FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Boot fail with secure OS

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Boot fail with secure OS

‎11-01-2019 12:22 AM
1,180 Views
owenchiu
Contributor I

Hi,
I am enabling secure boot with iMX8XQ platform.
My platform boots with SD card.
It can boot up with secure u-boot, but boot fail with secure OS.
Below is boot log:
=====>
mmc1 is current device

** Unable to read file boot.scr **

** Unable to read file os_cntr_signed.bin **

Booting from net ...

ethernet@5b040000 Waiting for PHY auto negotiation to complete.........TIMEOUT !

Could not initialize PHY ethernet@5b040000

BOOTP broadcast 1

BOOTP broadcast 2

BOOTP broadcast 3

BOOTP broadcast 4

BOOTP broadcast 5

BOOTP broadcast 6

BOOTP broadcast 7

BOOTP broadcast 8

BOOTP broadcast 9

BOOTP broadcast 10

BOOTP broadcast 11

BOOTP broadcast 12

BOOTP broadcast 13

BOOTP broadcast 14

BOOTP broadcast 15

BOOTP broadcast 16

BOOTP broadcast 17  
Retry time exceeded; starting again

Authenticate OS container at 0x88000000 

Wrong container header

ERR: failed to authenticate  
<====

From boot log, system can't find signed OS file.

I used below command to copy OS container to system.
$ sudo cp os_cntr_signed.bin /media/root/Boot/imx8qx

The command to copy OS container to system in mx8_mx8x_secure_boot.txt is:
  $ sudo cp os_cntr_signed.bin /media/UserID/Boot\ imx8qx

What is wrong with my command?

Best Regards,
Owen Chiu

0 Kudos
Reply
2 Replies

‎11-03-2019 07:27 PM
1,009 Views
owenchiu
Contributor I

Hi Bio_TICFSL   ,

Thanks for your reply.
I connected ethernet and retested again.

System still can't read os_cntr_signed.bin.

The new test log is as below.

 

I did copy os_cntr_signed.bin before uboot. I sent os_cntr_signed.bin to SD card with "sudo cp os_cntr_signed.bin /media/root/Boot/imx8qx" command on PC. Then I used this SD card  as boot device to boot my target board.

If the location of os_cntr_signed.bin is correct, system shall read os_cntr_signed.bin without problem. That's not the case.

I am not sure the path of "sudo cp os_cntr_signed.bin /media/UserID/Boot\ imx8qx" in mx8_mx8x_secure_boot.txt is correct or not. If boot device is SD card, the UserID is root and the platform is imx8qx, do you think what is the exact path?

 

New test log :

===>

U-Boot 2018.03-g0d267d5-dirty (Nov 01 2019 - 11:56:27 +0800)
CPU: Freescale i.MX8QXP revB A35 at 1200 MHz at 31C
Model: DFI.Inc i.MX8QXP F8700
Board: iMX8QXP MEK
Boot: SD1
DRAM: 4 GiB
setup_typec lookup gpio@1a_7 failed ret = -22
MMC: FSL_SDHC: 0, FSL_SDHC: 1
Loading Environment from MMC... *** Warning - bad CRC, using default environment

Failed (-5)
TX PLL is not locked.
[board_video_skip] 17
[enable_lvds] 632
lvds2hdmi_setup: Can't find device id=0x4c, on bus 13
Display: M101NWWB_R3 (1280x800)
In: serial
Out: serial
Err: serial

BuildInfo:
- SCFW f0226b37, SECO-FW 9d71fd5b, IMX-MKIMAGE 2cf091c0, ATF d6451cc
- U-Boot 2018.03-g0d267d5-dirty

switch to partitions #0, OK
mmc1 is current device
flash target is MMC:1
Net:
Warning: ethernet@5b040000 (eth0) using random MAC address - 8a:de:be:a1:a3:0f
eth0: ethernet@5b040000 [PRIME]
Warning: ethernet@5b050000 (eth1) using random MAC address - 06:d2:93:d7:1b:64
, eth1: ethernet@5b050000
Fastboot: Normal
Normal Boot
Hit any key to stop autoboot: 3 2 1 0
switch to partitions #0, OK
mmc1 is current device
** Unable to read file boot.scr **
** Unable to read file os_cntr_signed.bin **
Booting from net ...
BOOTP broadcast 1
DHCP client bound to address 172.18.8.45 (18 ms)
Using ethernet@5b040000 device
TFTP from server 172.18.0.32; our IP address is 172.18.8.45
Filename 'SMSBoot\x64\wdsnbp.com'.
Load address: 0x88000000
Loading: * ## Warning: gatewayip needed but not set
###
2.7 MiB/s
done
Bytes transferred = 30832 (7870 hex)
Authenticate OS container at 0x88000000
Wrong container header
ERR: failed to authenticate

<=====

Best Regards,

Owen Chiu

0 Kudos
Reply

‎11-01-2019 08:20 AM
1,009 Views
Bio_TICFSL
NXP TechSupport
NXP TechSupport

Hello Owen,

In the boot mode you can find that the commands used for sending the kernel, device tree and rootfs here are missing. This is because you don´t have configuration of the Ethernet or you have not connected to ethernet, as well os_cntr_signed.bin you must copy before uboot.

regards

 

 

0 Kudos
Reply