[U-Boot] u-boot hangs after enabling secured boot : gumstix-overo

Simon Glass sjg at chromium.org
Sun May 29 19:40:00 CEST 2016


Hi Arun,

On 27 May 2016 at 15:01, Arun Kuttiyara Varghese
<arunkuttiyara at gmail.com> wrote:
> Hi Simon,
>
> Thanks a lot for your help.
>
> I was experimenting with a few options:
> finally I got a working combination.
>
> I added below options in configs/omap3_overo_defconfig
> CONFIG_RSA=y
> CONFIG_DM=y
>
> and in include/configs/omap3_overo.h.
>
> #define CONFIG_OF_CONTROL
> #define CONFIG_OF_SEPARATE
> #define CONFIG_FIT
> #define CONFIG_FIT_SIGNATURE
> #define CONFIG_FIT_VERBOSE
>
> and used EXT_DTB option for make.
>
> Now it works fine for the verified boot for gumstix overo.

I'm pleased you got it working. But you should be able to put all of
those in your defconfig. Also, if you use 'make menuconfig' you can
select the options for your board and it will (or at least should)
ensure that they are consistent.

>
> So I think, putting CONFIG_RSA [CONFIG_RSA alone, since I can't put all
> there - board hanging issue ] in defconfig enabled the RSA options for the
> board.
>
> Thanks & Regards,
> Arun
>

Regards,
Simon


>
> On Wed, May 18, 2016 at 11:59 PM, Simon Glass <sjg at chromium.org> wrote:
>>
>> Hi Arun,
>>
>> On 3 May 2016 at 19:50, Arun Kuttiyara Varghese <arunkuttiyara at gmail.com>
>> wrote:
>> > Hi Simon,
>> >
>> > Thanks for the help.
>> >
>> > There is an update.
>> >
>> > I experimented with the two options.
>> >
>> > Option 1
>> > =====
>> >
>> > Like you mentioned, I tried putting all the RSA boot options to
>> > configs/omap3_overo_defconfig.
>> > But surprisingly, the board was not able to boot. It gets stuck after
>> > printing one line of junk characters.
>> >
>> > So I think putting definitions in include/configs/omap3_overo.h is also
>> > fine?
>>
>> Not if it is in Kconfig. That sounds like a separate problem. But I'm
>> not sure what.
>>
>> >
>> > Option 2
>> > ====
>> >
>> > 1. Changed u-boot-dtb.img name to u-boot.img.
>> > 2. Then the board is able to boot, but gives the below message when I
>> > tried to use bootm.
>> >
>> > Overo #
>> > ## Loading kernel from FIT Image at 82000000 ...
>> >    Using 'conf at 1' configuration
>> >    Verifying Hash Integrity ... sha1,rsa2048:my_keyRSA: Can't find Modular Exp implementation
>> > RSA: Can't find Modular Exp implementation
>> > - Failed to verify required signature 'key-my_key'
>> > Bad Data Hash
>> > ERROR: can't get kernel image!
>> > Overo #
>>
>> If you grep for that message you see:
>>
>>     ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
>>     if (ret) {
>>         printf("RSA: Can't find Modular Exp implementation\n");
>>         return -EINVAL;
>>     }
>>
>> It is trying to find that uclass. Assuming that you have driver model
>> enabled (CONFIG_DM), I wonder if you have CONFIG_RSA_SOFTWARE_EXP
>> enabled? Unfortunately it looks like you have to do that manually as
>> the option is not in Kconfig.
>>
>> It is a driver for modular exponentiation, used for RSA. Some chips
>> include hardware acceleration, but there is a software driver as a
>> fallback.
>>
>> >
>> >
>> > As mentioned in doc/uImage.FIT/beaglebone_vboot.txt, I tried the script -
>> > tools/fit_check_sign, and its output is normal. Able to verify the
>> > signature.
>> >
>> > So I still don't know what the exact issue is, why I am getting the above
>> > error message.
>> > I searched for UCLASS_MOD_EXP,     /* RSA Mod Exp device */, but couldn't
>> > get much info.
>> >
>> > What is RSA Mod Exp device and how to make sure that I have that?
>> >
>> > Any input to debugging will be greatly helpful.
>> >
>> > Thanks & Regards,
>> > Arun
>> >
>> >
>>
>> Regards,
>> Simon
>>
>> >
>> > On Sun, May 1, 2016 at 2:55 PM, Simon Glass <sjg at chromium.org> wrote:
>> >>
>> >> Hi Arun,
>> >>
>> >> On 28 April 2016 at 14:48, Arun Kuttiyara Varghese
>> >> <arunkuttiyara at gmail.com> wrote:
>> >> > Hi All,
>> >> >
>> >> > I was trying to enable the secured boot in u-boot for gumstix overo
>> >> > storm,
>> >> >
>> >> > based on http://www.denx-cs.de/doku/?q=m28verifiedboot
>> >> >
>> >> > After I prepared my SD cards, u-boot is not able to boot
>> >> > and gives the below error message.
>> >> >
>> >> >
>> >> > U-Boot SPL 2015.07 (Apr 28 2016 - 13:53:06)
>> >> > SPL: Please implement spl_start_uboot() for your board
>> >>
>> >> This seems to be implemented for pepper, so to avoid this warning you
>> >> could add this function for your board.
>> >>
>> >> > SPL: Direct Linux boot not active!
>> >> > reading u-boot.img
>> >> > spl_load_image_fat: error reading image u-boot.img, err - -1
>> >> > SPL: Please implement spl_start_uboot() for your board
>> >> > SPL: Direct Linux boot not active!
>> >> > Failed to mount ext2 filesystem...
>> >> > spl_load_image_ext: ext4fs mount err - 0
>> >> >
>> >> > ================
>> >> >
>> >> > This is the u-boot.dts file that I am using.
>> >> >
>> >> >
>> >> > /dts-v1/;
>> >> >
>> >> > / {
>> >> >         model = "Keys";
>> >> >
>> >> >         signature {
>> >> >                 key-dev {
>> >> >                         required = "conf";
>> >> >                         algo = "sha1,rsa2048";
>> >> >                         key-name-hint = "my_key";
>> >> >                 };
>> >> >         };
>> >> > };
>> >> >
>> >> > compilation using :
>> >> > dtc -p 0x1000 /work/u-boot.dts -O dtb -o /work/u-boot.dtb
>> >> >
>> >> > And these are the conf that I have added to
>> >> > include/configs/omap3_overo.h
>> >> >
>> >> >  #define CONFIG_OF_CONTROL
>> >> >  #define CONFIG_OF_SEPARATE
>> >> >  #define CONFIG_FIT
>> >> >  #define CONFIG_FIT_SIGNATURE
>> >> >  #define CONFIG_RSA
>> >> >  #define CONFIG_FIT_VERBOSE
>> >>
>> >> These are in Kconfig now, so you should add them to
>> >> configs/omap3_overo_defconfig.
>> >>
>> >> I'm not sure what is wrong, but those two things might help.
>> >>
>> >> >
>> >> > and I am compiling u-boot by using below line :
>> >> >
>> >> > make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- EXT_DTB=/work/u-boot.dtb all -j4
>> >> >
>> >> > Please let me know if you have any ideas on how to debug this issue.
>> >> >
>> >> > Thanks & Regards,
>> >> > Arun
>> >> Regards,
>> >> Simon

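Added example (not part of the thread, and not U-Boot code): a shell check that reports whether each verified-boot option named in the thread is set in the defconfig or in the board header, and flags the gaps behind the "Can't find Modular Exp implementation" failure. The file names and sample contents are constructed, and the rules encode only what the replies above say about CONFIG_DM and CONFIG_RSA_SOFTWARE_EXP.

```shell
#!/bin/sh
# Added example, not from the thread or from U-Boot. Option names are the ones
# quoted in the thread; file names and sample contents are constructed.
OPTS="CONFIG_OF_CONTROL CONFIG_OF_SEPARATE CONFIG_FIT CONFIG_FIT_SIGNATURE
CONFIG_RSA CONFIG_DM CONFIG_RSA_SOFTWARE_EXP"

# opt_source OPT DEFCONFIG HEADER: prints defconfig, header, both or missing.
opt_source() {
    d=0; h=0
    if grep -Eq "^$1=y[[:space:]]*\$" "$2"; then d=1; fi
    if grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$1([[:space:]]|\$)" "$3"; then h=1; fi
    case "$d$h" in
        11) echo both ;; 10) echo defconfig ;; 01) echo header ;; *) echo missing ;;
    esac
}

# check_vboot DEFCONFIG HEADER: prints one line per option, then a PROBLEM line
# for each gap; returns 0 when nothing is flagged and 1 otherwise.
check_vboot() {
    rc=0
    for o in $OPTS; do
        echo "$o: $(opt_source "$o" "$1" "$2")"
    done
    if [ "$(opt_source CONFIG_FIT_SIGNATURE "$1" "$2")" = missing ]; then
        echo "PROBLEM: CONFIG_FIT_SIGNATURE is not set"
        return 1
    fi
    for o in CONFIG_RSA CONFIG_DM CONFIG_RSA_SOFTWARE_EXP; do
        if [ "$(opt_source "$o" "$1" "$2")" != missing ]; then continue; fi
        case "$o" in
            CONFIG_RSA) why="RSA support is not enabled" ;;
            CONFIG_DM) why="the Mod Exp device is looked up via driver model" ;;
            *) why="no software Mod Exp driver (a hardware one would also do)" ;;
        esac
        echo "PROBLEM: $o missing: $why"
        rc=1
    done
    return "$rc"
}

# Constructed sample: the "Option 2" state from the thread, with every option
# in the board header and nothing relevant in the defconfig.
tmp=$(mktemp -d)
printf '%s\n' 'CONFIG_ARM=y' > "$tmp/defconfig"
printf '#define %s\n' CONFIG_OF_CONTROL CONFIG_OF_SEPARATE CONFIG_FIT \
    CONFIG_FIT_SIGNATURE CONFIG_RSA CONFIG_FIT_VERBOSE > "$tmp/board.h"
check_vboot "$tmp/defconfig" "$tmp/board.h" || echo "=> fix the flagged options first"
rm -rf "$tmp"
```

The check only reads the two files it is given; options that Kconfig selects on its own show up in the generated .config, which can be passed as the first argument instead of the defconfig.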
