[U-Boot] Unable to boot the new FIT image
Harsha Kiran
harshakiran443 at gmail.com
Wed Jun 4 04:29:50 CEST 2014
Hi Simon,
I was able to successfully test the Secure u-boot on the beaglebone black
from the u-boot-x86 Bone git.
Thanks for all the help and it was a great beaglebone_vboot.txt file!
I have some minor things I would like to mention from when I followed the
procedure.
1) In the 7th step
7. Put U-Boot and the kernel onto the board
-------------------------------------------
The MLO information is missing.
2)
I was not able to boot with the kernel (image.lzo) in the FIT. It gave me the
following error:
U-Boot# bootm 0x82000000
## Loading kernel from FIT Image at 82000000 ...
Using 'conf@1' configuration
Verifying Hash Integrity ... OK
Trying 'kernel@1' kernel subimage
Description: unavailable
Created: 2014-06-04 1:28:38 UTC
Type: Kernel Image
Compression: lzo compressed
Data Start: 0x820000a8
Data Size: 8543704 Bytes = 8.1 MiB
Architecture: ARM
OS: Linux
Load Address: 0x80008000
Entry Point: 0x80008000
Hash algo: sha1
Hash value: 9504d8fefcec81c054e2d0fb4e9d9b6bcfb9b4b7
Verifying Hash Integrity ... sha1+ OK
## Loading fdt from FIT Image at 82000000 ...
Using 'conf@1' configuration
Trying 'fdt@1' fdt subimage
Description: beaglebone-black
Created: 2014-06-04 1:28:38 UTC
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x82825f68
Data Size: 34352 Bytes = 33.5 KiB
Architecture: ARM
Hash algo: sha1
Hash value: 4b14973cf0fe4a40dc420ed55d2441c6f51f586b
Verifying Hash Integrity ... sha1+ OK
Booting using the fdt blob at 0x82825f68
Uncompressing Kernel Image ... LZO: uncompress or overwrite error -1 - must RESET board to recover
resetting ...
U-Boot SPL 2014.07-rc2 (Jun 03 2014 - 20:09:15)
reading u-boot.img
reading u-boot.img
But when I switched it back to the zImage it worked well. I will check again
on this.
Thanks,
Harsha Kiran
On Mon, Jun 2, 2014 at 11:46 PM, Simon Glass <sjg at chromium.org> wrote:
> Hi Harsha,
>
> On 31 May 2014 07:45, Harsha Kiran <harshakiran443 at gmail.com> wrote:
> > Hi Simon,
> >
> > I started working on the secure u-boot loading the FIT images and there are
> > some issues I observed.
> >
> > I took the latest U-Boot 2014.07-rc2 and applied the below mentioned
> > patches..
> >
> > (..http://patchwork.ozlabs.org/patch/339609/)
> > (..http://patchwork.ozlabs.org/patch/339610/)
> > (..http://patchwork.ozlabs.org/patch/339611/) I had to do a workaround to
> > apply this patch. If I apply the patch directly to the latest u-boot it
> > failed in the fit_image.c file.
> > I searched online and found fit_image.c from
> > (..https://kernel.googlesource.com/pub/scm/linux/kernel/git/maz/u-boot/+/eb63218b9b95a59baa8b241f3a88e4415dabf833/tools/fit_image.c)
> > and applied the patch and it was perfect.
> > Then I applied http://patchwork.ozlabs.org/patch/350541/
> >
> > With these patches and removing CONFIG_OF_CONTROL in am335x_evm.h, I was
> > able to load my FIT image successfully. If I include CONFIG_OF_CONTROL, I
> > get the following error:
> > No valid FDT found - please append one to U-Boot binary, use u-boot-dtb.bin
> > or define CONFIG_OF_EMBED. For sandbox, use -d <file.dtb> ### ERROR ###
> > Please RESET the board ###.
>
> This is likely another missing patch.
>
> I just sent out a new series (available in u-boot-x86.git branch
> 'bone') which adds some step-by-step documentation. It also collects
> all the fixes in one place.
>
> >
> > Now for the secure u-boot I added the CONFIG_FIT_SIGNATURE and CONFIG_RSA. I
> > modified the doc/uImage.FIT/kernel_fdt.its file to include the signature
> > content.
> > Here is the file..
> >
> > /*
> >  * Simple U-boot uImage source file containing a single kernel and FDT blob
> >  */
> >
> > /dts-v1/;
> >
> > / {
> >     description = "Simple image with single Linux kernel and FDT blob";
> >     #address-cells = <1>;
> >
> >     images {
> >         kernel@1 {
> >             description = "3.12 Kernel RT";
> >             data = /incbin/("./zImage");
> >             type = "kernel";
> >             arch = "arm";
> >             os = "linux";
> >             compression = "none";
> >             load = <0x80008000>;
> >             entry = <0x80008000>;
> >             hash@1 {
> >                 algo = "sha1";
> >             };
> >             signature@1 {
> >                 algo = "sha1,rsa2048";
> >                 key-name-hint = "dev";
> >             };
> >         };
> >         fdt@1 {
> >             description = "Flattened Device Tree blob";
> >             data = /incbin/("./am335x-evmsk.dtb");
> >             type = "flat_dt";
> >             arch = "arm";
> >             compression = "none";
> >             hash@1 {
> >                 algo = "sha1";
> >             };
> >             signature@1 {
> >                 algo = "sha1,rsa2048";
> >                 key-name-hint = "dev";
> >             };
> >         };
> >     };
> >
> >     configurations {
> >         default = "conf@1";
> >         conf@1 {
> >             description = "Boot Linux kernel with FDT blob";
> >             kernel = "kernel@1";
> >             fdt = "fdt@1";
> >         };
> >     };
> > };
> >
> > Then, I signed my images with the keys generated from openssl,
> >
> >
> > DTC_OPS="-I dts -O dtb -p 2000"
> > sudo mkimage -D "${DTC_OPS}" -f kernel_fdt.its -k dev-keys -K u-boot-pubkey.dtb -r kernel_fdt.itb
> >
> > build the u-boot again with the signed binary..
> >
> > harsha@harshakiran_kasha:/abb/Experiment_Secure/u-boot$ sudo make ARCH=arm CROSS_COMPILE=/abb/compilers/gcc-linaro-arm-linux-gnueabihf-4.7-2013.04-20130415_linux/bin/arm-linux-gnueabihf- -j8 DEV_TREE_BIN=./u-boot-pubkey.dtb
> >
> >
> > Now, while booting, I was able to load the u-boot-dtb.bin file from the
> > u-boot prompt and it loaded the FIT image.
> >
> > U-Boot# fatload mmc 0 0x82000000 u-boot-dtb.bin
> > reading u-boot-dtb.bin
> > 466611 bytes read in 36 ms (12.4 MiB/s)
> > U-Boot# go 0x82000000
> > ## Starting application at 0x82000000 ...
> >
> >
> > U-Boot 2014.07-rc2 (May 31 2014 - 02:16:18)
> >
> > I2C: ready
> > DRAM: 256 MiB
> > NAND: 0 MiB
> > MMC: OMAP SD/MMC: 0, OMAP SD/MMC: 1
> > *** Warning - readenv() failed, using default environment
> >
> > Net: <ethaddr> not set. Validating first E-fuse MAC
> > cpsw, usb_ether
> > Hit any key to stop autoboot: 0
> > mmc0 is current device
> > SD/MMC found on device 0
> > reading uEnv.txt
> > 2481 bytes read in 7 ms (345.7 KiB/s)
> > Loaded environment from uEnv.txt
> > Importing environment from mmc ...
> > Running uenvcmd ...
> > reading kernel_fdt.itb
> > 4157190 bytes read in 267 ms (14.8 MiB/s)
> > ## Loading kernel from FIT Image at 82000000 ...
> > Using 'conf@1' configuration
> > Verifying Hash Integrity ... OK
> > Trying 'kernel@1' kernel subimage
> > Description: 3.12 Kernel RT
> > Type: Kernel Image
> > Compression: uncompressed
> > Data Start: 0x820000e4
> > Data Size: 4117728 Bytes = 3.9 MiB
> > Architecture: ARM
> > OS: Linux
> > Load Address: 0x80008000
> > Entry Point: 0x80008000
> > Hash algo: sha1
> > Hash value: 3d72bc90b8afb5464cb03de2952d1bba90cd542e
> > Sign algo: sha1,rsa2048:dev
> > Sign value: unavailable
> > Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK
> > ## Loading fdt from FIT Image at 82000000 ...
> > Using 'conf@1' configuration
> > Trying 'fdt@1' fdt subimage
> > Description: Flattened Device Tree blob
> > Type: Flat Device Tree
> > Compression: uncompressed
> > Data Start: 0x823ed6f8
> > Data Size: 38048 Bytes = 37.2 KiB
> > Architecture: ARM
> > Hash algo: sha1
> > Hash value: 01d8a7481ac4ae281e68383776287a94bd5f2d78
> > Sign algo: sha1,rsa2048:dev
> > Sign value: unavailable
> > Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK
> > Booting using the fdt blob at 0x823ed6f8
> > Loading Kernel Image ... OK
> > Loading Device Tree to 8f611000, end 8f61d49f ... OK
> >
> > Starting kernel ...
> >
>
> I worry that you are loading a zImage to 80008000 which is the
> intended load address of the kernel itself. Does the zImage wrapper
> handle that?
>
> In my example, I use the Image rather than zImage, so that U-Boot can
> decompress it.
>
> >
> > It says that the hash integrity is verified but when I tried with an
> > unsigned kernel_fdt.bin with signed u-boot-dtb.bin I was still able to load
> > the FIT and the logs are the same.
>
> Yes but you didn't use the -r flag for mkimage, so the verification is
> optional.
>
> > I am not really sure if the verification part is done correctly. Am I following
> > the correct procedure or missing something?
>
> Mostly I think. See my documentation in the series mentioned above -
> hopefully it will help.
>
> Regards,
> Simon
>
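
Added example (not part of the original thread and not U-Boot code): a small Python check over a captured `bootm` console log that reads each `Verifying Hash Integrity` line and reports whether a signature was actually verified, so a `sha1,rsa2048:dev-` result like the one quoted above is flagged even though the line ends in `OK`. It assumes the `+`/`-` suffix convention visible in that log; the function name `audit_fit_log` and the sample log are constructed for illustration.

```python
import re

TRYING = re.compile(r"(?:Trying|Using) '([^']+)'")
VERIFY = re.compile(r"Verifying Hash Integrity \.\.\.\s*(.*)$")

def audit_fit_log(text):
    """Map each FIT component named in a bootm log to its verification status.

    Assumption (from the log format in the thread): each check is printed as
    <algo>[:<key-hint>] followed by '+' (passed) or '-' (not verified), and
    the line may still end in 'OK' when the key is not marked as required.
    """
    status = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()          # tolerate mail-quote prefixes
        named = TRYING.search(line)
        if named:
            current = named.group(1)             # e.g. conf@1, kernel@1, fdt@1
            continue
        checked = VERIFY.search(line)
        if not checked or current is None:
            continue
        sig_ok, sig_bad = [], []
        for tok in checked.group(1).split():
            algo = tok[:-1].partition(":")[0]
            if tok[-1] in "+-" and "," in algo:  # "hash,crypto" form = signature
                (sig_ok if tok[-1] == "+" else sig_bad).append(tok[:-1])
        if sig_bad:
            status[current] = "signature present but NOT verified: " + ", ".join(sig_bad)
        elif sig_ok:
            status[current] = "signature verified: " + ", ".join(sig_ok)
        else:
            status[current] = "no signature checked (hash only or nothing)"
    return status

# Constructed sample log, modelled on the output quoted in the thread.
SAMPLE_LOG = """\
## Loading kernel from FIT Image at 82000000 ...
   Using 'conf@1' configuration
   Verifying Hash Integrity ... OK
   Trying 'kernel@1' kernel subimage
   Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK
## Loading fdt from FIT Image at 82000000 ...
   Using 'conf@1' configuration
   Trying 'fdt@1' fdt subimage
   Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev+ OK
"""

if __name__ == "__main__":
    for component, result in audit_fit_log(SAMPLE_LOG).items():
        print(f"{component}: {result}")
```

On the sample, `kernel@1` is reported as not verified, `fdt@1` as verified, and `conf@1` as having no signature check at all, which is the distinction the plain `OK` at the end of each line hides.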