[U-Boot] Enabling i.mx6 high assurance boot appears to breaks u-boot verified-boot

[Marek Vasut]

On 05/19/2018 02:40 AM, Davis Roman wrote:
> Hello,

Hi,

> We're currently using i.mx6 with u-boot 2017.03

Is there any reason why you wouldn't use something newer ? Or is that
the NXP fork of U-Boot ?

> and kernel 4.9 and our
> goal is to implement a chain of trust in our product.
> 
> So far we've done the following:
> 
> 1. We're using u-boot fitimage in our system in order to put our
> kernel, initramfs and 10 device trees into a boot.itb container.
> 
> 2. We've gone ahead and enabled verified-boot which signs the
> u-boot.itb and then is verified by u-boot using the attached control
> fdt which contains the public key.
> 
> 3. Finally, we're enabling i.mx6 high assurance boot so that the
> bootrom can verify u-boot. ( All previous HAB events have been
> resolved. Unit is ready to go from open -> closed )
> 
> The issue that we're seeing is that when we enable secure boot, this
> breaks the verified-boot feature ( in step 2 )
> 
> This is the error that we get:
> 
> Failed to verify required signature 'key-dev'
> Bad Data Hash
> ERROR: can't get kernel image!
> =>
> 
> If I don't enable secure boot, I don't get this error. Board boots fine.
> 
> I believe that the issue lies in the fact that secureboot adds the csf
> blob data  at the end of u-boot-dtb.imx and now u-boot is not longer
> able to find the controlfdt blob with the key information needed for
> verified-boot to work.
> 
> Additionally, after performing a hex comparison between two u-boots
> with secure boot enabled and not enabled, I can see that the
> controlfdt info is available in both cases.
> 
> If anyone has any thoughts on this, I would greatly appreciate it.

Can you try latest 2018.05 or u-boot/master and see if that's still broken ?

-- 
Best regards,
Marek Vasut