.

(I can boot successfully without any modification if I use the dts files in the branch, but it's not working if I use the image made by the mkimage tool.)

 

/dts-v1/;
/ {
    description = "kernel+dtb/fdt fit image";
    #address-cells = <1>;
    images {
        kernel@1 {
            description = "kernel image";
            data = /incbin/("/home/test/linux/arch/arm64/boot/Image");
            type = "kernel";
            arch = "arm64";
            os = "linux";
            compression = "none";
            load = <0x81000000>;
            entry = <0x81000000>;
            kernel-version = <1>;
            hash@1 {
                algo = "sha1";
            };
        };
        fdt@1 {
            description = "dtb blob";
            data = /incbin/("/home/test/arm-trusted-firmware/build/s32g274ardb2/release/fdts/s32g274a-rdb2.dtb");
            type = "flat_dt";
            arch = "arm64";
            compression = "none";
            fdt-version = <1>;
            hash@1 {
                algo = "sha1";
            };
        };
    };
    configurations {
        default = "conf@1";
        conf@1 {
            kernel = "kernel@1";
            fdt = "fdt@1";
            signature@1 {
                algo = "sha1,rsa2048";
                key-name-hint = "boot_key";
                sign-images = "kernel", "fdt";
            };
        };
    };
};

 

 

Please let me know where I can find the reference or how to update device tree for my case. Then I can try to update my device tree file.

 

0 Kudos
2,635 Views
MayanksPatel
NXP Employee
NXP Employee

Hi @tylor,

Why do you need to create an image by mkimage tool? Is there a use case?

Are you changing the default .dts file while using mkimage tool?

 

Thanks,

Mayank s Patel

0 Kudos
2,631 Views
tylor
Contributor I

Hello, @MayanksPatel .

I'm trying to do part 10.3.2 Setup Kernel Authentication in "S32G2_LinuxBSP_33.0_User_Manual.pdf".

And in your 8th step for that part, the manual describes how to make the FIT image with the mkimage tool. (Refer to the 8th step below.)

I did not change any .dtb file and made the FIT image with the .its file I already posted.

8. Sign the kernel image and pack it into a FIT image
After the kernel has been compiled, from the u-boot directory, run:
tools/mkimage -f ../linux/<its-filename>.its \
    -K ../arm-trusted-firmware/build/<board>/release/fdts/<dtb-filename>.dtb \
    -k ../kernel_keys \
    -r <itb-filename>.itb

The resulting FIT image must be copied to the boot partition of the SD Card.

And the next step is to load the FIT image and boot, but it is not working.

(I can find the key verification OK log when I boot with the bootm command, but it resets right after loading the kernel.)

9. Rebuild the ARM Trusted Firmware
The ARM Trusted Firmware must be rebuilt to include the DTB in which the key was placed in the previous step.

10. Boot the board and stop at U-Boot command line
To optionally enable U-Boot secure boot, run:
=> hse_secboot_enable <rsa_public_key>.der
Copy the FIT image from the SD Card to memory:
=> fatload mmc 0:1 <load-address> <fit-image-name>
U-Boot must use the bootm command to boot, not booti. Trying to boot using booti will display the "Bad Linux ARM64 Image magic!" error, since the header for the FIT image is not recognized by booti.
=> run mmcargs
=> bootm <load-address>
To check if the FIT image loaded on the board is correct, run:
iminfo

The command will check the hashes of the image, dtb, and configuration, but will not check if the FIT image is properly signed.

 

 

 

 
 
 
0 Kudos
2,584 Views
MayanksPatel
NXP Employee
NXP Employee

Hi @tylor,

We need help from you to resolve the issue.

Please provide a detailed log for each step you did as per 10.3.2 Setup Kernel Authentication in the UM. I would like to check it.

And, by the way, is there any booting issue when Kernel authentication was not enabled?

 

Thanks,

Mayank s Patel

 
0 Kudos
2,573 Views
tylor
Contributor I

Hello, @MayanksPatel 

I've attached some logs I used for the FIT image based on the UM.

I lost the previous logs, so I retried part 10.3 in the UM, focusing on the 10.3.2 part. I created an image in the same way and tested it, but unlike the last time, there was a problem with the verification of the FIT file. The process I performed is what you explained in the manual, and only the paths have been changed to suit me.

And we're considering verifying the boot process from your HSE -> u-boot -> kernel for security purposes, so ensuring the boot process is important.

Please look at the attached file and check if there are any problems with the process I went through.

 
 
 
 
0 Kudos
2,568 Views
MayanksPatel
NXP Employee
NXP Employee

Hi @tylor,

Thanks for updating the logs. I've created a ticket with the internal team and will get back to you once anything is needed.

 

Thanks,

Mayank s Patel

0 Kudos
2,505 Views
MayanksPatel
NXP Employee
NXP Employee

Hi @tylor,

 

The internal team checked the log and suggested the changes below:

1. After running the mkimage tool, you need to re-build atf; as shown in the UM:

9. Rebuild the ARM Trusted Firmware

The ARM Trusted Firmware must be rebuilt to include the DTB in which the key was placed in the previous step.

2. I noticed in the file for_linux.its that the load & entry address for the kernel was set to 0x80000000, so use a different address for loading output.itb. For example: fatload mmc 0:1 90000000 output.itb

3. Try setting the env variable fdt_high to a0000000 before 'run mmcargs': setenv fdt_high a0000000

4. In my tests, for the first time after running 'hse_secboot_enable', kernel boot will fail; but for following re-booting, it works well without issue. 

 

Hope this helps.

 

Thanks,

Mayank s Patel

 
 
0 Kudos
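As an added example (not NXP's or U-Boot's code), this Python sketch audits a `bootm` log in the format shown in this thread: it flags a FIT blob whose RAM range overlaps the kernel load range (point 2 above) and reports whether a configuration signature line such as `sha1,rsa2048:boot_key+ OK` was printed, since the manual notes that `iminfo` only checks hashes. The sample log is constructed, the function name is hypothetical, and the kernel is assumed to be the first subimage listed.

```python
import re

# Constructed sample: bootm output in the format shown in this thread, with the
# FIT loaded at the same address as the kernel load address.
SAMPLE_LOG = """\
## Loading kernel from FIT Image at 80000000 ...
   Using 'conf@1' configuration
   Verifying Hash Integrity ... sha1,rsa2048:boot_key+ OK
   Trying 'kernel@1' kernel subimage
     Data Start:   0x800000cc
     Data Size:    13824008 Bytes = 13.2 MiB
     Load Address: 0x80000000
     Entry Point:  0x80000000
   Verifying Hash Integrity ... sha1+ OK
## Loading fdt from FIT Image at 80000000 ...
   Using 'conf@1' configuration
   Trying 'fdt@1' fdt subimage
     Data Start:   0x80d2f1cc
     Data Size:    30042 Bytes = 29.3 KiB
   Verifying Hash Integrity ... sha1+ OK
"""

def audit_bootm_log(log):
    """Hypothetical helper: extract address ranges and signature lines."""
    hexnum = r"([0-9a-fA-F]+)"
    fit_base = int(re.search(r"from FIT Image at " + hexnum, log).group(1), 16)
    starts = [int(x, 16) for x in re.findall(r"Data Start:\s+0x" + hexnum, log)]
    sizes = [int(x) for x in re.findall(r"Data Size:\s+(\d+) Bytes", log)]
    # The FIT blob occupies RAM at least up to the end of its last subimage.
    fit_end = max(start + size for start, size in zip(starts, sizes))
    load = int(re.search(r"Load Address:\s+0x" + hexnum, log).group(1), 16)
    kernel_end = load + sizes[0]  # assumption: the kernel is listed first
    # Hash-only lines read "sha1+ OK"; a verified signature reads
    # "<hash>,<rsa>:<key-name>+ OK", so the colon separates the two cases.
    sig = re.findall(r"Verifying Hash Integrity \.\.\. (\S+):(\S+)\+ OK", log)
    return {
        "fit_range": (fit_base, fit_end),
        "kernel_range": (load, kernel_end),
        "overlap": load < fit_end and fit_base < kernel_end,
        "config_sig_keys": [key for _algo, key in sig],
    }

if __name__ == "__main__":
    result = audit_bootm_log(SAMPLE_LOG)
    print("FIT blob:    0x%x-0x%x" % result["fit_range"])
    print("kernel dest: 0x%x-0x%x" % result["kernel_range"])
    print("overlap:", result["overlap"])
    print("signature keys verified:", result["config_sig_keys"] or "NONE")
```

An empty `config_sig_keys` list means the log shows only hash checks, so the boot gives no evidence that the configuration signature was enforced.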
2,473 Views
MayanksPatel
NXP Employee
NXP Employee

Hi @tylor,

I noticed that in for_linux.its.txt the dtb file used was from ATF. That is not correct; the dtb for Linux (linux/arch/arm64/boot/dts/freescale/...) should be used:

                fdt@1 {
                        description = "dtb blob";
                        data = /incbin/("/home/ty.lim/secure_temp/source/arm-trusted-firmware/build/s32g274ardb2/release/fdts/s32g274a-rdb2.dtb");
                        type = "flat_dt";
                        arch = "arm64";
                        compression = "none";
                        fdt-version = <1>;
                        hash@1 {
                            algo = "sha1";
                        };
                };

 Hope this helps.

 

Thanks,

Mayank s Patel

0 Kudos
2,455 Views
tylor
Contributor I

Hi, @MayanksPatel .

Finally it works!

Thanks for your support.

0 Kudos
2,445 Views
MayanksPatel
NXP Employee
NXP Employee

Hi @tylor,

Can we close this ticket?

 

Thanks,

Mayank s Patel

0 Kudos
2,435 Views
tylor
Contributor I

Hi @MayanksPatel 

I think you can close this ticket. Thank you!

 

0 Kudos
2,488 Views
tylor
Contributor I

Hello, @MayanksPatel 

Thank you for your support.

I tried setting fdt_high and changed the address to conflict with the .itb file.

I think the kernel starts successfully, but now it cannot load the fdt file.

Are there more tasks to do before the bootm command? I attached a log file of the U-Boot environment from the print command. (I tried the commands below.) Could you check it once more in case I missed something?

(

    => fatload mmc 0:1 0x90000000 output.itb
    => setenv fdt_high a0000000
    => run mmcargs
    => iminfo 0x90000000
    => bootm 0x90000000

)

Thanks in advance.

 

 

 

 

=> bootm 0x90000000
## Loading kernel from FIT Image at 90000000 ...
   Using 'conf@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  kernel image
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x900000cc
     Data Size:    13824008 Bytes = 13.2 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x80000000
     Entry Point:  0x80000000
     Hash algo:    sha1
     Hash value:   f86b480fd9b21b15d76f73a3e3de153fd7cf62b6
   Verifying Hash Integrity ... sha1+ OK
## Loading fdt from FIT Image at 90000000 ...
   Using 'conf@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  dtb blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x90d2f1cc
     Data Size:    30042 Bytes = 29.3 KiB
     Architecture: AArch64
     Hash algo:    sha1
     Hash value:   d5b55721c778d5f568af230773506f48425a6d3f
   Verifying Hash Integrity ... sha1+ OK
   Booting using the fdt blob at 0x90d2f1cc
   Loading Kernel Image
   Loading Device Tree to 000000009fff5000, end 000000009ffff559 ... OK
Failed to get offset of '/clocks/serdes_100_ext' node
Failed to set the clock for SerDes0
Failed to get 'serdes1' alias
Failed to set the clock for SerDes1
Failed to get 'serdes1' alias
Failed to set mode for SerDes1

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[    0.000000] Linux version 5.10.109-rt65 (ty.lim@labriego) (aarch64-none-linux-gnu-gcc (GNU Toolchain for the A-profile Architecture 10.2-2020.11 (arm-10.16)) 10.2.1 20201103, GNU ld (GNU Toolchain for the A-profile Architecture 10.2-2020.11 (arm-10.16)) 2.35.1.20201028) #1 SMP PREEMPT Wed Jul 12 11:38:48 KST 2023
[    0.000000] Machine model: NXP S32G274A-RDB2
[    0.000000] earlycon: linflex0 at MMIO 0x00000000401c8000 (options '115200n8')
[    0.000000] printk: bootconsole [linflex0] enabled
[    0.000000] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP
[    0.000000] Modules linked in:
[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 5.10.109-rt65 #1
[    0.000000] Hardware name: NXP S32G274A-RDB2 (DT)
[    0.000000] pstate: 60000085 (nZCv daIf -PAN -UAO -TCO BTYPE=--)
[    0.000000] pc : fdt_check_header+0x8/0x130
[    0.000000] lr : __unflatten_device_tree+0x34/0x180
[    0.000000] sp : ffffffc010c93ea0
[    0.000000] x29: ffffffc010c93ea0 x28: 0000000080b40018
[    0.000000] x27: 00000000ffaa27f0 x26: 0000000000000000
[    0.000000] x25: 00000000ffb30a28 x24: 0000000000000000
[    0.000000] x23: ffffffc010d5a8d0 x22: 0000000000000000
[    0.000000] x21: fffffffefe7f5000 x20: ffffffc010b663b4
[    0.000000] x19: ffffffc010b663b4 x18: 0000000000000005
[    0.000000] x17: 0000000000001800 x16: 0000000000000000
[    0.000000] x15: 0000000000000030 x14: 0000000000200000
[    0.000000] x13: 00000000ff800000 x12: 0000000000000000
[    0.000000] x11: 0000000000006000 x10: 000000009fff5000
[    0.000000] x9 : 0000000000000000 x8 : 0000000000000000
[    0.000000] x7 : 0000000000801000 x6 : ffffffc010d4d8c8
[    0.000000] x5 : ffffffc010d4d850 x4 : 0000000000000000
[    0.000000] x3 : ffffffc010b663b4 x2 : ffffffc010d5a8d0
[    0.000000] x1 : fffffffefe7f5000 x0 : fffffffefe7f5000
[    0.000000] Call trace:
[    0.000000]  fdt_check_header+0x8/0x130
[    0.000000]  unflatten_device_tree+0x38/0x50
[    0.000000]  setup_arch+0x278/0x58c
[    0.000000]  start_kernel+0x70/0x4e4
[    0.000000] Code: d50323bf d65f03c0 d503245f aa0003e1 (b9400000)
[    0.000000] random: get_random_bytes called from oops_exit+0x38/0xd0 with crng_init=0
[    0.000000] ---[ end trace 0000000000000000 ]---
[    0.000000] Kernel panic - not syncing:
[    0.000000] Attempted to kill the idle task!
[    0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]---

 

 

 

 

 

 
 
 
0 Kudos
2,607 Views
MayanksPatel
NXP Employee
NXP Employee

Hi @tylor,

I have created a ticket with the internal team. I will get back to you soon.

 

Thanks,

Mayank s Patel

0 Kudos