Hi,
I want to propose the following patch to bootm.c.
If you want to use FIT Images and HAB together you always get this on bootm:
Not valid image format for Authentication, Please check
This is because there is no case for FIT Images in the switch statement.
I tested the patch below and was able to boot a HAB signed FIT Image without problems.
diff --git "a/cmd/bootm.c" "b/cmd/bootm.c"
index 03ea3b8998..47122e50cc 100644
--- "a/cmd/bootm.c"
+++ "b/cmd/bootm.c"
@@ -176,6 +176,15 @@ int do_bootm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
case IMAGE_FORMAT_ANDROID:
/* Do this authentication in boota command */
break;
+#endif
+#ifdef CONFIG_FIT
+ case IMAGE_FORMAT_FIT:
+ if (authenticate_image(image_load_addr,
+ image_get_image_size((image_header_t *)image_load_addr)) != 0) {
+ printf("Authenticate FIT image Fail, Please check\n");
+ return 1;
+ }
+ break;
#endif
default:
printf("Not valid image format for Authentication, Please check\n");
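Review bot: in the new IMAGE_FORMAT_FIT case, the length passed to authenticate_image() comes from image_get_image_size((image_header_t *)image_load_addr), which interprets the buffer as a legacy image header. A FIT image is a device-tree blob with a different header layout, so the value read this way is not the FIT's own size field. Take the length from the FIT header instead (fit_get_size()) and add a short comment stating what length authenticate_image() expects.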
Thanks,
Thomas
Is this in the meantime already implemented somewhere by NXP?
Thanks.
I'd like to ask you a question. Do we need special processing when adding digital signatures to fitimage, or is it the same as the official guidance (zimage/image)? Do we need to do something special with the .its file that generates fitimage?
Is there any way to get this patch upstream? I'm absolutely willing to send patches around on some mailing list or gitlabs if someone tells me how to contribute.
Cheers,
Sascha
Probably yes. Maybe we should notify some NXP employee.
Like:
Or you create a ticket yourself
The patch actually needs to read the image size from the image header with the function fit_get_size(), because the image headers of FIT images differ. For me the first patch only worked by chance and I could fix it by exchanging the function.
Here is the diff:
diff --git a/cmd/bootm.c b/cmd/bootm.c
index bed84bd735..6fcd17eaf5 100644
--- a/cmd/bootm.c
+++ b/cmd/bootm.c
@@ -175,7 +175,7 @@ int do_bootm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
#ifdef CONFIG_FIT
case IMAGE_FORMAT_FIT:
if (authenticate_image(load_addr,
- image_get_image_size((image_header_t *)load_addr)) != 0) {
+ fit_get_size((void *)load_addr)) != 0) {
printf("Authenticate FIT image Fail, Please check\n");
return 1;
}
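Review bot: fit_get_size((void *)load_addr) takes the length from the header of the image that is about to be authenticated, and the hunk passes it straight to authenticate_image() with no sanity check. Validate the header first (for example with fdt_check_header()) and reject a size larger than what was actually loaded, so a malformed header fails with the existing "Authenticate FIT image Fail" message instead of pointing authenticate_image() past the loaded data.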
Thx everyone for the replies and kudos.
Meanwhile I'm using U-Boot Mainline, so you will get no more updates from me.
To be sure to use the correct address and size my code is like that now:
uint32_t fileaddr = env_get_hex("fileaddr", 0);
uint32_t filesize = env_get_hex("filesize", 0);
uint32_t ivt_offset = filesize - CONFIG_CSF_SIZE;
imx_hab_authenticate_image(fileaddr, filesize, ivt_offset);
fileaddr and filesize are set on all load operations as far as I can see.
Hi @tmuthmann
Your solution helped me a lot. After using your patch I was able to boot HAB signed fitImage.
But when I rebuilt my images and disabled Mender, it was not working for me. After some investigation I think that image_get_image_size is picking bytes 12..15 as the size of the image, which is a little less than the image size in bytes 4..7, which seems to be more correct. In some cases this made authenticate_image() unable to find the IVT structure and verification failed.
So, it did not depend on Mender but the size of the fitImage, so maybe you can get into the same problem when rebuilding your images.
Regards,
Jonny
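The byte offsets discussed in the post above, as an added example that is not code from any poster or from U-Boot: it reads a constructed FIT header once the way a legacy-header size helper would (bytes 12..15 plus the 64-byte legacy header) and once from the device-tree totalsize field (bytes 4..7), with a bounds check against the loaded length. The function names and the sample bytes are made up for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FDT_MAGIC          0xd00dfeedu  /* magic of a flattened device tree / FIT */
#define FDT_HEADER_LEN     40u          /* ten big-endian 32-bit header fields */
#define LEGACY_HEADER_LEN  64u          /* size of the legacy uImage header */

/* Read a big-endian 32-bit field at byte offset off. */
static uint32_t be32_at(const uint8_t *p, size_t off)
{
    return ((uint32_t)p[off] << 24) | ((uint32_t)p[off + 1] << 16) |
           ((uint32_t)p[off + 2] << 8) | (uint32_t)p[off + 3];
}

/* Legacy-header view (hypothetical helper): ih_size at bytes 12..15 + header. */
uint32_t size_via_legacy_header(const uint8_t *blob)
{
    return be32_at(blob, 12) + LEGACY_HEADER_LEN;
}

/* FDT view (hypothetical helper): totalsize at bytes 4..7, 0 when implausible. */
uint32_t size_via_fdt_header(const uint8_t *blob, size_t loaded_len)
{
    if (loaded_len < FDT_HEADER_LEN || be32_at(blob, 0) != FDT_MAGIC)
        return 0;
    uint32_t total = be32_at(blob, 4);
    if (total < FDT_HEADER_LEN || total > loaded_len)
        return 0;   /* claims more than was loaded, or less than a header */
    return total;
}

/* Constructed sample: totalsize 0x5000, off_dt_strings (bytes 12..15) 0x4f00. */
const uint8_t sample_fit_header[40] = {
    0xd0, 0x0d, 0xfe, 0xed,  0x00, 0x00, 0x50, 0x00,
    0x00, 0x00, 0x00, 0x38,  0x00, 0x00, 0x4f, 0x00,
    0x00, 0x00, 0x00, 0x28,  0x00, 0x00, 0x00, 0x11,
    0x00, 0x00, 0x00, 0x10,
};

int main(void)
{
    printf("legacy read: 0x%x\n", (unsigned)size_via_legacy_header(sample_fit_header));
    printf("fdt read:    0x%x\n", (unsigned)size_via_fdt_header(sample_fit_header, 0x6000));
    return 0;
}
```

On a device-tree blob, bytes 12..15 hold the offset of the strings block, which sits near the end of the blob, so the legacy read lands slightly below totalsize.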
I tried this on imx8mp with BSP Linux 5.10.9_1.0.0 and still need this patch to boot a FIT image with the HAB feature.
Is this already implemented somewhere by NXP? We are running into the same problem with v2020.04_5.4.24_2.1.0. I think it's rather strange NXP does not see this as a valid use case.
Anyway, Thanks for the patch