imx8mm: Invalid IVT structure

Harm Berntsen harm.berntsen at nedap.com
Wed Jun 8 18:46:35 CEST 2022


Hi,

On Wed, 2022-06-08 at 17:39 +0200, Michael Nazzareno Trimarchi wrote:
> Hi Tim
> 
> On Wed, Jun 8, 2022 at 5:25 PM Tim Harvey <tharvey at gateworks.com> wrote:
> > 
> > On Wed, Jun 8, 2022 at 8:09 AM Tommaso Merciai
> > <tommaso.merciai at amarulasolutions.com> wrote:
> > > 
> > > Hi,
> > > 
> > > On Wed, Jun 08, 2022 at 04:14:51PM +0200, Michael Nazzareno
> > > Trimarchi wrote:
> > > > Hi
> > > > 
> > > > On Wed, Jun 8, 2022 at 4:13 PM Fabio Estevam
> > > > <festevam at gmail.com> wrote:
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > On top of tree U-Boot, when CONFIG_IMX_HAB=y is selected in
> > > > > imx8mm_evk_defconfig, the following error messages are seen:
> > > > > 
> > > > > U-Boot SPL 2022.07-rc3-00097-g26aa5e5c3fbc-dirty (Jun 08 2022
> > > > > - 10:59:56 -0300)
> > > > > SEC0:  RNG instantiated
> > > > > Normal Boot
> > > > > WDT:   Started watchdog at 30280000 with servicing (60s timeout)
> > > > > Trying to boot from MMC1
> > > > > hab fuse not enabled
> > > > > 
> > > > > Authenticate image from DDR location 0x401fcdc0...
> > > > > bad magic magic=0x0 length=0x00 version=0x0
> > > > > bad length magic=0x0 length=0x00 version=0x0
> > > > > bad version magic=0x0 length=0x00 version=0x0
> > > > > Error: Invalid IVT structure
> > > > 
> > > > > You need to have a signed image
> > > 
> > > Agree
> > > 
> > > Maybe this page can help you Fabio
> > > https://boundarydevices.com/high-assurance-boot-hab-i-mx8m-edition/
> > > 
> > 
> > Tommaso,
> > 
> > Is that info still applicable to mainline U-Boot where binman is used
> > to generate images?
> > 
> > I'm not clear how the image signing is affected when using binman. I
> > believe Heiko was talking about getting binman to sign images at one
> > point but I'm not sure if anyone has worked on that.
> > 
> 
> We should use the CST to sign the image. I don't know if anyone is
> working on this for binman
> 
> Michael
> 
> > Best Regards,
> > 
> > Tim
> 
> 
> 

I've been working on creating the CSF within Binman. I basically
introduced two novelties in my code:

1. Fully generate the CSF for the U-Boot SPL within Binman
2. Embed a sha256 hash of U-Boot TPL in the SPL (which is signed through
the CSF). So the TPL can be verified using a simple hash check.

See https://gitlab.com/hberntsen/u-boot/-/commits/secure-boot for my
commits on top of v2022.04. I did not submit those yet as I wanted to
internally test and review. Unfortunately, due to other priorities this
has not happened yet. So if anyone wants to help, let me know :).

Kind regards,
Harm
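
The three "bad ..." lines in the SPL log quoted above correspond to three checks on the IVT header (magic, length, version). A host-side version of that check, as an added example that is not code from this thread or from U-Boot; the constants are the HAB IVT header values (tag 0xD1, length 0x20, major version 0x4x), and the function, flag and sample names are hypothetical:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HAB IVT header layout: tag, 16-bit big-endian length, version */
#define IVT_TAG       0xD1u
#define IVT_LENGTH    0x0020u
#define HAB_MAJ_MASK  0xF0u
#define HAB_MAJ_VER   0x40u

/* Result flags (hypothetical names, one per "bad ..." line in the SPL log) */
#define IVT_BAD_MAGIC   0x1u
#define IVT_BAD_LENGTH  0x2u
#define IVT_BAD_VERSION 0x4u
#define IVT_TRUNCATED   0x8u

/* Constructed samples: memory with no IVT (all zero) and a well-formed header */
static const uint8_t sample_no_ivt[IVT_LENGTH] = { 0 };
static const uint8_t sample_ivt[IVT_LENGTH] = { 0xD1, 0x00, 0x20, 0x41 };

/* Check the IVT header at buf[off]; returns 0 or an OR of the flags above. */
unsigned ivt_header_check(const uint8_t *buf, size_t len, size_t off)
{
	unsigned err = 0;

	if (off > len || len - off < IVT_LENGTH)
		return IVT_TRUNCATED;	/* a full IVT does not fit at this offset */

	unsigned length = ((unsigned)buf[off + 1] << 8) | buf[off + 2];

	if (buf[off] != IVT_TAG)
		err |= IVT_BAD_MAGIC;
	if (length != IVT_LENGTH)
		err |= IVT_BAD_LENGTH;
	if ((buf[off + 3] & HAB_MAJ_MASK) != HAB_MAJ_VER)
		err |= IVT_BAD_VERSION;
	return err;
}

int main(void)
{
	/* An image built without the signing step has nothing at the IVT offset */
	printf("no IVT:   0x%x\n", ivt_header_check(sample_no_ivt, sizeof sample_no_ivt, 0));
	printf("with IVT: 0x%x\n", ivt_header_check(sample_ivt, sizeof sample_ivt, 0));
	return 0;
}
```

A header that passes only shows that an IVT is present at that offset; authenticating the image is still done by HAB against the CSF.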

