[U-Boot] Unable to boot the new FIT image

Harsha Kiran harshakiran443 at gmail.com
Wed Jun 4 04:29:50 CEST 2014


Hi Simon,

I was able to successfully test the Secure u-boot on the beaglebone black
from the u-boot-x86 Bone git.
Thanks for all the help and it was a great beaglebone_vboot.txt file!

I have some minor things I would like to mention when I followed the
procedure.

1) In the 7th step

7. Put U-Boot and the kernel onto the board
-------------------------------------------
The MLO information is missing.


2)

I was not able to boot with kernel (image.lzo) in the FIT. It gave me the
following error:
U-Boot# bootm 0x82000000
## Loading kernel from FIT Image at 82000000 ...
   Using 'conf@1' configuration
   Verifying Hash Integrity ... OK
   Trying 'kernel@1' kernel subimage
     Description:  unavailable
     Created:      2014-06-04   1:28:38 UTC
     Type:         Kernel Image
     Compression:  lzo compressed
     Data Start:   0x820000a8
     Data Size:    8543704 Bytes = 8.1 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x80008000
     Entry Point:  0x80008000
     Hash algo:    sha1
     Hash value:   9504d8fefcec81c054e2d0fb4e9d9b6bcfb9b4b7
   Verifying Hash Integrity ... sha1+ OK
## Loading fdt from FIT Image at 82000000 ...
   Using 'conf@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  beaglebone-black
     Created:      2014-06-04   1:28:38 UTC
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x82825f68
     Data Size:    34352 Bytes = 33.5 KiB
     Architecture: ARM
     Hash algo:    sha1
     Hash value:   4b14973cf0fe4a40dc420ed55d2441c6f51f586b
   Verifying Hash Integrity ... sha1+ OK
   Booting using the fdt blob at 0x82825f68
   Uncompressing Kernel Image ... LZO: uncompress or overwrite error -1 - must RESET board to recover
resetting ...

U-Boot SPL 2014.07-rc2 (Jun 03 2014 - 20:09:15)
reading u-boot.img
reading u-boot.img

But when I switched it back to the zImage it worked well. I will check again
on this.

Thanks,
Harsha Kiran





On Mon, Jun 2, 2014 at 11:46 PM, Simon Glass <sjg at chromium.org> wrote:

> Hi Harsha,
>
> On 31 May 2014 07:45, Harsha Kiran <harshakiran443 at gmail.com> wrote:
> > Hi Simon,
> >
> > I started working on the secure u-boot loading the FIT images and there are
> > some issues I observed.
> >
> > I took the latest U-Boot 2014.07-rc2 and applied the below mentioned
> > patches..
> >
> > (..http://patchwork.ozlabs.org/patch/339609/)
> > (..http://patchwork.ozlabs.org/patch/339610/)
> > (..http://patchwork.ozlabs.org/patch/339611/) I had to do a workaround to
> > apply this patch. If I apply the patch directly to the latest u-boot it
> > failed in the fit_image.c file.
> > I searched online and found fit_image.c from
> > (..https://kernel.googlesource.com/pub/scm/linux/kernel/git/maz/u-boot/+/eb63218b9b95a59baa8b241f3a88e4415dabf833/tools/fit_image.c)
> > and applied the patch and it was perfect.
> > Then I applied http://patchwork.ozlabs.org/patch/350541/
> >
> > With these patches and removing CONFIG_OF_CONTROL in am335x_evm.h, I was
> > able to load my FIT image successfully. If I include CONFIG_OF_CONTROL, I
> > get the following error:
> > No valid FDT found - please append one to U-Boot binary, use u-boot-dtb.bin
> > or define CONFIG_OF_EMBED. For sandbox, use -d <file.dtb> ### ERROR ###
> > Please RESET the board ###.
>
> This is likely another missing patch.
>
> I just sent out a new series (available in u-boot-x86.git branch
> 'bone') which adds some step-by-step documentation. It also collects
> all the fixes in one place.
>
> >
> > Now for the secure u-boot I added the CONFIG_FIT_SIGNATURE and CONFIG_RSA. I
> > modified the doc/uImage.FIT/kernel_fdt.its file to include the signature
> > content.
> > Here is the file:
> >
> > /*
> >  * Simple U-boot uImage source file containing a single kernel and FDT blob
> >  */
> >
> > /dts-v1/;
> >
> > / {
> >     description = "Simple image with single Linux kernel and FDT blob";
> >     #address-cells = <1>;
> >
> >     images {
> >         kernel@1 {
> >             description = "3.12 Kernel RT";
> >             data = /incbin/("./zImage");
> >             type = "kernel";
> >             arch = "arm";
> >             os = "linux";
> >             compression = "none";
> >             load = <0x80008000>;
> >             entry = <0x80008000>;
> >             hash@1 {
> >                 algo = "sha1";
> >             };
> >             signature@1 {
> >                 algo = "sha1,rsa2048";
> >                 key-name-hint = "dev";
> >             };
> >         };
> >         fdt@1 {
> >             description = "Flattened Device Tree blob";
> >             data = /incbin/("./am335x-evmsk.dtb");
> >             type = "flat_dt";
> >             arch = "arm";
> >             compression = "none";
> >             hash@1 {
> >                 algo = "sha1";
> >             };
> >             signature@1 {
> >                 algo = "sha1,rsa2048";
> >                 key-name-hint = "dev";
> >             };
> >         };
> >     };
> >
> >     configurations {
> >         default = "conf@1";
> >         conf@1 {
> >             description = "Boot Linux kernel with FDT blob";
> >             kernel = "kernel@1";
> >             fdt = "fdt@1";
> >         };
> >     };
> > };
> >
> > Then, I signed my images with the keys generated from openssl,
> >
> >
> > DTC_OPS="-I dts -O dtb -p 2000"
> > sudo mkimage -D "${DTC_OPS}" -f kernel_fdt.its -k dev-keys -K u-boot-pubkey.dtb -r kernel_fdt.itb
> >
> > build the u-boot again with the signed binary..
> >
> > harsha@harshakiran_kasha:/abb/Experiment_Secure/u-boot$ sudo make ARCH=arm CROSS_COMPILE=/abb/compilers/gcc-linaro-arm-linux-gnueabihf-4.7-2013.04-20130415_linux/bin/arm-linux-gnueabihf- -j8 DEV_TREE_BIN=./u-boot-pubkey.dtb
> >
> >
> > Now, while booting, I was able to load the u-boot-dtb.bin file from the
> > u-boot prompt and it loaded the FIT image.
> >
> > U-Boot# fatload mmc 0 0x82000000 u-boot-dtb.bin
> > reading u-boot-dtb.bin
> > 466611 bytes read in 36 ms (12.4 MiB/s)
> > U-Boot# go 0x82000000
> > ## Starting application at 0x82000000 ...
> >
> >
> > U-Boot 2014.07-rc2 (May 31 2014 - 02:16:18)
> >
> > I2C:   ready
> > DRAM:  256 MiB
> > NAND:  0 MiB
> > MMC:   OMAP SD/MMC: 0, OMAP SD/MMC: 1
> > *** Warning - readenv() failed, using default environment
> >
> > Net:   <ethaddr> not set. Validating first E-fuse MAC
> > cpsw, usb_ether
> > Hit any key to stop autoboot:  0
> > mmc0 is current device
> > SD/MMC found on device 0
> > reading uEnv.txt
> > 2481 bytes read in 7 ms (345.7 KiB/s)
> > Loaded environment from uEnv.txt
> > Importing environment from mmc ...
> > Running uenvcmd ...
> > reading kernel_fdt.itb
> > 4157190 bytes read in 267 ms (14.8 MiB/s)
> > ## Loading kernel from FIT Image at 82000000 ...
> >    Using 'conf@1' configuration
> >    Verifying Hash Integrity ... OK
> >    Trying 'kernel@1' kernel subimage
> >      Description:  3.12 Kernel RT
> >      Type:         Kernel Image
> >      Compression:  uncompressed
> >      Data Start:   0x820000e4
> >      Data Size:    4117728 Bytes = 3.9 MiB
> >      Architecture: ARM
> >      OS:           Linux
> >      Load Address: 0x80008000
> >      Entry Point:  0x80008000
> >      Hash algo:    sha1
> >      Hash value:   3d72bc90b8afb5464cb03de2952d1bba90cd542e
> >      Sign algo:    sha1,rsa2048:dev
> >      Sign value:   unavailable
> >    Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK
> > ## Loading fdt from FIT Image at 82000000 ...
> >    Using 'conf@1' configuration
> >    Trying 'fdt@1' fdt subimage
> >      Description:  Flattened Device Tree blob
> >      Type:         Flat Device Tree
> >      Compression:  uncompressed
> >      Data Start:   0x823ed6f8
> >      Data Size:    38048 Bytes = 37.2 KiB
> >      Architecture: ARM
> >      Hash algo:    sha1
> >      Hash value:   01d8a7481ac4ae281e68383776287a94bd5f2d78
> >      Sign algo:    sha1,rsa2048:dev
> >      Sign value:   unavailable
> >    Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK
> >    Booting using the fdt blob at 0x823ed6f8
> >    Loading Kernel Image ... OK
> >    Loading Device Tree to 8f611000, end 8f61d49f ... OK
> >
> > Starting kernel ...
> >
>
> I worry that you are loading a zImage to 80008000 which is the
> intended load address of the kernel itself. Does the zImage wrapper
> handle that?
>
> In my example, I use the Image rather than zImage, so that U-Boot can
> decompress it.
>
> >
> > It says that the hash integrity is verified, but when I tried with an
> > unsigned kernel_fdt.bin with signed u-boot-dtb.bin I was still able to load
> > the FIT and the logs are the same.
>
> Yes but you didn't use the -r flag for mkimage, so the verification is
> optional.
>
> > I am not really sure if the verification part is done correctly. Am I following
> > the correct procedure or missing something?
>
> Mostly I think. See my documentation in the series mentioned above -
> hopefully it will help.
>
> Regards,
> Simon
>
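
Added example (not part of the original messages and not U-Boot code): a small checker for the "Verifying Hash Integrity" lines in the bootm logs above. U-Boot appends "+" to each hash or signature entry that passed and "-" to one that failed, and an entry like "sha1,rsa2048:dev-" followed by "OK" means the signature did not verify but the boot went on anyway. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample, in the format of the bootm logs quoted in this thread.
SAMPLE_LOG = """\
## Loading kernel from FIT Image at 82000000 ...
   Using 'conf@1' configuration
   Verifying Hash Integrity ... OK
   Trying 'kernel@1' kernel subimage
   Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK
   Trying 'fdt@1' fdt subimage
   Verifying Hash Integrity ... sha1+ OK
"""

SUBJECT = re.compile(r"(?:Using|Trying) '([^']+)' (configuration|\w+ subimage)")
STATUS = re.compile(r"Verifying Hash Integrity \.\.\.\s*(.*?)\s*OK\s*$")
VERIFIED = "signature verified"

def classify(tokens):
    """Turn the per-algorithm marks of one status line into a verdict."""
    # Assumption: a signature entry looks like "<hash>,<crypto>:<key-hint>",
    # so it contains a comma; plain hash entries ("sha1") do not.
    sigs = [t for t in tokens if "," in t]
    if any(t.endswith("+") for t in sigs):
        return VERIFIED
    if sigs:
        return "signature failed, boot continued"
    return "hash only" if tokens else "nothing checked"

def audit(log):
    """Return {name: (kind, verdict)} for each verification line in a log."""
    report, subject = {}, None
    for line in log.splitlines():
        m = SUBJECT.search(line)
        if m:
            subject = m.groups()
        elif subject and (m := STATUS.search(line)):
            report[subject[0]] = (subject[1], classify(m.group(1).split()))
    return report

def authenticated(log):
    """True if the configuration, or else every subimage, has a good signature."""
    results = list(audit(log).values())
    if any(k == "configuration" and v == VERIFIED for k, v in results):
        return True  # a signed configuration covers the image hashes it lists
    images = [v for k, v in results if k != "configuration"]
    return bool(images) and all(v == VERIFIED for v in images)
```

Run over a captured serial console log, `authenticated()` returning False means the boot succeeded without any signature having been enforced, which is the situation described in the message above.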


