[U-Boot] Enabling i.mx6 high assurance boot appears to breaks u-boot verified-boot
Davis Roman
davis.roman84 at gmail.com
Sat May 19 00:40:41 UTC 2018
Hello,
We're currently using i.mx6 with u-boot 2017.03 and kernel 4.9 and our
goal is to implement a chain of trust in our product.
So far we've done the following:
1. We're using u-boot fitimage in our system in order to put our
kernel, initramfs and 10 device trees into a boot.itb container.
2. We've gone ahead and enabled verified-boot which signs the
u-boot.itb and then is verified by u-boot using the attached control
fdt which contains the public key.
3. Finally, we're enabling i.mx6 high assurance boot so that the
bootrom can verify u-boot. ( All previous HAB events have been
resolved. Unit is ready to go from open -> closed )
The issue that we're seeing is that when we enable secure boot, this
breaks the verified-boot feature ( in step 2 )
This is the error that we get:
Failed to verify required signature 'key-dev'
Bad Data Hash
ERROR: can't get kernel image!
=>
If I don't enable secure boot, I don't get this error. Board boots fine.
I believe that the issue lies in the fact that secureboot adds the csf
blob data at the end of u-boot-dtb.imx and now u-boot is not longer
able to find the controlfdt blob with the key information needed for
verified-boot to work.
Additionally, after performing a hex comparison between two u-boots
with secure boot enabled and not enabled, I can see that the
controlfdt info is available in both cases.
If anyone has any thoughts on this, I would greatly appreciate it.
Thank you,
Davis Roman
More information about the U-Boot
mailing list