Boot error with Torizon 7.6.0

Hi support,

I am working with a Verdin iMX8MP and the Mallow carrier board v1.1. I created a new Torizon image with TorizonCore Builder. This is my error when powering up the board:

U-Boot 2024.07-7.6.0+git.3f772959501c (Jan 01 1970 - 00:00:00 +0000)

CPU:   Freescale i.MX8MP[6] rev1.1 1600 MHz (running at 1200 MHz)
CPU:   Industrial temperature grade (-40C to 105C) at 49C
Reset cause: POR
DRAM:  2 GiB
Core:  173 devices, 32 uclasses, devicetree: separate
WDT:   Started watchdog@30280000 with servicing every 1000ms (60s timeout)
MMC:   FSL_SDHC: 1, FSL_SDHC: 2
Loading Environment from MMC... Reading from MMC(2)... OK
In:    serial@30880000
Out:   serial@30880000
Err:   serial@30880000
Model: Toradex 0064 Verdin iMX8M Plus Quad 2GB WB IT V1.1A
Serial#: 15603379
Carrier: Toradex UNKNOWN CARRIER BOARD V1.1C, Serial# 11486223
SEC0:  RNG instantiated
Net:   pca953x gpio-expander@21: Error reading output register
eth1: ethernet@30be0000, eth0: ethernet@30bf0000 [PRIME]
## U-Boot CLI access is enabled
Hit any key to stop autoboot:  0
MMC: no card present
switch to partitions #0, OK
mmc2(part 0) is current device
Scanning mmc 2:1...
Found U-Boot script /boot.scr
970 bytes read in 1 ms (947.3 KiB/s)
## Executing script at 50280000
12847 bytes read in 2 ms (6.1 MiB/s)
## NOTE: Bootloader seems to support secure boot.
72 bytes read in 3 ms (23.4 KiB/s)
Applying Overlay: verdin-imx8mp_panel-touch-10inch-lvds_overlay_digimax.dtbo
25975740 bytes read in 88 ms (281.5 MiB/s)
## Loading kernel from FIT Image at 50300000 ...
   Using 'conf-freescale_imx8mp-verdin-wifi-mallow.dtb' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev-  error!
Can't get hash value property for '<NULL>' hash node in 'conf-freescale_imx8mp-verdin-wifi-mallow.dtb' config node
Failed to verify required signature 'key-dev'
Bad Data Hash
ERROR -2: can't get kernel image!
SCRIPT FAILED: continuing...
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `usb start`.
starting USB...
Bus usb@38200000: Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.10
scanning bus usb@38200000 for devices... 4 USB Device(s) found
       scanning usb for storage devices... 0 Storage Device(s) found
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `pci enum`.
PCIE-0: Link down
## WARNING: Command execution denied (blocked by category) for `dhcp 0x50280000 boot.scr`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `dhcp 0x50280000 boot.scr`.

and this is my tcbuild.yaml file configuration:

---
input:
  easy-installer:
    remote: https://tezi.toradex.com/artifactory/torizoncore-oe-prod-frankfurt/scarthgap-7.x.y/release/36/verdin-imx8mp/torizon/torizon-docker/tdx-signed/oedeploy/torizon-docker-verdin-imx8>
customization:
  device-tree:
    include-dirs:
      - linux/include
      - linux/arch/arm64/boot/dts/freescale/
    custom: linux/arch/arm64/boot/dts/freescale/imx8mp-verdin-wifi-mallow.dts
    overlays:
      add:
        - device-trees/overlays/verdin-imx8mp_panel-touch-10inch-lvds_overlay_digimax.dts
output:
  easy-installer:
    name: digimax_demo_0.1.0
    local: digimax-torizon-image
    accept-licence: true
    autoinstall: true
    bundle:
      compose-file: containers/docker-compose.yml

Where is the issue, and why do I have this behavior?

Thanks

Fabio

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.


Hello Fabio,

The error you’re encountering is related to signature verification failure in the kernel FIT image. Looking at your boot log, the critical error is:

Verifying Hash Integrity ... sha256,rsa2048:dev-  error!
Can't get hash value property for '<NULL>' hash node in 'conf-freescale_imx8mp-verdin-wifi-mallow.dtb' config node
Failed to verify required signature 'key-dev'

Root Cause Analysis

You’re using a signed Torizon OS image (as indicated by the tdx-signed in your download URL), which has Secure Boot features enabled (1). When you customize this image with TorizonCore Builder, particularly when modifying the device tree or adding overlays, the kernel binary gets modified and requires re-signing (2).

Solution

Since you’re modifying the kernel configuration (custom device tree and overlays), you need to re-sign the kernel after customization. Add the secboot section to your tcbuild.yaml configuration:

---
input:
  easy-installer:
    remote: https://tezi.toradex.com/artifactory/torizoncore-oe-prod-frankfurt/scarthgap-7.x.y/release/36/verdin-imx8mp/torizon/torizon-docker/tdx-signed/oedeploy/torizon-docker-verdin-imx8mp-Tezi_7.6.0+build.36.tar
customization:
  device-tree:
    include-dirs:
      - linux/include
      - linux/arch/arm64/boot/dts/freescale/
    custom: linux/arch/arm64/boot/dts/freescale/imx8mp-verdin-wifi-mallow.dts
    overlays:
      add:
        - device-trees/overlays/verdin-imx8mp_panel-touch-10inch-lvds_overlay_digimax.dts
  secboot:
    sign-kernel:
      kernel-key-dir: /path/to/your/kernel/keys
      kernel-key: "name=dev;algo=sha256,rsa2048"
output:
  easy-installer:
    name: digimax_demo_0.1.0
    local: digimax-torizon-image
    accept-licence: true
    autoinstall: true
    bundle:
      compose-file: containers/docker-compose.yml

Important Notes

  1. Kernel Key Directory: You need to provide the directory containing your private key in PEM format with a .key extension (2).

  2. Key Management: The kernel-key parameter specifies the key name and algorithm. In your case, it should match the dev key that the image expects (2).

  3. Secure Boot Implications: When using Secure Boot images, custom kernel arguments are prepended rather than appended, and changes to kernel arguments require re-signing (2).

Alternative Approach

If you don’t need Secure Boot features for your development, consider using a non-signed Torizon OS image instead. Replace tdx-signed with the regular image path in your download URL.

The signature verification is working as designed to ensure only authenticated software can execute on your device (1).

Best regards,
Toradex AI Assistant.


For follow-up questions to me, please use @ToradexAI in your post.
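
A pre-flash consistency check for the failure discussed in this thread, as an added example (not Toradex or TorizonCore Builder code): it takes a tcbuild.yaml already parsed into a dict plus an optional U-Boot log, and flags a tdx-signed input whose kernel-affecting customization has no sign-kernel section, or a kernel-key that differs from the key the log demands. The function names, the sample host and the handling of a `kernel` section are assumptions.

```python
import re

# Customization sections that change the kernel FIT image. "device-tree" is
# from the thread; "kernel" is an assumption based on the answer's note that
# kernel-argument changes also require re-signing.
KERNEL_AFFECTING = ("device-tree", "kernel")

def required_key(boot_log):
    """Return (name, algo) of the signature U-Boot demanded, or None."""
    name = re.search(r"Failed to verify required signature 'key-([^']+)'", boot_log)
    algo = re.search(r"Verifying Hash Integrity \.\.\. ([\w,]+):", boot_log)
    if not name:
        return None
    return name.group(1), (algo.group(1) if algo else None)

def parse_kernel_key(spec):
    """Split 'name=dev;algo=sha256,rsa2048' into a dict."""
    return dict(part.split("=", 1) for part in spec.split(";") if "=" in part)

def lint_tcbuild(cfg, boot_log=""):
    """Return findings for a parsed tcbuild.yaml (a dict); empty means consistent."""
    findings = []
    remote = cfg.get("input", {}).get("easy-installer", {}).get("remote", "")
    custom = cfg.get("customization", {})
    touched = [k for k in KERNEL_AFFECTING if k in custom]
    sign = custom.get("secboot", {}).get("sign-kernel")
    if "/tdx-signed/" in remote and touched and not sign:
        findings.append("signed input image, %s customized, no secboot.sign-kernel"
                        % "/".join(touched))
    need = required_key(boot_log)
    if sign and need:
        have = parse_kernel_key(sign.get("kernel-key", ""))
        # Compare the algorithm only when the log actually reported one.
        if have.get("name") != need[0] or (need[1] and have.get("algo") != need[1]):
            findings.append("kernel-key %r does not match required %r" % (have, need))
    return findings

# Constructed sample input, trimmed from the configuration and log in the thread.
SAMPLE_LOG = """\
   Verifying Hash Integrity ... sha256,rsa2048:dev-  error!
Failed to verify required signature 'key-dev'
"""
SAMPLE_CFG = {
    "input": {"easy-installer": {"remote": "https://tezi.example/tdx-signed/oedeploy/image.tar"}},
    "customization": {"device-tree": {"custom": "imx8mp-verdin-wifi-mallow.dts"}},
}

if __name__ == "__main__":
    for finding in lint_tcbuild(SAMPLE_CFG, SAMPLE_LOG):
        print("FINDING:", finding)
```

To run it on a real file, load the YAML into a dict with the parser of your choice and pass the captured serial console output as the second argument.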

Greetings @fmolon,

Your input image is from https://tezi.toradex.com/artifactory/torizoncore-oe-prod-frankfurt/scarthgap-7.x.y/release/36/verdin-imx8mp/torizon/torizon-docker/tdx-signed/oedeploy/torizon-docker-verdin-imx8. This is for a secure boot signed image; you would need to re-sign the image after making any changes in order for the integrity/validation of the image to pass on boot.

I assume you didn’t intend to use a signed image, if you got the link from our downloads page: Download Links | Toradex Developer Center

It seems there was an error on the link for the Verdin i.MX8MP and it’s pointing to this pre-signed image. If you intended to use a normal standard Torizon OS image, then use this link instead: https://tezi.toradex.com/artifactory/torizoncore-oe-prod-frankfurt/scarthgap-7.x.y/release/36/verdin-imx8mp/torizon/torizon-docker/oedeploy/torizon-docker-verdin-imx8mp-Tezi_7.6.0+build.36.tar

I’ve already reported the incorrect link to our team.

Best Regards,
Jeremias

Thanks for the support @jeremias.tx

Glad we were able to help.

Best Regards,
Jeremias