Code signing tool error with uboot compiled from source

2,139 Views
uboot_problem
Contributor I

Hi,

I've been compiling a uboot with secure boot support & I've been somewhat successful in that with my device I can see the hab logs with "hab_status". I've also generated the signature keys (mostly following this: https://boundarydevices.com/high-assurance-boot-hab-i-mx8m-edition/)

I've extracted the offsets from the "OFFSET dump" in the uboot compile process. Also I've run the print_fit_hab.sh to get the offsets that are specific to the csf files.

After that I created the necessary csf_spl.txt & csf_fit.txt files with those offsets & the key locations in place. Running the cst tool for the csf_spl.txt file works fine, but csf_fit.txt causes the following to be output:

Install SRK
Install CSFK
Authenticate CSF
Install key
Authenticate data
Failed reading file flash.bin 

 Is there any way to check the integrity of my flash.bin file, or am I using some wrong file? It is generated by the uboot compile process as "u-boot.imx" and that's what I'm flashing onto the device.

Other files that are generated were the bl31.bin, u-boot.dtb, u-boot.bin & u-boot-nodtb.bin

CST version is 3.3.1

0 Kudos
2,119 Views
Zhiming_Liu
NXP TechSupport
0 Kudos
2,088 Views
uboot_problem
Contributor I

Hi,

Is there any other possibly helpful info on this issue?

0 Kudos
2,104 Views
uboot_problem
Contributor I

I looked at the imx-mkimage for generating the flash.bin. I managed to find all necessary files (ddr firmware, uboot bin & dtb files, atf image, hdmi firmware)

I placed those into the iMX8M folder of the imx-mkimage tool. After that I ran make and got the following.

make SOC=iMX8M flash_hdmi_spl_uboot
Compiling mkimage_imx8
./mkimage_fit_atf.sh fsl-imx8mq-evk.dtb > u-boot.its
bl31.bin size:
32857
u-boot-nodtb.bin size:
658552
fsl-imx8mq-evk.dtb size:
23006
./mkimage_uboot -E -p 0x3000 -f u-boot.its u-boot-lpddr4.itb
make[1]: ./mkimage_uboot: Command not found
make[1]: *** [soc.mak:57: u-boot-lpddr4.itb] Error 127
make: *** [Makefile:20: flash_hdmi_spl_uboot] Error 2

Instead of the mkimage_uboot binary, the tool seems to create a mkimage_imx8 instead. So I modified the relevant line in iMX8M/soc.mak to use that instead. After that I got the following:

Compiling mkimage_imx8
./mkimage_fit_atf.sh fsl-imx8mq-evk.dtb > u-boot.its
bl31.bin size:
32857
u-boot-nodtb.bin size:
658552
fsl-imx8mq-evk.dtb size:
23006
./mkimage_imx8 -E -p 0x3000 -f u-boot.its u-boot-lpddr4.itb
Platform: i.MX8M (mScale)
option '' is invalid: ignored
make[1]: *** [soc.mak:57: u-boot-lpddr4.itb] Error 1
make: *** [Makefile:20: flash_hdmi_spl_uboot] Error 2

Am I still missing some file and as a result the tool is using the generic mkimage_uboot binary? Or is this some bug with the tool?

0 Kudos
1,628 Views
atchm
Contributor I

Hi,

could you solve this problem? I got the same issue now:

./mkimage_imx8 -E -p 0x3000 -f u-boot.its u-boot-lpddr4.itb
Platform: i.MX8M (mScale)
option '' is invalid: ignored

 

0 Kudos
1,621 Views
uboot_problem
Contributor I

Hi,

Are you using the coral dev board? I recall we did solve the issue after getting some help from the coral support team. Give me 24h to dig up my notes on this and I'll get back to you.

0 Kudos
1,618 Views
atchm
Contributor I

Hi,

no we're using the eval board from TQ (TQ | STKa8MPxL (tq-group.com)) but there's the same imx8 processor on it. 

I've tried different things and now I'm clueless, so it could help to know how you solved it since it's a similar problem. The TQ support takes too long to reply unfortunately. 

 

Thanks a lot for your time, appreciate it!

0 Kudos
1,607 Views
uboot_problem
Contributor I

I hope I can be of some help!

The process for the coral dev board was quite involved. It's roughly described below:

Dependencies:

apt-get install build-essential qemu-user-static bc

Fetching repo from google:

mkdir -p ~/bin
export PATH=$PATH:$HOME/bin
curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
chmod a+x ~/bin/repo

repo init -u https://coral.googlesource.com/manifest
repo sync -j$(nproc)

Next enabled secure boot by adding CONFIG_SECURE_BOOT=y to uboot-imx/configs/imx8mq_phanbell_defconfig

Next if all extra binary files were needed, we added the following to /packages/uboot-imx/debian/rules :

	install -d debian/uboot-imx/boot
	install -m 644 -o 0 -g 0 boot.scr debian/uboot-imx/boot/boot.scr
	install -m 644 -o 0 -g 0 debian/overlays.txt debian/uboot-imx/boot/overlays.txt
	install -d debian/uboot-mkimage/usr/bin
	install -m 644 -o 0 -g 0 tools/mkimage debian/uboot-mkimage/usr/bin/mkimage
	install -m 644 -o 0 -g 0 /usr/share/imx-atf/bl31.bin debian/uboot-imx/boot/bl31.bin
	install -m 644 -o 0 -g 0 u-boot-nodtb.bin debian/uboot-imx/boot/u-boot-nodtb.bin
	install -m 644 -o 0 -g 0 arch/arm/dts/fsl-imx8mq-phanbell.dtb debian/uboot-imx/boot/u-boot.dtb
	install -m 644 -o 0 -g 0 u-boot-spl-ddr.bin debian/uboot-imx/boot/u-boot-spl-ddr.bin
	install -m 644 -o 0 -g 0 $(IMX_FIRMWARE_DIR)/signed_hdmi_imx8m.bin debian/uboot-imx/boot/signed_hdmi_imx8m.bin
	install -m 644 -o 0 -g 0 u-boot.bin debian/uboot-imx/boot/u-boot.bin
	dh_install
	install -m 644 -o 0 -g 0 u-boot.imx debian/uboot-imx/boot/u-boot.imx

Then built bootloader with (requires docker):

source build/setup.sh
m docker-uboot-imx

The bootloader installer package could then be found from:

out/target/product/imx8m_phanbell/packages/bsp/uboot-imx_5-3_arm64.deb

With an archive explorer, the imx file was found from said deb file from:

data.tar.xz/./boot/u-boot.imx

Next we had to check the log file "/out/target/product/imx8m_phanbell/uboot-imx-arm64.log" for the offset dump values:

Loader IMAGE:
 header_image_off 0x0
 image_off 0x40
 csf_off 0x2ae00
 spl hab block: 0x7e0fc0 0x0 0x2ae00

Second Loader IMAGE:
 sld_header_off 0x57c00
 sld_csf_off 0x58c20
 sld hab block: 0x401fcdc0 0x57c00 0x1020

Here the hab_block & csf_off values were important later

Next we used this code signing tool: https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW 

and in the release/keys folder, created 2 files:

"serial" that contains an 8-digit code
"key_pass.txt" that contains a passphrase twice (1st and 2nd line)

We ran:

./hab4_pki_tree.sh
Do you want to use an existing CA key (y/n)?: n
Do you want to use Elliptic Curve Cryptography (y/n)?: n
Enter key length in bits for PKI tree: 4096
Enter PKI tree duration (years): 20
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: y

 

 

0 Kudos
1,605 Views
uboot_problem
Contributor I

Continuing:

In crts folder we ran:

../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c ./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1

Then got fuse keys:

hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < SRK_1_2_3_4_fuse.bin

Next renamed the "u-boot.imx" to "flash.bin" and placed the files found from the .deb file into uboot-project-folder/tools/imx-mkimage/iMX8M/

Next ran, adapt with your dtb file:

./print_fit_hab.sh 0x60000 fsl-imx8mq-evk.dtb

Got an output such as:

0x40200000 0x5AC00 0xA0AF0
0x402A0AF0 0xFB6F0 0x72E0
0x920000 0x1029D0 0x9170

Now in csttool went to linux64/

I used the boundary devices example csf_spl.txt and csf_fit.txt files and modified [authenticate data] blocks with the following (see tutorial here: https://boundarydevices.com 

csf_spl.txt: spl hab block from the OFFSET DUMP

csf_fit.txt: sld hab block from offset dump and the output from print_fit_hab.sh 

Next we put the flash.bin to the same folder and ran:

./cst -i csf_spl.txt -o csf_spl.bin
./cst -i csf_fit.txt -o csf_fit.bin

Next ran the following (<csf_off> values were from the offset dump):

`cp flash.bin signed_flash.bin`
`dd if=csf_spl.bin of=signed_flash.bin seek=$((<csf_off>)) bs=1 conv=notrunc`
`dd if=csf_fit.bin of=signed_flash.bin seek=$((<sld_csf_off>)) bs=1 conv=notrunc`

 Finally we have a script that was used to install the bootloader, I've attached it to this message. Before running the script we had to rename signed_flash.bin to u-boot.imx

0 Kudos
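Added example (not part of the original posts and not NXP's or Google's code): a Python helper that turns the offset dump and the `print_fit_hab.sh` output quoted above into the `Blocks =` entries of the two CSF files, and checks that every block fits inside the image and that each CSF offset follows the region it signs. The function names are hypothetical, the sample values are copied from the posts, and the image size in the demo is a constructed value; in practice pass `os.path.getsize("flash.bin")`.

```python
import re

# Constructed sample input: the values quoted in the posts above.
OFFSET_DUMP = """Loader IMAGE:
 csf_off 0x2ae00
 spl hab block: 0x7e0fc0 0x0 0x2ae00
Second Loader IMAGE:
 sld_csf_off 0x58c20
 sld hab block: 0x401fcdc0 0x57c00 0x1020
"""
FIT_HAB = """0x40200000 0x5AC00 0xA0AF0
0x402A0AF0 0xFB6F0 0x72E0
0x920000 0x1029D0 0x9170
"""

def parse_offset_dump(text):
    """Extract the spl/sld hab blocks and the two CSF offsets from the build log."""
    out = {}
    for name, *vals in re.findall(r"(spl|sld) hab block:\s*(\S+)\s+(\S+)\s+(\S+)", text):
        out[name] = tuple(int(v, 16) for v in vals)
    for name, val in re.findall(r"\b(csf_off|sld_csf_off)\s+(0x[0-9a-fA-F]+)", text):
        out[name] = int(val, 16)
    return out

def parse_fit_hab(text):
    """Parse print_fit_hab.sh output: one 'address offset size' triple per line."""
    return [tuple(int(v, 16) for v in ln.split()) for ln in text.splitlines() if ln.strip()]

def csf_blocks(blocks, filename="flash.bin"):
    """Render (address, offset, size) triples as the Blocks entry of [Authenticate Data]."""
    rows = ['0x%x 0x%x 0x%x "%s"' % (a, o, s, filename) for a, o, s in blocks]
    return "Blocks = " + ", \\\n         ".join(rows)

def check_layout(dump, fit, image_size):
    """Return a list of problems; an empty list means the offsets are self-consistent."""
    problems = []
    named = [("spl", dump["spl"]), ("sld", dump["sld"])] + [("fit", b) for b in fit]
    for name, (_, off, size) in named:
        if off + size > image_size:
            problems.append("%s block 0x%x+0x%x runs past end of image" % (name, off, size))
    # In the dump quoted above, each CSF sits directly after the region it signs.
    for name, key in (("spl", "csf_off"), ("sld", "sld_csf_off")):
        if dump[name][1] + dump[name][2] != dump[key]:
            problems.append("%s is not at the end of the %s hab block" % (key, name))
    return problems

if __name__ == "__main__":
    dump, fit = parse_offset_dump(OFFSET_DUMP), parse_fit_hab(FIT_HAB)
    print("csf_spl.txt:", csf_blocks([dump["spl"]]))
    print("csf_fit.txt:", csf_blocks([dump["sld"]] + fit))
    print(check_layout(dump, fit, image_size=0x10BB40) or "layout OK")
```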
597 Views
Mark_K
Contributor I

Hi uboot_problem,

I've had problems getting secure boot authentication to work for a Coral dev board and I see in this thread that you did get it working.

I've read through many NXP docs and your last posts here which were very helpful getting the files required to run "print_fit_hab.sh". The script in Google's repo has bugs (mainly aligning offsets to 4-byte boundary) which I've fixed to get the addr/offset/size values I needed.

After putting those (and others from logs) into "fit.csf" and "spl.csf" files for CST tools I created the binary files and inserted them into my "u-boot.imx" file using dd as instructed.

From looking at all the binary files, addresses, sizes, everything looks correct. But after flashing my 'signed' "u-boot.imx", I get errors below at boot which also shows output of hab_status cmd.

I did create keys using ECC algorithm vs RSA, but CAAM is supposed to support that.

Do you recall anything else you needed to do to get authentication to work on a Coral dev board? As you probably found, support is hard to find so any guidance or other resources you found are greatly appreciated.

Also, anyone know how to decode the hab_status errors below?

Thanks in advance.
Mark

hab fuse not enabled

Authenticate image from DDR location 0x401fcdc0...
Error: CSF header command not found
NOTICE: Configuring TZASC380
...
Hit any key to stop autoboot: 0
u-boot=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x44 0x33 0x11 0xcf 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CSF (0x11)
CTX = HAB_CTX_CSF (0xCF)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x44 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x7e 0x0f 0xc0
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x44 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x7e 0x0f 0xe0
0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x44 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x7e 0x10 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

u-boot=>

 

0 Kudos
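Added example (not part of the original post and not NXP code): a Python decoder for the `event data:` byte dumps in the `hab_status` output above. The header layout (tag `0xdb`, 2-byte big-endian length, version, then STS/RSN/CTX/ENG) is read off the output itself; treating the 12 payload bytes of an assertion event as a 32-bit type, address and byte count is an assumption, and the code tables hold only the values that appear in the post.

```python
# Code names limited to the values that appear in the hab_status output above.
STATUS = {0x33: "HAB_FAILURE"}
REASON = {0x11: "HAB_INV_CSF", 0x0C: "HAB_INV_ASSERTION"}
CONTEXT = {0xCF: "HAB_CTX_CSF", 0xA0: "HAB_CTX_ASSERT"}
ENGINE = {0x00: "HAB_ENG_ANY"}

# Constructed sample input: events 1 and 2 copied from the post above.
EVENT_1 = "0xdb 0x00 0x08 0x44 0x33 0x11 0xcf 0x00"
EVENT_2 = """0xdb 0x00 0x14 0x44 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x7e 0x0f 0xc0
0x00 0x00 0x00 0x20"""

def _name(table, code):
    return "%s (0x%02X)" % (table.get(code, "unknown"), code)

def decode_event(text):
    """Decode one 'event data:' dump (whitespace-separated 0x.. bytes)."""
    raw = bytes(int(tok, 16) for tok in text.split())
    if len(raw) < 8 or raw[0] != 0xDB:
        raise ValueError("not a HAB event record (tag 0xdb expected)")
    length = int.from_bytes(raw[1:3], "big")
    if length != len(raw):
        raise ValueError("length field says %d bytes, got %d" % (length, len(raw)))
    event = {"version": raw[3],
             "status": _name(STATUS, raw[4]), "reason": _name(REASON, raw[5]),
             "context": _name(CONTEXT, raw[6]), "engine": _name(ENGINE, raw[7])}
    payload = raw[8:]
    # Assumption: assertion payload = 32-bit type, address, byte count (big-endian).
    if raw[5] == 0x0C and len(payload) == 12:
        event["assert_type"], event["address"], event["size"] = (
            int.from_bytes(payload[i:i + 4], "big") for i in (0, 4, 8))
    return event

def inside(event, block):
    """True if the asserted region lies within an (address, offset, size) hab block."""
    addr, _, size = block
    return addr <= event["address"] and event["address"] + event["size"] <= addr + size

if __name__ == "__main__":
    for dump in (EVENT_1, EVENT_2):
        print(decode_event(dump))
```

Under that assumption the three assertion events decode to 0x7e0fc0/0x20, 0x7e0fe0/0x1 and 0x7e1000/0x4, all of which fall inside the `spl hab block` range (0x7e0fc0, length 0x2ae00) quoted earlier in the thread.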
580 Views
uboot_problem
Contributor I

You might already have a deeper understanding on this than I did. The only thing that I could still find was that apparently I had issues getting hab to work on the coral board if I included all 4 lines into `csf_fit.txt` as described in the boundarydevices article.

Those lines being the value of `sld hab block` and the 3 lines printed out by `print_fit_hab.sh`. Instead I used the `sld hab block` value and only the first 2 values provided by `print_fit_hab.sh`. I cannot remember the reason anymore.

 

0 Kudos
576 Views
Mark_K
Contributor I

Thanks for the quick response.

I originally tried with just the values you said worked for you since they were in the build log file.  That didn't work for me either.  I'll try that again but not expecting anything different.

Hopefully someone from NXP or other user chimes in here.

Thanks!

0 Kudos