How to sign a kernel+ramdisk+dtb FIT image with HAB?


How to sign a kernel+ramdisk+dtb FIT image with HAB?

917 次查看
Contributor III

I have alredy read

and the PDF on Secure Boot on i.MX boards, but I am still unsure how to do this.

I have three files with the corresponding load addresses contained in the FIT image

Image                                    0x40480000
ramdisk-recovery.img            0x43100000
imx8mm-gpv-distec.dtb         0x43000000

The load address of the FIT image is 0x44000000 and its size is 0x0285d200. Its padded size is 0x285E000.

So in my ./genIVT I guess I need


#! /usr/bin/perl -w
use strict;
open(my $out, '>:raw', 'ivt.bin') or die "Unable to open: $!";
print $out pack("V", 0x412000D1); # Signature
print $out pack("V", 0x44000000); # Load Address (*load_address)
print $out pack("V", 0x0); # Reserved
print $out pack("V", 0x0); # DCD pointer
print $out pack("V", 0x0); # Boot Data
print $out pack("V", 0x4685E000); # Self Pointer (*ivt)
print $out pack("V", 0x4685E020); # CSF Pointer (*csf)
print $out pack("V", 0x0); # Reserved

I am unsure what to put in the csf_additional_images now. I have put this

Blocks = 0x40480000 0x00000000 0x01ec9a00 "Image", \
0x43000000 0x00000000 0x0000a638 "imx8mm-gpv-distec.dtb", \
0x43100000 0x00000000 0x00988a7a "ramdisk-recovery.img"

which corresponds to the sizes and load addresses of the individual components of the fitImage. Is that correct?

I cannot authenticate it with HAB

u-boot=> usb reset
resetting USB...
USB0:   Port not available.
USB1:   USB EHCI 1.00
scanning bus 1 for devices... Warning using limited usb xfer size 1024  
2 USB Device(s) found
      scanning usb for storage devices... 1 Storage Device(s) found
u-boot=> fatload usb 0 0x44000000 vti2/fitImage
42332016 bytes read in 1880 ms (21.5 MiB/s)
u-boot=> bootm 0x44000000

Authenticate image from DDR location 0x40480000...
bad magic magic=0xfd length=0xbc7b version=0xa9
bad length magic=0xfd length=0xbc7b version=0xa9
bad version magic=0xfd length=0xbc7b version=0xa9
Error: Invalid IVT structure

Allowed IVT structure:
IVT HDR       = 0x4X2000D1
IVT RSV1      = 0x0
IVT DCD       = 0x0
IVT RSV2      = 0x0
Authenticate uImage Fail, Please check

I am wondering why the image is detected as a uImage and loaded from the uImage's load address. I could successfully load the FIT image without secure boot this way.

0 项奖励
3 回复数

889 次查看
Contributor III

I would also be happy to find out about any other way to authenticate the ramdisk and dtb. It does not have to be a FIT image.

In the csf_additional_images.txt there is a device tree blob listed:

Blocks = 0x80800000 0x00000000 0x006EA000 "zImage", \
0x83800000 0x00000000 0x0000B927 "imx7d-sdb.dtb", \
0x84000000 0x00000000 0x000425B8 "uTee-7dsdb"

I was assuming those to be the components of a FIT image. How would I sign the .dtb (or ramdisk) when loading all three components instead of a FIT? I can load all three components in my case with the bootm command without the .dtb or ramdisk being signed. Would I have to add hab_auth_img for those files in my boot script?

As soon as I add these images like this

Blocks = 0x40480000 0x00000000 0x01ec9a20 "uImage-pad-ivt", \
0x43000000 0x00000000 0x0000a638 "imx8mm-gpv-distec.dtb", \
0x43100000 0x00000000 0x00988a7a "ramdisk-recovery.img"

HAB authentication fails

Authenticate image from DDR location 0x40480000...

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99

--------- HAB Event 1 -----------------
event data:
       0xdb 0x00 0x2c 0x43 0x33 0x18 0xc0 0x00
       0xca 0x00 0x24 0x00 0x02 0xc5 0x1d 0x00
       0x00 0x00 0x0d 0x54 0x40 0x48 0x00 0x00
       0x01 0xec 0xa0 0x20 0x43 0x00 0x00 0x00
       0x00 0x00 0xa6 0x38 0x43 0x10 0x00 0x00
       0x00 0x98 0x89 0x96

ENG = HAB_ENG_ANY (0x00)

Error loading the OS


When I just put

Blocks = 0x40480000 0x00000000 0x01ec9a20 "uImage-pad-ivt"


Everything works fine

0 项奖励

129 次查看
Contributor I

Hi jclsn,


Did you find a way to sign and authenticate your fitImage ?


If you found it, I will be so grateful if you can share it for the public.



0 项奖励

864 次查看
NXP TechSupport
NXP TechSupport


  yes, it is needed to sign each of the three components instead of a FIT;
and use hab_auth_img to authenticate each additional image.
  Appears, we don't have a guide to sign a whole (kernel) FIT image.


0 项奖励