I am trying to enable secure boot for our product which is based on a verdin-imx8mp module. I have read several application notes such as the AN4581, the Code-Signing Tool User Guide and other materials. I have also read and followed the guidance as described on:
I have been able to build the torizon-minimal image and then started enabling secure boot by adding the ‘INHERIT += “tdx-signed”’ line in the conf/local.conf as described on the secure boot page. It then starts generating several fitImage and in the log.do_compile of imx-boot I see the layout of the fitImage that is being created. I also see that in the build directory there is a folder structure keys/fit which contains dev.key, dev.crt, dev2.key, dev2.crt.
After having read the guidances I would expect that I would have a failing build since I did not yet placed the CST tool in ${TOPDIR}/keys/cst. I also tried to put the CST tool there but then I would expect some actions regarding CSF files and the generation of the fuse-cmds.txt file.
I am missing a bit of understanding between the combination of meta-toradex-security and the usage of the CST tool and how to operate these together. Could someone guide me through this? Or point me to materials where this is described?
I just reproduced this behavior myself. Your intuition is correct, from what I can see in meta-toradex-security there should be an error thrown if the CST tool is not present and setup correctly.
I’ll bring this up with our team internally. Thank you for bringing this to our attention.
Thank you for reproducing this and for creating a problem report on GitHub.
Actually just saw the pull request in GitHub and tried the change suggested by Sergio Prado myself. It seems like now I get some errors, for example that it could not find CST, or that it could not find SRK fuse files. I will monitor the PR and will try to continue with integrating secure boot. So far I have been able to generate some images, see the attached log of the imx-boot steps.
On the other hand I would also like to get some confirmation from your side (when possible) if it now works as intended.
Kind regards,
Randy
DEBUG: Executing shell function do_compile
NOTE: UBOOT_CONFIG = sd, UBOOT_DTB_NAME = imx8mp-verdin.dtb
NOTE: 8MQ/8MM/8MN/8MP boot binary build
NOTE: Copy ddr_firmware: lpddr4_pmu_train_1d_dmem_202006.bin from /workdir/torizon/build-torizon/deploy/images/verdin-imx8mp -> /workdir/torizon/build-torizon/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/iMX8M
NOTE: Copy ddr_firmware: lpddr4_pmu_train_1d_imem_202006.bin from /workdir/torizon/build-torizon/deploy/images/verdin-imx8mp -> /workdir/torizon/build-torizon/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/iMX8M
NOTE: Copy ddr_firmware: lpddr4_pmu_train_2d_dmem_202006.bin from /workdir/torizon/build-torizon/deploy/images/verdin-imx8mp -> /workdir/torizon/build-torizon/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/iMX8M
NOTE: Copy ddr_firmware: lpddr4_pmu_train_2d_imem_202006.bin from /workdir/torizon/build-torizon/deploy/images/verdin-imx8mp -> /workdir/torizon/build-torizon/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/iMX8M
NOTE: building iMX8MP - flash_evk_emmc_fastboot
31764+0 records in
31764+0 records out
127056 bytes (127 kB, 124 KiB) copied, 0.0249128 s, 5.1 MB/s
./../scripts/dtb_check.sh imx8mp-evk.dtb evk.dtb imx8mp-verdin.dtb-sd
Use u-boot DTB: imx8mp-verdin.dtb-sd
./../scripts/pad_image.sh tee.bin
Pad file tee.bin NOT found
./../scripts/pad_image.sh bl31.bin
bl31.bin is padded to 41296
./../scripts/pad_image.sh u-boot-nodtb.bin evk.dtb
u-boot-nodtb.bin + evk.dtb are padded to 951024
BL32=tee.bin DEK_BLOB_LOAD_ADDR=0x40400000 TEE_LOAD_ADDR=0x56000000 ATF_LOAD_ADDR=0x00970000 ../iMX8M/mkimage_fit_atf.sh evk.dtb > u-boot.its
bl31.bin size:
41296
u-boot-nodtb.bin size:
886616
evk.dtb size:
64408
mkimage -E -p 0x5000 -f u-boot.its u-boot.itb
FIT description: Configuration to load ATF before U-Boot
Created: Thu Jan 1 00:00:00 1970
Image 0 (uboot-1)
Description: U-Boot (64-bit)
Created: Thu Jan 1 00:00:00 1970
Type: Standalone Program
Compression: uncompressed
Data Size: 886616 Bytes = 865.84 KiB = 0.85 MiB
Architecture: AArch64
Load Address: 0x40200000
Entry Point: unavailable
Image 1 (fdt-1)
Description: evk
Created: Thu Jan 1 00:00:00 1970
Type: Flat Device Tree
Compression: uncompressed
Data Size: 64408 Bytes = 62.90 KiB = 0.06 MiB
Architecture: Unknown Architecture
Image 2 (atf-1)
Description: ARM Trusted Firmware
Created: Thu Jan 1 00:00:00 1970
Type: Firmware
