i.MX7D 1GB eMMC secure boot using torizon-signed and custom device tree

Project Context

  • Board: Toradex Colibri iMX7 eMMC

  • OS: Torizon OS 7.3.0

  • Bootloader: Hardened U-Boot (secure boot support enabled)

  • Customizations:

    • Custom layer containing own device tree and tailored configurations

    • Custom device tree integrated into the build

    • Using FIT image (fitImage) for kernel + DTB


Problem

  • BitBake successfully compiles the binaries and image files, and dumpimage -l fitImage returns a valid image tree:

    FIT description: Kernel fitImage for Torizon OS Upstream/6.6/colibri-imx7-emmc
    Created:         Thu Jan  1 01:00:00 1970
     Image 0 (kernel-1)
      Description:  Linux kernel
      Created:      Thu Jan  1 01:00:00 1970
      Type:         Kernel Image
      Compression:  uncompressed
      Data Size:    11149824 Bytes = 10888.50 KiB = 10.63 MiB
      Architecture: ARM
      OS:           Linux
      Load Address: 0x84200000
      Entry Point:  0x84200000
      Hash algo:    sha256
      Hash value:   0cec3630c7a0394409d6c460c9a49dab90e72d78cfd856931fd420761236fc05
     Image 1 (fdt-my-custom-device-tree.dtb)
      Description:  Flattened Device Tree blob
      Created:      Thu Jan  1 01:00:00 1970
      Type:         Flat Device Tree
      Compression:  uncompressed
      Data Size:    60987 Bytes = 59.56 KiB = 0.06 MiB
      Architecture: ARM
      Load Address: 0x88200000
      Hash algo:    sha256
      Hash value:   5029a8f7a5c91b11a2ba6064b84e4676e8652aed13ce21702d3d5b1be526984b
     Image 2 (fdt-nxp_imx_imx7d-colibri-emmc-aster.dtb)
      Description:  Flattened Device Tree blob
      Created:      Thu Jan  1 01:00:00 1970
      Type:         Flat Device Tree
      Compression:  uncompressed
      Data Size:    57091 Bytes = 55.75 KiB = 0.05 MiB
      Architecture: ARM
      Load Address: 0x88200000
      Hash algo:    sha256
      Hash value:   5547639d59bb8b42315af168ba7a582701e4aa4f8e3023d2b2f419462bf0c8e6
     Image 3 (fdt-nxp_imx_imx7d-colibri-emmc-eval-v3.dtb)
      Description:  Flattened Device Tree blob
      Created:      Thu Jan  1 01:00:00 1970
      Type:         Flat Device Tree
      Compression:  uncompressed
      Data Size:    57530 Bytes = 56.18 KiB = 0.05 MiB
      Architecture: ARM
      Load Address: 0x88200000
      Hash algo:    sha256
      Hash value:   c2c369a5e52d2517e5b5c95a2d7960bcd04c6fb233d63fe7228f9a8670cd6493
     Image 4 (fdt-nxp_imx_imx7d-colibri-emmc-iris.dtb)
      Description:  Flattened Device Tree blob
      Created:      Thu Jan  1 01:00:00 1970
      Type:         Flat Device Tree
      Compression:  uncompressed
      Data Size:    57226 Bytes = 55.88 KiB = 0.05 MiB
      Architecture: ARM
      Load Address: 0x88200000
      Hash algo:    sha256
      Hash value:   d220305f95a7951783a4f21440867fd39a65f3d88317f03550feafe3f7d4531e
     Image 5 (fdt-nxp_imx_imx7d-colibri-emmc-iris-v2.dtb)
      Description:  Flattened Device Tree blob
      Created:      Thu Jan  1 01:00:00 1970
      Type:         Flat Device Tree
      Compression:  uncompressed
      Data Size:    57508 Bytes = 56.16 KiB = 0.05 MiB
      Architecture: ARM
      Load Address: 0x88200000
      Hash algo:    sha256
      Hash value:   d49185ed89b2fcf7db6becad5dbac2b1e4f2b051c2b5abc77308c1aaf52d29d7
     Image 6 (fdt-colibri-imx7-emmc-secboot-kargs_overlay.dtbo)
      Description:  Flattened Device Tree blob
      Created:      Thu Jan  1 01:00:00 1970
      Type:         Flat Device Tree
      Compression:  uncompressed
      Data Size:    494 Bytes = 0.48 KiB = 0.00 MiB
      Architecture: ARM
      Load Address: 0x88300000
      Hash algo:    sha256
      Hash value:   8fb7267df34d25d27357a0eee7c807b7a089a9faf0db57136bdfac5eb9df4285
     Image 7 (fdt-colibri-imx7_panel-cap-touch-10inch-lvds_overlay.dtbo)
      Description:  Flattened Device Tree blob
      Created:      Thu Jan  1 01:00:00 1970
      Type:         Flat Device Tree
      Compression:  uncompressed
      Data Size:    2780 Bytes = 2.71 KiB = 0.00 MiB
      Architecture: ARM
      Load Address: 0x88300000
      Hash algo:    sha256
      Hash value:   5a5b075b3bb0fbc4e45e0b51b09fd4baa575c0a4161d684baf5aeadd654cdefa
     Image 8 (fdt-colibri-imx7_panel-cap-touch-7inch_adapter_overlay.dtbo)
      Description:  Flattened Device Tree blob
      Created:      Thu Jan  1 01:00:00 1970
      Type:         Flat Device Tree
      Compression:  uncompressed
      Data Size:    2076 Bytes = 2.03 KiB = 0.00 MiB
      Architecture: ARM
      Load Address: 0x88300000
      Hash algo:    sha256
      Hash value:   d4b2c3004af0f358325e3d5c85207b20d3dd34a34031d2394a2b5b87327bbe6b
     Image 9 (fdt-colibri-imx7_panel-cap-touch-7inch_overlay.dtbo)
      Description:  Flattened Device Tree blob
      Created:      Thu Jan  1 01:00:00 1970
      Type:         Flat Device Tree
      Compression:  uncompressed
      Data Size:    1836 Bytes = 1.79 KiB = 0.00 MiB
      Architecture: ARM
      Load Address: 0x88300000
      Hash algo:    sha256
      Hash value:   cc93ca082d38f8e1d6691af9cec4fab6849fd3e6a4ae4f2ee1f59767a55833f4
     Image 10 (fdt-colibri-imx7_panel-res-touch-7inch_overlay.dtbo)
      Description:  Flattened Device Tree blob
      Created:      Thu Jan  1 01:00:00 1970
      Type:         Flat Device Tree
      Compression:  uncompressed
      Data Size:    1416 Bytes = 1.38 KiB = 0.00 MiB
      Architecture: ARM
      Load Address: 0x88300000
      Hash algo:    sha256
      Hash value:   dd1088fc84dd7f3a6bc0df65182478c8625216735d79deea340d1c907f3db3b7
     Image 11 (fdt-colibri-imx7_spidev_overlay.dtbo)
      Description:  Flattened Device Tree blob
      Created:      Thu Jan  1 01:00:00 1970
      Type:         Flat Device Tree
      Compression:  uncompressed
      Data Size:    609 Bytes = 0.59 KiB = 0.00 MiB
      Architecture: ARM
      Load Address: 0x88300000
      Hash algo:    sha256
      Hash value:   03dafebb6670f7aeba69d5242cfeab4fc90fa460015333d77d46c1c0202e32a0
     Image 12 (fdt-colibri-imx7_vga-640x480_overlay.dtbo)
      Description:  Flattened Device Tree blob
      Created:      Thu Jan  1 01:00:00 1970
      Type:         Flat Device Tree
      Compression:  uncompressed
      Data Size:    1352 Bytes = 1.32 KiB = 0.00 MiB
      Architecture: ARM
      Load Address: 0x88300000
      Hash algo:    sha256
      Hash value:   85f1699d4adf3399992904df644c2707c6a356a480eee688120eafa0f690567f
     Default Configuration: 'conf-my-custom-device-tree.dtb'
     Configuration 0 (conf-my-custom-device-tree.dtb)
      Description:  1 Linux kernel, FDT blob
      Kernel:       kernel-1
      FDT:          fdt-my-custom-device-tree.dtb
      Hash algo:    sha256
      Hash value:   unavailable
      Sign algo:    sha256,rsa2048:dev
      Sign padding: pkcs-1.5
      Sign value:   <omitted>
      Timestamp:    Thu Jan  1 01:00:00 1970
     Configuration 1 (conf-nxp_imx_imx7d-colibri-emmc-aster.dtb)
      Description:  0 Linux kernel, FDT blob
      Kernel:       kernel-1
      FDT:          fdt-nxp_imx_imx7d-colibri-emmc-aster.dtb
      Hash algo:    sha256
      Hash value:   unavailable
      Sign algo:    sha256,rsa2048:dev
      Sign padding: pkcs-1.5
      Sign value:   <omitted>
      Timestamp:    Thu Jan  1 01:00:00 1970
     Configuration 2 (conf-nxp_imx_imx7d-colibri-emmc-eval-v3.dtb)
      Description:  0 Linux kernel, FDT blob
      Kernel:       kernel-1
      FDT:          fdt-nxp_imx_imx7d-colibri-emmc-eval-v3.dtb
      Hash algo:    sha256
      Hash value:   unavailable
      Sign algo:    sha256,rsa2048:dev
      Sign padding: pkcs-1.5
      Sign value:   <omitted>
      Timestamp:    Thu Jan  1 01:00:00 1970
     Configuration 3 (conf-nxp_imx_imx7d-colibri-emmc-iris.dtb)
      Description:  0 Linux kernel, FDT blob
      Kernel:       kernel-1
      FDT:          fdt-nxp_imx_imx7d-colibri-emmc-iris.dtb
      Hash algo:    sha256
      Hash value:   unavailable
      Sign algo:    sha256,rsa2048:dev
      Sign padding: pkcs-1.5
      Sign value:   <omitted>
      Timestamp:    Thu Jan  1 01:00:00 1970
     Configuration 4 (conf-nxp_imx_imx7d-colibri-emmc-iris-v2.dtb)
      Description:  0 Linux kernel, FDT blob
      Kernel:       kernel-1
      FDT:          fdt-nxp_imx_imx7d-colibri-emmc-iris-v2.dtb
      Hash algo:    sha256
      Hash value:   unavailable
      Sign algo:    sha256,rsa2048:dev
      Sign padding: pkcs-1.5
      Sign value:   <omitted>
      Timestamp:    Thu Jan  1 01:00:00 1970
     Configuration 5 (conf-colibri-imx7-emmc-secboot-kargs_overlay.dtbo)
      Description:  0 FDT blob
      Kernel:       unavailable
      FDT:          fdt-colibri-imx7-emmc-secboot-kargs_overlay.dtbo
      Hash algo:    sha256
      Hash value:   unavailable
      Sign algo:    sha256,rsa2048:dev
      Sign padding: pkcs-1.5
      Sign value:   7ccc1c748b7ded3c2b0ba6eb9b55fc84f03ff14a4143b38512dac453d6cd252c79e14da671498e5a26fdbccf8217cf88c9e57c9b196b9678e41137fb8389ebad1955939ecf5097d61b87b470b627343e1ce61b51879a1ab9085db38e9527d1b24d96b5edf96ec93312d0583981249f69799f18a49d5ea4cf87aabd89597309599b0d3dd715e157467b676a2ce46c01f96f04d93a168b02b8ee1acc9856b12500da779261c60679cdd92d601e3f9633d45178b4e59a59876620485ab8f0b85db512055ab9a7d1254ab3cb363f800cb323bc4118940133045f95b86cebfd0ac0b07ef65262c8233256b216c720c02221fe0e2b3ce443bb6148c2db10235711592c
      Timestamp:    Thu Jan  1 01:00:00 1970
     Configuration 6 (conf-colibri-imx7_panel-cap-touch-10inch-lvds_overlay.dtbo)
      Description:  0 FDT blob
      Kernel:       unavailable
      FDT:          fdt-colibri-imx7_panel-cap-touch-10inch-lvds_overlay.dtbo
      Hash algo:    sha256
      Hash value:   unavailable
      Sign algo:    sha256,rsa2048:dev
      Sign padding: pkcs-1.5
      Sign value:   <omitted>
      Timestamp:    Thu Jan  1 01:00:00 1970
     Configuration 7 (conf-colibri-imx7_panel-cap-touch-7inch_adapter_overlay.dtbo)
      Description:  0 FDT blob
      Kernel:       unavailable
      FDT:          fdt-colibri-imx7_panel-cap-touch-7inch_adapter_overlay.dtbo
      Hash algo:    sha256
      Hash value:   unavailable
      Sign algo:    sha256,rsa2048:dev
      Sign padding: pkcs-1.5
      Sign value:   <omitted>
      Timestamp:    Thu Jan  1 01:00:00 1970
     Configuration 8 (conf-colibri-imx7_panel-cap-touch-7inch_overlay.dtbo)
      Description:  0 FDT blob
      Kernel:       unavailable
      FDT:          fdt-colibri-imx7_panel-cap-touch-7inch_overlay.dtbo
      Hash algo:    sha256
      Hash value:   unavailable
      Sign algo:    sha256,rsa2048:dev
      Sign padding: pkcs-1.5
      Sign value:   5c1624c593839120a53f112af7e76f387d8288027f7bba2849bc0dd6ffc3f3ba688b4033c0401584c77d2a3882509166b91aadea9fecc9224b0588c5d7add505600c3aa6ae772eecf852af25d50ca8ea1a6d0886c12fbc71c600fd20b4a051778988cbe932598567a86319cc75b174f62edbe1cc2344b465c10792b76641736fa0b55d339686a8bba2d7d3d50c8870aae5ec9719057bd4f533a9dc92a97a8909a279eb3f85aa1bc13b22619b31e43a09c8dc901c8dfb435468c447e038635b00154973ba043496aff8eb9b9bf378a656d4d82c74493b6c777b957406b791526bee5eb3fdccb7ac2e13e7677ca56916583f43ffd3eb533cec8941f19d664465b0
      Timestamp:    Thu Jan  1 01:00:00 1970
     Configuration 9 (conf-colibri-imx7_panel-res-touch-7inch_overlay.dtbo)
      Description:  0 FDT blob
      Kernel:       unavailable
      FDT:          fdt-colibri-imx7_panel-res-touch-7inch_overlay.dtbo
      Hash algo:    sha256
      Hash value:   unavailable
      Sign algo:    sha256,rsa2048:dev
      Sign padding: pkcs-1.5
      Sign value:   <omitted>
      Timestamp:    Thu Jan  1 01:00:00 1970
     Configuration 10 (conf-colibri-imx7_spidev_overlay.dtbo)
      Description:  0 FDT blob
      Kernel:       unavailable
      FDT:          fdt-colibri-imx7_spidev_overlay.dtbo
      Hash algo:    sha256
      Hash value:   unavailable
      Sign algo:    sha256,rsa2048:dev
      Sign padding: pkcs-1.5
      Sign value:   <omitted>
      Timestamp:    Thu Jan  1 01:00:00 1970
     Configuration 11 (conf-colibri-imx7_vga-640x480_overlay.dtbo)
      Description:  0 FDT blob
      Kernel:       unavailable
      FDT:          fdt-colibri-imx7_vga-640x480_overlay.dtbo
      Hash algo:    sha256
      Hash value:   unavailable
      Sign algo:    sha256,rsa2048:dev
      Sign padding: pkcs-1.5
      Sign value:   <omitted>
      Timestamp:    Thu Jan  1 01:00:00 1970
    
    
  • However, when I boot my device using the Tezi image:

    U-Boot 2024.07-7.3.0-devel+git.3f772959501c (Jan 01 1970 - 00:00:00 +0000)
    
    CPU:   Freescale i.MX7D rev1.3 1000 MHz (running at 792 MHz)
    CPU:   Extended Commercial temperature grade (-20C to 105C) at 42C
    Reset cause: POR
    DRAM:  1 GiB
    Core:  89 devices, 20 uclasses, devicetree: separate
    WDT:   Started watchdog@30280000 with servicing every 1000ms (128s timeout)
    PMIC:  RN5T567 LSIVER=0x01 OTPVER=0x0d
    MMC:   FSL_SDHC: 1, FSL_SDHC: 0
    Loading Environment from MMC... Reading from MMC(0)... OK
    In:    serial
    Out:   serial
    Err:   serial
    Model: Toradex 0039 Colibri iMX7D 1GB V1.1A
    Serial#: 06878220
    SEC0:  RNG instantiated
    Net:   eth0: ethernet@30be0000
    ## U-Boot CLI access is enabled
    Hit any key to stop autoboot:  0
    MMC: no card present
    switch to partitions #0, OK
    mmc0(part 0) is current device
    Scanning mmc 0:1...
    Found U-Boot script /boot.scr
    969 bytes read in 2 ms (472.7 KiB/s)
    ## Executing script at 88280000
    12922 bytes read in 3 ms (4.1 MiB/s)
    ## NOTE: Bootloader seems to support secure boot.
    14 bytes read in 4 ms (2.9 KiB/s)
    22584861 bytes read in 503 ms (42.8 MiB/s)
    ## Loading kernel from FIT Image at 88400000 ...
    Could not find configuration node
    ERROR -2: can't get kernel image!
    SCRIPT FAILED: continuing...
    ## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `usb start`.
    starting USB...
    Bus usb@30b10000: Bus usb@30b20000: USB EHCI 1.00
    scanning bus usb@30b10000 for devices... 1 USB Device(s) found
    scanning bus usb@30b20000 for devices... 1 USB Device(s) found
           scanning usb for storage devices... 0 Storage Device(s) found
    ## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `usb dev 0`.
    
    Device 0: unknown device
    ## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `usb start`.
    ## WARNING: Command execution denied (blocked by category) for `dhcp 0x88280000 boot.scr`.
    ## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `dhcp 0x88280000 boot.scr`.
    Colibri iMX7 #
    
    
  • When trying to boot manually:

    Colibri iMX7 # bootm 0x84200000
    ERROR: can't boot from non-FIT images with hardening enabled.
    Wrong Image Type for bootm command
    ERROR -91: can't get kernel image!
    
    
  • iminfo and some commands are not available (maybe due to the U-Boot hardening?).

  • When I look at the image files from inside U-Boot, the OSTree structure only contains a (seemingly) raw kernel file:

    Colibri iMX7 # ls mmc 0:1 /boot/ostree/torizon-39dee6586876b7e052932427fe655497630bb5e3112275249b091fe03999d830
    ## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `ls mmc 0:1 /boot/ostree/torizon-39dee6586876b7e052932427fe655497630bb5e3112275249b091fe03999d830...`.
    <DIR>       4096 .
    <DIR>       4096 ..
    <DIR>       4096 dtb
            22584861 vmlinuz-6.6.95-7.3.0-devel-00057-g397c0ccb9903
                   0 initramfs-6.6.95-7.3.0-devel-00057-g397c0ccb9903.img
    

What I suspect

  • The FIT image was generated, but somehow the bitbake process is not configured correctly so the Tezi image comes out wrong.

  • Hardened U-Boot blocks raw kernel boot (bootz/bootm without FIT config), and I think some of my connected USB peripherals.


The question

How do I correctly configure secure boot in combination with ostree and a custom device tree?


Hi, I’m the Toradex AI Assistant.

I might make mistakes. Our support team will step in if needed. If I answered your question, please tick the “Solution” checkbox. For follow-up questions to me, please use @ToradexAI in your post.


Secure Boot Configuration with OSTree and Custom Device Tree

Based on your symptoms, you’re encountering the expected behavior of hardened U-Boot which is designed to prevent execution of non-FIT images and restrict certain commands for security(1). The issue appears to be related to configuration rather than fundamental incompatibility.

Understanding the Problem

Your hardened U-Boot is correctly blocking raw kernel execution with the message "ERROR: can't boot from non-FIT images with hardening enabled"(1). This is intentional security behavior where the hardening modifications prevent execution of unsigned software and tampering of the running software(1).

Required Yocto Configuration

For secure boot with Torizon OS 7, you need to use the appropriate BitBake class in your conf/local.conf file(2):

INHERIT += "torizon-signed"

(2)

The torizon-signed class provides Extended Chain of Trust (ECoT) coverage, which includes root filesystem protection through composefs integration(2). This class automatically includes tdx-signed functionality, so you get both Basic Chain of Trust (BCoT) and Extended Chain of Trust (ECoT) protections(2).

Custom Device Tree Integration Limitations

Important limitation: TorizonCore Builder cannot be used with secure boot enabled images(3). As confirmed in the community discussions, TorizonCore Builder was designed to work with standard images and doesn’t yet support FIT images that are signed(3).

For secure boot implementations, all modifications including custom device trees must be done at the Yocto level(3). You cannot use TorizonCore Builder’s device tree functionality when secure boot is enabled.

Root Filesystem Protection Considerations

When using torizon-signed, the root filesystem protection uses composefs, which significantly changes OSTree behavior(2). Most notably, changes to /etc are stored on an overlay and lost upon reboot(2). You may need to configure persistent storage for critical configuration files.

The following variables control composefs behavior(2):

  • CFS_GENERATE_KEYS: enable ("1") or disable ("0") composefs key pair generation at build time. Default value: "1"
  • CFS_SIGN_KEYDIR: directory where the composefs keys are stored. Default value: ${TOPDIR}/keys/ostree
  • CFS_SIGN_KEYNAME: base name of the key files. Default value: cfs-dev

Command Restrictions in Hardened U-Boot

The command restrictions you’re seeing (USB commands being blocked) are part of the command whitelisting feature(1). In closed state, only a small set of commands required for booting plus a few considered safe are permitted(1). This is normal behavior for hardened U-Boot.

Next Steps

  1. Verify your Yocto configuration uses INHERIT += "torizon-signed" in local.conf(2)
  2. Integrate your custom device tree directly into your Yocto build rather than using TorizonCore Builder(3)
  3. Ensure proper HAB/AHAB configuration for your iMX7 platform as described in the meta-toradex-security documentation(2)
  4. Configure FIT image signing as outlined in the meta-toradex-security documentation(2)

The error "Could not find configuration node" suggests the FIT image configuration may not be properly set up for your custom device tree within the secure boot context.

Best regards,
Toradex AI Assistant.

Greetings @jippeheijnen,

I have some initial questions to try and understand your setup better.

  • First of all, what security features have you enabled in your local.conf?
  • Does this issue occur only once you’ve added your customizations? Or does it happen with the default configuration as well?
  • How exactly did you configure the build to use your custom device tree?

That said, I do have a theory on what might have gone wrong. For context, the majority of the boot script logic is contained in a file uEnv.txt. This file should be found at /boot/loader.1, in the OSTree structure.

For FIT images this script should eventually execute a boot command in the form of: bootm ${fitimage_addr_r}#conf-@@KERNEL_DTB_PREFIX@@${fdtfile}${fitconf_fdt_overlays}

Basically it's selecting the correct configuration from the FIT image. In this command KERNEL_DTB_PREFIX should be substituted for the correct value during build time, while the other variables come from either U-Boot or from within uEnv.txt. Could you parse your uEnv.txt file and try to determine the exact bootm command your setup is trying to execute?

Then we can determine, whether it’s trying to execute something sane or not. My guess is that the value of one of the variables is trying to boot the default device tree instead of your custom device tree, causing the issue. For example by default the fdtfile variable which is defined in the U-Boot environment is set to our Colibri evaluation board by default. Did you patch/change this variable in your Yocto build when you started using your own device tree?

Best Regards,
Jeremias

Hi @jeremias.tx, thanks for getting back to me.

The (relevant) contents of my local.conf are the following:

# You can also set it explicitly if you want:
DISTRO ?= "torizon-upstream"

# Required by NXP’s proprietary bits used by Toradex BSP
ACCEPT_FSL_EULA = "1"

# -------------------------------------------------------------------
# Build a FIT kernel and sign it (U-Boot verified boot)
# -------------------------------------------------------------------
# Ensure we produce a FIT kernel image:
KERNEL_CLASSES += " kernel-fitimage"
KERNEL_IMAGETYPE = "fitImage"

# Enable FIT signing and point to your FIT keys (PEM/X.509)
UBOOT_SIGN_ENABLE = "1"
UBOOT_SIGN_KEYNAME = "dev"
# Helpful DTC padding for mkimage? (Yocto’s default example):
UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"

# Sign each image node (kernel, dtb, initramfs) inside the FIT individually:
FIT_SIGN_INDIVIDUAL = "1"
# For quick bring-up only (Yocto generates a throwaway key pair if none is present):
FIT_GENERATE_KEYS = "1"

# Variables for the ComposeFS
CFS_GENERATE_KEYS = "1"
CFS_SIGN_KEYDIR = "${TOPDIR}/keys/ostree"
CFS_SIGN_KEYNAME = "cfs-dev"

# -------------------------------------------------------------------
# Enable HAB (ROM) authentication of U-Boot via Toradex security layer
# -------------------------------------------------------------------
# (meta-toradex-security provides these vars)
TDX_IMX_HAB_ENABLE = "1"

# Where you unpacked NXP CST and generated SRK keys/certs:
TDX_IMX_HAB_CST_CERTS_DIR  = "${TDX_IMX_HAB_CST_DIR}/crts"
TDX_IMX_HAB_CST_CRYPTO     = "rsa"
TDX_IMX_HAB_CST_KEY_SIZE   = "4096"
TDX_IMX_HAB_CST_KEY_EXP    = "65537"
TDX_IMX_HAB_CST_DIG_ALGO   = "sha256"
TDX_IMX_HAB_CST_SRK_CA     = "1"
TDX_IMX_HAB_CST_SRK_INDEX  = "1"

I am aware that some of these are probably unnecessary or redundant, they remained from when I was testing.

Also, the INHERIT += "torizon-signed" was located in my own meta-layer.

At the time of writing, bitbake is compiling an image without my custom meta-layer (containing the device-tree override) so I will get back to you about that when I have an image.

Concerning the uEnv.txt, this seems to be the snippet you are referring to:

bootcmd_boot=if test ${bootscript_debug} != 1; then \
                 if test ${kernel_image_type} = "fitImage"; then \
                     if test -n "${fdtdir}"; then \
                         bootm ${fitimage_addr_r}#conf-nxp_imx_${fdtfile}${fitconf_fdt_overlays} ; \
                     else \
                         bootm ${fitimage_addr_r}#conf-nxp_imx_${fdt_file}${fitconf_fdt_overlays} ; \
                     fi; \
                 else \
                     bootz ${kernel_addr_r} ${ramdisk_addr_r}:${ramdisk_size} ${fdt_addr_r}; \
                 fi; \
             fi || true

The image_type is fitImage (as expected) and all directories seem correct as well.
One thing I did notice is that the dtb folder (torizon-docker-colibri-imx7-emmc.ota.tar.zst/boot/ostree/torizon-<commit>/dtb) only contains an overlays.txt that shows:

fdt_overlays=

maybe this folder should be filled with device trees?

Thanks in advance,
Jippe

Concerning the uEnv.txt, this seems to be the snippet you are referring to:

This snippet is from your custom build with your custom device tree?

If yes, then this doesn’t look correct for booting your device tree. You can see this will try to boot the configuration in your FIT image by the name conf-nxp_imx_${fdtfile}. But, according to your information in your initial post the configuration containing your device tree is named conf-my-custom-device-tree.dtb. Obviously this does not match.

This is the file in its unprocessed form in the meta-layer: meta-toradex-torizon/recipes-bsp/u-boot/u-boot-distro-boot/uEnv.txt.in at scarthgap-7.x.y · torizon/meta-toradex-torizon · GitHub

The KERNEL_DTB_PREFIX associates with the file path in the kernel the device tree is found at. I assume your device tree is being added as a patch, out of tree. Probably then you’d want this value to be blank so it just simplifies to conf-${fdtfile}. Then you would just need to patch/modify the U-Boot variable fdtfile to be my-custom-device-tree.dtb. In this way the boot script should select the correct configuration from your FIT image.

maybe this folder should be filled with device trees?

Yeah that looks incorrect. On a default Torizon OS that directory should contain overlays.txt, several DTB files and then a directory containing device tree overlay binaries. Not sure what happened in this build to cause this but, this would need to be fixed.

Best Regards,
Jeremias
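As an added check (not Toradex's code), the following script mirrors the configuration-name expansion described in the two replies above and reports whether the resulting bootm spec names configurations that exist and are signed in the FIT image, parsing dumpimage -l output of the kind shown in the first post (here a constructed, trimmed sample with one invented unsigned configuration). It assumes fitconf_fdt_overlays expands to one '#conf-<overlay>' item per overlay.

```python
"""Check which FIT configuration the Torizon boot script would select and
whether it exists in the FIT image (added example, not Toradex code)."""
import re

# Constructed excerpt in `dumpimage -l fitImage` format, trimmed to the
# fields this check needs; names follow the thread's real output, but the
# unsigned configuration at the end is invented to show the second check.
SAMPLE_DUMP = """\
FIT description: Kernel fitImage for Torizon OS Upstream/6.6/colibri-imx7-emmc
 Image 0 (kernel-1)
  Type:         Kernel Image
 Image 1 (fdt-my-custom-device-tree.dtb)
  Type:         Flat Device Tree
 Default Configuration: 'conf-my-custom-device-tree.dtb'
 Configuration 0 (conf-my-custom-device-tree.dtb)
  Kernel:       kernel-1
  FDT:          fdt-my-custom-device-tree.dtb
  Sign algo:    sha256,rsa2048:dev
 Configuration 1 (conf-nxp_imx_imx7d-colibri-emmc-eval-v3.dtb)
  Kernel:       kernel-1
  FDT:          fdt-nxp_imx_imx7d-colibri-emmc-eval-v3.dtb
  Sign algo:    sha256,rsa2048:dev
 Configuration 2 (conf-colibri-imx7_spidev_overlay.dtbo)
  Kernel:       unavailable
  FDT:          fdt-colibri-imx7_spidev_overlay.dtbo
  Sign algo:    sha256,rsa2048:dev
 Configuration 3 (conf-unsigned-test.dtb)
  Kernel:       kernel-1
  FDT:          fdt-unsigned-test.dtb
"""

CONF_RE = re.compile(r"^\s*Configuration \d+ \((?P<name>[^)]+)\)\s*$")
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s+(?P<val>.*?)\s*$")


def parse_fit_configs(dump: str) -> dict:
    """Return {configuration name: {field: value}} from dumpimage -l text."""
    configs, current = {}, None
    for line in dump.splitlines():
        m = CONF_RE.match(line)
        if m:
            current = configs.setdefault(m.group("name"), {})
            continue
        if current is None:          # still in the FIT header / Image part
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key").strip()] = m.group("val")
    return configs


def bootm_conf_spec(dtb_prefix: str, fdtfile: str, overlays=()) -> str:
    """Mirror the uEnv.txt expansion
    conf-@@KERNEL_DTB_PREFIX@@${fdtfile}${fitconf_fdt_overlays}.
    Assumption: fitconf_fdt_overlays expands to one '#conf-<overlay>' per
    overlay, the form in which bootm takes extra overlay configurations."""
    spec = f"conf-{dtb_prefix}{fdtfile}"
    return spec + "".join(f"#conf-{o}" for o in overlays)


def check_boot_selection(dump: str, dtb_prefix: str, fdtfile: str,
                         overlays=()) -> dict:
    """Report whether every configuration named by the bootm spec exists
    and carries a signature (hardened U-Boot only boots signed configs)."""
    configs = parse_fit_configs(dump)
    spec = bootm_conf_spec(dtb_prefix, fdtfile, overlays)
    wanted = spec.split("#")
    missing = [c for c in wanted if c not in configs]
    unsigned = [c for c in wanted
                if c in configs and "Sign algo" not in configs[c]]
    return {"spec": spec, "missing": missing, "unsigned": unsigned,
            "ok": not missing and not unsigned, "available": sorted(configs)}


if __name__ == "__main__":
    cases = [
        ("nxp_imx_", "imx7d-colibri-emmc-eval-v3.dtb", ()),   # stock Torizon
        ("nxp_imx_", "my-custom-device-tree.dtb", ()),       # thread's failure
        ("", "my-custom-device-tree.dtb", ("colibri-imx7_spidev_overlay.dtbo",)),
    ]
    for prefix, fdt, ovl in cases:
        r = check_boot_selection(SAMPLE_DUMP, prefix, fdt, ovl)
        status = "OK" if r["ok"] else f"missing={r['missing']} unsigned={r['unsigned']}"
        print(f"bootm ${{fitimage_addr_r}}#{r['spec']}: {status}")
```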

Hi @jeremias.tx,

It's been a while since I looked at this issue, but now I'm back. The problem with the DTB_PREFIX was fixed by placing /nxp/imx in several places. When I do that, however, a new issue arises regarding the HAB secure boot. Below are the changes I made to files in my meta-layer.

// file: custom_dt.dts
#include "/nxp/imx/imx7d-colibri-emmc.dtsi"

# file: colibri-imx7-emmc-extra.conf
KERNEL_DEVICETREE:append = " nxp/imx/custom_dt.dtb"

# file: linux-toradex-upstream_%.bbappend
SRC_URI += " \
	file://custom_dt.dts;subdir=git/arch/arm/boot/dts/nxp/imx \
	"

Now the error is the following:

Colibri iMX7 # hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x00
        0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x2c
        0x00 0x00 0x01 0xb4

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x7f 0xf4 0x20
        0x00 0x00 0x00 0x01

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
        0x00 0x00 0x00 0x00 0x87 0x80 0x00 0x00
        0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
        0xdb 0x00 0x14 0x42 0x33 0x18 0xc0 0xff
        0xbe 0x00 0x0c 0x02 0x09 0x00 0x00 0x01
        0x00 0x00 0x08 0x98

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_SW (0xFF)

Maybe you can help me look in the right direction for this or if you need more information, please let me know.

Jippe

Well this is unexpected. Our default signed builds aren’t showing this issue as far as I know.

As a baseline, if you do a completely unmodified build with no modifications other than enabling secure boot, do you still see these events?

Also have you already programmed some of the fuses on this device?

Generally speaking the error HAB_FAILURE (0x33) suggests that there is a mismatch between the certs used to sign the bootloader binary and what is programmed onto the efuses of the device.

Best Regards,
Jeremias

@jippeheijnen,

Are you using recovery boot when you get those HAB events? Due to DCD usage, images for native boot and recovery boot need to be signed quite differently. Try using native boot (from eMMC, NAND, etc.) instead.

Hi @Edward,

Unfortunately it’s the regular u-boot boot process.

And to answer your earlier question @jeremias.tx, when I disable my custom meta-layer the secure-boot issue goes away and I am able to build a clean 7.3.0 image, so I am guessing it is related to how I am altering my kernel and/or U-Boot recipes. Fuses are not burned yet.

Maybe unrelated, but since I am implementing secure boot at enterprise level, at some point this conversation will cross over into NDA territory. @jeremias.tx Maybe you know a way I can keep this support thread going privately without publishing company secrets. That way I can also go into a lot more detail code wise.

Thanks in advance and looking forward to hearing from you,

Jippe

When I disable my custom meta-layer the secure-boot issue goes away and I am able to build a clean 7.3.0 image, so I am guessing it is related to how I am altering my kernel and or u-boot recipes.

Interesting, yeah that would lead to the conclusion that some customization of yours is somehow causing HAB events to occur. It would have to be something in U-Boot, I imagine, since HAB is just between the fuses/bootrom and the bootloader.

That said I can’t think of a customization that could cause this off the top of my head. Would probably need to examine your meta-layer in detail and run some tests. Though sounds like this stuff is confidential at the moment.

Maybe you know a way I can keep this support thread going privately without publishing company secrets. That way I can also go into a lot more detail code wise.

I would recommend reaching out to your Toradex sales representative regarding getting an NDA in place. Then they can take lead on directing you to the correct support resources to follow-up on this.

Best Regards,
Jeremias

Hi all!

I found out that my keys were unintentionally altered by my automation scripts (Windows/Linux line endings :cry: ). For other users, I would recommend checking SHA sums after creation with CST tooling, and then again just before building with bitbake, just as a precaution to see whether they are still intact.

Closing this thread now, since I have it all working.
Thanks again for all suggestions :slight_smile:
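One way to do the check Jippe recommends, as an added example rather than anything from Toradex or the NXP CST package: record SHA-256 sums of the key directory right after CST generation and re-verify them (also flagging CRLF line endings in PEM files) just before bitbake runs. The CST-style file name, directory layout and PEM body in the demo are constructed.

```python
"""Record and re-verify hashes of CST key material so that silent changes
(e.g. CRLF conversion by a script) are caught before bitbake signs anything.
Added example; not part of Toradex or NXP CST tooling."""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# File patterns CST typically produces under keys/ and crts/
# (assumption: adjust to your own CST layout).
KEY_GLOBS = ("*.pem", "*.der", "*.crt", "*.key", "*.bin")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pem_has_crlf(data: bytes) -> bool:
    """PEM is text, so a CRLF conversion leaves it loadable but changes the
    bytes; for raw DER/binary files the hash comparison is the only signal."""
    return data.startswith(b"-----BEGIN") and b"\r\n" in data


def collect_key_files(keydir) -> list:
    root = Path(keydir)
    found = {p for g in KEY_GLOBS for p in root.rglob(g) if p.is_file()}
    return sorted(found)


def build_manifest(keydir) -> dict:
    """{relative posix path: sha256} for every key/cert file under keydir."""
    root = Path(keydir)
    return {p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
            for p in collect_key_files(root)}


def verify_manifest(keydir, manifest: dict) -> dict:
    """Compare keydir against a manifest taken right after CST generation.
    Empty changed/missing/crlf lists mean the material is intact."""
    root = Path(keydir)
    current = build_manifest(root)
    changed = sorted(n for n, h in manifest.items()
                     if n in current and current[n] != h)
    missing = sorted(n for n in manifest if n not in current)
    crlf = sorted(n for n in current if pem_has_crlf((root / n).read_bytes()))
    return {"changed": changed, "missing": missing, "crlf": crlf,
            "ok": not (changed or missing or crlf)}


def demo() -> dict:
    """Constructed scenario: a CA certificate under crts/ gets CRLF line
    endings between 'record' and 'verify'. Returns the verify result."""
    root = Path(tempfile.mkdtemp(prefix="cst-keys-"))
    (root / "crts").mkdir()
    cert = root / "crts" / "SRK1_sha256_4096_65537_v3_ca_crt.pem"  # CST-style name
    body = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    cert.write_bytes(body)
    manifest = build_manifest(root)                 # taken right after generation
    assert verify_manifest(root, manifest)["ok"]    # intact at this point
    cert.write_bytes(body.replace(b"\n", b"\r\n"))  # what the automation did
    return verify_manifest(root, manifest)


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] in ("record", "verify"):
        keydir, manifest_path = sys.argv[2], Path(sys.argv[3])
        if sys.argv[1] == "record":
            manifest = build_manifest(keydir)
            manifest_path.write_text(json.dumps(manifest, indent=2))
            print(f"recorded {len(manifest)} files")
        else:
            result = verify_manifest(keydir, json.loads(manifest_path.read_text()))
            print(json.dumps(result, indent=2))
            sys.exit(0 if result["ok"] else 1)
    else:
        print(json.dumps(demo(), indent=2))
```

Run `record <keydir> manifest.json` once after CST generation and `verify <keydir> manifest.json` in the build script before bitbake; a non-zero exit stops the build on altered keys.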

I found out that my keys are unintentionally altered by my automation scripts (windows / linux line endings

Oh yup that will certainly do it. I’m glad you were able to figure out what the issue was and thank you for reporting back so we know it wasn’t an issue with our tooling/process itself.

Best Regards,
Jeremias