[U-Boot] [PATCH v6 00/25] Fix and extend i.MX HAB layer
Bryan O'Donoghue
bryan.odonoghue at linaro.org
Fri Feb 9 10:01:24 UTC 2018
On 09/02/18 07:27, Jagan Teki wrote:
> On Thu, Feb 8, 2018 at 9:47 PM, Bryan O'Donoghue
> <bryan.odonoghue at linaro.org> wrote:
>>
>>>>
>>>> I'm observing authentication issue while loading U-Boot proper, U-Boot
>>>> proper now have features like SPL DM and SPL FIT etc
>>>>
>>>> U-Boot SPL 2018.03-rc1-00182-gb81f7c9 (Feb 08 2018 - 17:19:03 +0530)
>>>> Trying to boot from MMC1
>>>> Expected Linux image is not found. Trying to start U-boot
>>>>
>>>> Authenticate image from DDR location 0x17800000...
>>>> bad magic magic=0xb8 length=0x841b version=0x17
>>>> bad length magic=0xb8 length=0x841b version=0x17
>>>> bad version magic=0xb8 length=0x841b version=0x17
>>>> spl: ERROR: image authentication unsuccessful
>>>> ### ERROR ### Please RESET the board ###
>>>>
>>>> Please let me know where I missed, I'm authenticating SPL and
>>>> u-boot-dtb.img now.
>>>
>>>
>>> Can you please check if the generated u-boot-dtb.img contains a IVT
>>> table appended in the end of the image?
>>>
>>> The mx6slevk_spl_defconfig target also generates SPL + u-boot-dtb.img
>>> but I have to use the u-boot-ivt.img binary instead. In my case
>>> u-boot-dtb.img does not includes a IVT table.
>>>
>>> Best Regards,
>>> Breno Lima
>>>
>>
>> At a guess I'd say it's the fix we did for hab_auth_img - I guess Jagan you
>> have an out-of-tree implementation here ?
>
> Basically I'm trying to compare this with implementation before, look
> like issue is IVT image signature is missing for when
> CONFIG_SPL_LOAD_FIT defined. It's working without SPL_LOAD_FIT.
>
>>
>> If you have a command in your environment that looks like this
>>
>> hab_auth_img 0x17800000 0x10000
>>
>> that should now be
>>
>> hab_auth_img 0x17800000 0x10000 0xF400
>>
>> assuming the CSF footer is aprox 0xC00 bytes padded.
>>
>> git show c5800b2
>>
>> arm: imx: hab: Fix authenticate_image input parameters
>>
>> 1: Adding a new parameter to hab_auth_img
>> - addr : image hex address
>> - length : total length of the image
>> - offset : offset of IVT from addr
>>
>
> I've created u-boot-ivt.image which we did in previous releases[2] and
> padded 0x2000 to CSF to align the size of CONFIG_CSF_SIZE
>
> Image Name: U-Boot 2018.03-rc1-00182-gb81f7c
> Created: Fri Feb 9 11:00:05 2018
> Image Type: ARM U-Boot Firmware with HABv4 IVT (uncompressed)
> Data Size: 360384 Bytes = 351.94 KiB = 0.34 MiB
> Load Address: 17800000
> Entry Point: 00000000
> HAB Blocks: 0x177fffc0 0x0000 0x00056020
>
> icorem6qdl-rqs> hab_auth_img 0x177fffc0 0x58020 0x56020
>
> Authenticate image from DDR location 0x177fffc0...
> bad magic magic=0xd4 length=0x5000 version=0x41
> bad length magic=0xd4 length=0x5000 version=0x41
>
> [2] https://openedev.amarulasolutions.com/display/ODUBOOT/i.MX6+HABv4#i.MX6HABv4-SignedBoot-Usage
>
Ah... is that diagram accurate ?
You are perpending the IVT to your image header
In which case your command should be
icorem6qdl-rqs> hab_auth_img 0x177fffc0 0x58020 0
Incidentially you are pointed at the CSF there not the IVT.
High Assurance Boot Version 4 Application Programming Interface
Reference Manual section 6.2
tag = 0xD4 => CSF
tag = 0xD1 => IVT
---
bod
More information about the U-Boot
mailing list