[U-Boot] u-boot.dtb is not generated when enabling verified boot

Wed Apr 25 01:22:11 UTC 2018

Hi Fabio,

Additionally, I did check that my-blob.dtb does contain the public key
after signing the fitimage by using 'fdtdump -s'

Thank you,

Davis

On Tue, Apr 24, 2018 at 9:19 PM, Davis Roman <davis.roman84 at gmail.com>
wrote:

> Hi Fabio,
>
> Thank you so much for responding. It's good to know that I'm not alone in
> the world. :)
>
> Unfortunately, I'm stuck with 2016.03 for the moment.
>
> So I'm still having issues with getting verified boot to work. After
> compiling and installing the new u-boot image on my board I noticed that it
> bricked my board.
>
> After lots of trail and error, I tracked it down to CONFIG_OF_CONTROL.
> When enabled, u-boot refuses to boot. ( no output is shown on the serial
> debug interface)
>
> Since I'm using CONFIG_OF_SEPERATE, I suspect u-boot tries to read my
> attached dtb blob however it's probably wrong.
>
> So my dts file looks like this:
>
> /dts-v1/;
>
> / {
> model = "dummy";
> compatible = "dummy";
>
> reset at 0 {
> compatible = "dummy";
> };
> };
>
>
>
> I know that the properties 'model' and 'compatible' matter when in regards
> to the kernel however u-boot is using the device tree just to hold the
> public key so do they still matter?
> For now I just set them to "dummy"
>
>
> Secondly, I'm doing:
>
> $ cat u-boot.imx my-blob.dtb > u-boot.imx.final
>
>
> Do you see anything that stands out to you?
>
> Thank you!
>
> Davis
>
>
>
> On Tue, Apr 24, 2018 at 7:40 PM, Fabio Estevam <festevam at gmail.com> wrote:
>
>> Hi Davis,
>>
>> On Fri, Apr 20, 2018 at 9:00 PM, Davis Roman <davis.roman84 at gmail.com>
>> wrote:
>> > Hello,
>> >
>> > I'm trying to get verified-boot working using u-boot 2016.03 on an imx6.
>>
>> It would be better to try something more recent, such as 2018.03 instead.
>>
>> > So far I've managed to figure out that I need the following additional
>> > config settings:
>> >  #define CONFIG_DM
>> > #define CONFIG_ENABLE_VBOOT
>> > #define CONFIG_RSA
>> > #define CONFIG_FIT
>> > #define CONFIG_OF_CONTROL
>> > #define CONFIG_FIT_SIGNATURE
>> > #define CONFIG_OF_SEPERATE
>> > #define CONFIG_OF_LIBFDT
>> > #define CONFIG_FIT_VERBOSE
>> >
>> > However, no matter what I do I can't seem to generate u-boot.dtb.
>>
>> This is expected if your board does not use device tree file in U-Boot.
>>
>> >
>> > My understanding is that u-boot automatically generates this
>> > u-boot.dtb for the purpose of storing
>> > the public key when mkimage signs the fitimage and that this process
>> > does not require that I provide a dts file.
>> >
>> > However, below are the files that are generated with my current
>> > configuration and no u-boot.dtb file is generated.
>> >
>> > Additionally, since u-boot produces a u-boot-nodtb.bin, I figured it
>> > was reasonable to believe that u-boot.bin contained the device tree
>> > however as shown below both u-boot-nodtb.bin and u-boot.bin have an
>> > idential hash.
>> >
>> > Is there something that I'm missing here? Any advice would be greatly
>> > appreciated
>> >
>> > Thank you,
>> >
>> > Davis
>> >
>> > davis at XPS-15-9560:~/Desktop/u-boot-work/uboot-imx$ ls -l *u-boot*
>> > -rwxrwxr-x 1 davis davis 3413272 Apr 20 23:41 u-boot
>> > -rwxrwxr-x 1 davis davis  506052 Apr 20 23:37 u-boot.bin
>> > -rw-rw-r-- 1 davis davis   39490 Apr 20 23:27 u-boot.cfg
>> > -rw-rw-r-- 1 davis davis  510976 Apr 20 23:37 u-boot.imx
>>
>> That's the one you need.
>>
>> If your board does not use device tree you will get a u-boot.imx
>> binary that you can flash into your boot media.
>>
>
>