[U-Boot] Workaround for SPL modifying the DTB before use

Bartlomiej bartek at conclusive.pl
Mon Sep 16 14:22:36 UTC 2019


We're implementing secure boot using HAB for an i.MX8M based board using 
U-Boot, specifically the fork from the `u-boot-imx6` repository from 
Boundary Devices. The reason i'm posting this here, is because the 
problematic behaviour we encountered seems to come from the mainline.

We have a FIT image which contains the U-Boot, ATF & the DTB. The SPL 
manipulates the DTB when booting the board by adding a memreserve 
section and an additional node into the FDT. This makes secure boot fail 
when verifying the DTB from the image, since it has a different length 
and contents. The workaround we used is removing the DTB from the 
U-Boot's FIT image and embedding it directly in the binary. This seems 
to work, but are there any better ways of fixing the above problem?

Best regards,
Bartlomiej Nowak

More information about the U-Boot mailing list