[U-Boot] u-boot hangs after enabling secured boot : gumstix-overo

Simon Glass sjg at chromium.org
Thu May 19 05:59:03 CEST 2016 

Hi Arun,

On 3 May 2016 at 19:50, Arun Kuttiyara Varghese <arunkuttiyara at gmail.com> wrote:
> Hi Simon,
>
> Thanks for the help.
>
> There is an update.
>
> I experimented with the two options.
>
> Option 1
> =====
>
> Like you mentioned, I tried putting all the RSA boot options to
> configs/omap3_overo_defconfig.
> but surprisingly, the board was not able to boot. it stucks after printing
> one line of junk characters.
>
> So I think, putting definitions in include/configs/omap3_overo.h is also
> fine ?

Not if it is in Kconfig. That sounds like a separate problem. But i"m
not sure what.

>
> Option 2
> ====
>
> 1. changed u-boot-dtb.img name to u-boot.img .
> 2. then board is able to boot, but gives the below message when I tried to
> use bootm.
>
> Overo #
> ## Loading kernel from FIT Image at 82000000 ...
>    Using 'conf at 1' configuration
>    Verifying Hash Integrity ... sha1,rsa2048:my_keyRSA: Can't find Modular
> Exp implementation
> RSA: Can't find Modular Exp implementation
> - Failed to verify required signature 'key-my_key'
> Bad Data Hash
> ERROR: can't get kernel image!
> Overo #

If you grep for that message you see:

ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
if (ret) {
printf("RSA: Can't find Modular Exp implementation\n");
return -EINVAL;
}

It is trying to find that uclass. Assuming that you have driver model
enabled (CONFIG_DM), I wonder if you have CONFIG_RSA_SOFTWARE_EXP
enabled? Unfortunately it looks like you have to do that manually as
the option is not in Kconfig.

It is a driver for modular exponentiation, used for RSA. Some chips
include hardware acceleration, but there is a software driver as a
fallback.

>
>
> As mentioned in doc/uImage.FIT/beaglebone_vboot.txt, I tried the script -
> tools/fit_check_sign, and its output is normal. Able to verify the
> signature.
>
> So still dont know, what is the exact issue, why I am getting the above
> error message.
> I searched for UCLASS_MOD_EXP,     /* RSA Mod Exp device */, but couldn't
> get much info.
>
> What is RSA Mod Exp device and how to make sure that I have that ?
>
> Any input to debugging will be greatly helpful.
>
> Thanks & Regards,
> Arun
>
>

Regards,
Simon

>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Sun, May 1, 2016 at 2:55 PM, Simon Glass <sjg at chromium.org> wrote:
>>
>> Hi Arun,
>>
>> On 28 April 2016 at 14:48, Arun Kuttiyara Varghese
>> <arunkuttiyara at gmail.com> wrote:
>> > Hi All,
>> >
>> > I was trying to enable the secured boot in u-boot for gumstix overo
>> > storm.
>> >
>> > based on http://www.denx-cs.de/doku/?q=m28verifiedboot
>> >
>> > After I prepared by SD cards, u-boot is not able to boot
>> > and gives the below error message.
>> >
>> >
>> > U-Boot SPL 2015.07 (Apr 28 2016 - 13:53:06)
>> > SPL: Please implement spl_start_uboot() for your board
>>
>> This seems to be implemented for pepper, so to avoid this warning you
>> could add this function for your board.
>> .
>> > SPL: Direct Linux boot not active!
>> > reading u-boot.img
>> > spl_load_image_fat: error reading image u-boot.img, err - -1
>> > SPL: Please implement spl_start_uboot() for your board
>> > SPL: Direct Linux boot not active!
>> > Failed to mount ext2 filesystem...
>> > spl_load_image_ext: ext4fs mount err - 0
>> >
>> > ================
>> >
>> > This is the u-boot.dts file that I am using.
>> >
>> >
>> > /dts-v1/;
>> >
>> > / {
>> >         model = "Keys";
>> >
>> >         signature {
>> >                 key-dev {
>> >                         required = "conf";
>> >                         algo = "sha1,rsa2048";
>> >                         key-name-hint = "my_key";
>> >                 };
>> >         };
>> > };
>> >
>> > compilation using :
>> > dtc -p 0x1000 /work/u-boot.dts -O dtb -o /work/u-boot.dtb
>> >
>> > And these are the conf that I have added to
>> > include/configs/omap3_overo.h
>> >
>> >  #define CONFIG_OF_CONTROL
>> >  #define CONFIG_OF_SEPARATE
>> >  #define CONFIG_FIT
>> >  #define CONFIG_FIT_SIGNATURE
>> >  #define CONFIG_RSA
>> >  #define CONFIG_FIT_VERBOSE
>>
>> These are in Kconfig now, so you should add them to
>> configs/omap3_overo_defconfig.
>>
>> I'm not sure what is wrong, but those two things might help.
>>
>> >
>> > and I am compiling u-boot by using below line :
>> >
>> > make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- EXT_DTB=/work/u-boot.dtb
>> > all
>> > -j4
>> >
>> > Please let me know if you have any ideas on how to debug this issue.
>> >
>> > Thanks & Regards,
>> > Arun
>> Regards,
>> Simon
>
>

More information about the U-Boot mailing list