[U-Boot] Enabling i.mx6 high assurance boot appears to breaks u-boot verified-boot

Davis Roman davis.roman84 at gmail.com
Sat May 19 00:40:41 UTC 2018


Hello,

We're currently using i.mx6 with u-boot 2017.03 and kernel 4.9 and our
goal is to implement a chain of trust in our product.

So far we've done the following:

1. We're using u-boot fitimage in our system in order to put our
kernel, initramfs and 10 device trees into a boot.itb container.

2. We've gone ahead and enabled verified-boot which signs the
u-boot.itb and then is verified by u-boot using the attached control
fdt which contains the public key.

3. Finally, we're enabling i.mx6 high assurance boot so that the
bootrom can verify u-boot. ( All previous HAB events have been
resolved. Unit is ready to go from open -> closed )

The issue that we're seeing is that when we enable secure boot, this
breaks the verified-boot feature ( in step 2 )

This is the error that we get:

Failed to verify required signature 'key-dev'
Bad Data Hash
ERROR: can't get kernel image!
=>

If I don't enable secure boot, I don't get this error. Board boots fine.

I believe that the issue lies in the fact that secureboot adds the csf
blob data  at the end of u-boot-dtb.imx and now u-boot is not longer
able to find the controlfdt blob with the key information needed for
verified-boot to work.

Additionally, after performing a hex comparison between two u-boots
with secure boot enabled and not enabled, I can see that the
controlfdt info is available in both cases.

If anyone has any thoughts on this, I would greatly appreciate it.

Thank you,


Davis Roman


More information about the U-Boot mailing list