[U-Boot] [PATCH v6 00/25] Fix and extend i.MX HAB layer

Bryan O'Donoghue bryan.odonoghue at linaro.org
Fri Feb 9 10:01:24 UTC 2018 


On 09/02/18 07:27, Jagan Teki wrote:
> On Thu, Feb 8, 2018 at 9:47 PM, Bryan O'Donoghue
> <bryan.odonoghue at linaro.org> wrote:
>>
>>>>
>>>> I'm observing authentication issue while loading U-Boot proper, U-Boot
>>>> proper now have features like SPL DM and SPL FIT etc
>>>>
>>>> U-Boot SPL 2018.03-rc1-00182-gb81f7c9 (Feb 08 2018 - 17:19:03 +0530)
>>>> Trying to boot from MMC1
>>>> Expected Linux image is not found. Trying to start U-boot
>>>>
>>>> Authenticate image from DDR location 0x17800000...
>>>> bad magic magic=0xb8 length=0x841b version=0x17
>>>> bad length magic=0xb8 length=0x841b version=0x17
>>>> bad version magic=0xb8 length=0x841b version=0x17
>>>> spl: ERROR:  image authentication unsuccessful
>>>> ### ERROR ### Please RESET the board ###
>>>>
>>>> Please let me know where I missed, I'm authenticating SPL and
>>>> u-boot-dtb.img now.
>>>
>>>
>>> Can you please check if the generated u-boot-dtb.img contains a IVT
>>> table appended in the end of the image?
>>>
>>> The mx6slevk_spl_defconfig target also generates SPL + u-boot-dtb.img
>>> but I have to use the u-boot-ivt.img binary instead. In my case
>>> u-boot-dtb.img does not includes a IVT table.
>>>
>>> Best Regards,
>>> Breno Lima
>>>
>>
>> At a guess I'd say it's the fix we did for hab_auth_img - I guess Jagan you
>> have an out-of-tree implementation here ?
> 
> Basically I'm trying to compare this with implementation before, look
> like issue is IVT image signature is missing for when
> CONFIG_SPL_LOAD_FIT defined.  It's working without SPL_LOAD_FIT.
> 
>>
>> If you have a command in your environment that looks like this
>>
>> hab_auth_img 0x17800000 0x10000
>>
>> that should now be
>>
>> hab_auth_img 0x17800000 0x10000 0xF400
>>
>> assuming the CSF footer is aprox 0xC00 bytes padded.
>>
>> git show c5800b2
>>
>> arm: imx: hab: Fix authenticate_image input parameters
>>
>> 1: Adding a new parameter to hab_auth_img
>>         - addr   : image hex address
>>         - length : total length of the image
>>         - offset : offset of IVT from addr
>>
> 
> I've created u-boot-ivt.image which we did in previous releases[2] and
> padded 0x2000 to CSF to align the size of CONFIG_CSF_SIZE
> 
> Image Name:   U-Boot 2018.03-rc1-00182-gb81f7c
> Created:      Fri Feb  9 11:00:05 2018
> Image Type:   ARM U-Boot Firmware with HABv4 IVT (uncompressed)
> Data Size:    360384 Bytes = 351.94 KiB = 0.34 MiB
> Load Address: 17800000
> Entry Point:  00000000
> HAB Blocks:   0x177fffc0   0x0000   0x00056020
> 
> icorem6qdl-rqs> hab_auth_img 0x177fffc0 0x58020 0x56020
> 
> Authenticate image from DDR location 0x177fffc0...
> bad magic magic=0xd4 length=0x5000 version=0x41
> bad length magic=0xd4 length=0x5000 version=0x41
> 
> [2] https://openedev.amarulasolutions.com/display/ODUBOOT/i.MX6+HABv4#i.MX6HABv4-SignedBoot-Usage
> 

Ah... is that diagram accurate ?

You are perpending the IVT to your image header

In which case your command should be

icorem6qdl-rqs> hab_auth_img 0x177fffc0 0x58020 0

Incidentially you are pointed at the CSF there not the IVT.

High Assurance Boot Version 4 Application Programming Interface 
Reference Manual section 6.2

tag = 0xD4 => CSF
tag = 0xD1 => IVT

---
bod

More information about the U-Boot mailing list