Compression: uncompressed
Data Size: 41296 Bytes = 40.33 KiB = 0.04 MiB
Architecture: AArch64
OS: Unknown OS
Load Address: 0x00970000
Default Configuration: 'config-1'
Configuration 0 (config-1)
Description: evk
Kernel: unavailable
Firmware: uboot-1
FDT: fdt-1
Loadables: atf-1
./mkimage_imx8 -version v2 -dev emmc_fastboot -fit -loader u-boot-spl-ddr.bin 0x920000 -second_loader u-boot.itb 0x40200000 0x60000 -out flash.bin
Platform: i.MX8M (mScale)
ROM VERSION: v2
BOOT DEVICE: emmc_fastboot
Using FIT image
LOADER IMAGE: u-boot-spl-ddr.bin start addr: 0x00920000
SECOND LOADER IMAGE: u-boot.itb start addr: 0x40200000 offset: 0x00060000
Output: flash.bin
fit_size: 888
1+0 records in
1+0 records out
888 bytes copied, 5.5578e-05 s, 16.0 MB/s
FIT hash: f2341e1498e8a316f2080e248972c90143119c51c1722e10ed611494592c2d
========= IVT HEADER [HDMI FW] =========
header.tag: 0x0
header.length: 0x0
header.version: 0x0
entry: 0x0
reserved1: 0x0
dcd_ptr: 0x0
boot_data_ptr: 0x0
self: 0x0
csf: 0x0
reserved2: 0x0
boot_data.start: 0x0
boot_data.size: 0x0
boot_data.plugin: 0x0
========= IVT HEADER [PLUGIN] =========
header.tag: 0x0
header.length: 0x0
header.version: 0x0
entry: 0x0
reserved1: 0x0
dcd_ptr: 0x0
boot_data_ptr: 0x0
self: 0x0
csf: 0x0
reserved2: 0x0
boot_data.start: 0x0
boot_data.size: 0x0
boot_data.plugin: 0x0
========= IVT HEADER [LOADER IMAGE] =========
header.tag: 0xd1
header.length: 0x2000
header.version: 0x41
entry: 0x920000
reserved1: 0x0
dcd_ptr: 0x0
boot_data_ptr: 0x91ffe0
self: 0x91ffc0
csf: 0x9571c0
reserved2: 0x0
boot_data.start: 0x91ffc0
boot_data.size: 0x39260
boot_data.plugin: 0x0
========= OFFSET dump =========
Loader IMAGE:
header_image_off 0x0
dcd_off 0x0
image_off 0x40
csf_off 0x37200
spl hab block: 0x91ffc0 0x0 0x37200
Second Loader IMAGE:
sld_header_off 0x60000
sld_csf_off 0x61020
sld hab block: 0x401fadc0 0x60000 0x1020
SPL CSF block:
Blocks = 0x91ffc0 0x0 0x37200 "flash.bin"
SLD CSF block:
Blocks = 0x401fadc0 0x60000 0x1020 "flash.bin",\
fit-fdt csf_off 0x63020
fit-fdt hab block: 0x401fadc0 0x60000 0x3020
SLD FIT-FDT CSF block:
Blocks = 0x401fadc0 0x60000 0x3020 "flash.bin"
NOTE: UBOOT_CONFIG = sd, UBOOT_DTB_NAME = imx8mp-verdin.dtb
/workdir/torizon/build-torizon/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/mx8m_create_csf.sh -t flash_evk_emmc_fastboot
Verified TDX_IMX_HAB_CST_SRK=/workdir/torizon/build-torizon/keys/cst/crts/SRK_1_2_3_4_table.bin
Verified TDX_IMX_HAB_CST_SRK_CERT=/workdir/torizon/build-torizon/keys/cst/crts/SRK1_sha256_2048_65537_v3_ca_crt.pem
Verified TDX_IMX_HAB_CST_CSF_CERT=/workdir/torizon/build-torizon/keys/cst/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem
Verified TDX_IMX_HAB_CST_IMG_CERT=/workdir/torizon/build-torizon/keys/cst/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem
Verified TDX_IMX_HAB_CST_BIN=/workdir/torizon/build-torizon/keys/cst/linux64/bin/cst
Verified IMXBOOT=/workdir/torizon/build-torizon/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot
Verified LOG_MKIMAGE=/workdir/torizon/build-torizon/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/mkimage.log
Verified LOG_PRINT_FIT_HAB=/workdir/torizon/build-torizon/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/mkimage.hab
Creating CSF file: flash_evk_emmc_fastboot-csf-spl.csf
CSF Processed successfully and signed data available in flash_evk_emmc_fastboot-csf-spl.bin
Creating CSF file: flash_evk_emmc_fastboot-csf-fit.csf
CSF Processed successfully and signed data available in flash_evk_emmc_fastboot-csf-fit.bin
'/workdir/torizon/build-torizon/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot' -> '/workdir/torizon/build-torizon/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd
.bin-flash_evk_emmc_fastboot-unsigned'
3912+0 records in
3912+0 records out
3912 bytes (3.9 kB, 3.8 KiB) copied, 0.0018116 s, 2.2 MB/s
3928+0 records in
3928+0 records out
3928 bytes (3.9 kB, 3.8 KiB) copied, 0.00184539 s, 2.1 MB/s
DEBUG: Shell function do_compile finished
It seems like now I get some errors, for example that it could not find CST, or that it could not find SRK fuse files.
Well that’s a good thing right? The intent is that an error should be thrown when the CST tool is not downloaded and setup properly on the build system as instructed.
On the other hand I would also like to get some confirmation from your side (when possible) if it now works as intended.
That is indeed a good thing, also meant it like that .
I will pull the latest changes for the meta-toradex-security layer and continue working on this. Thank you for your support!
