Hi, I am trying to build a Torizon image with secure boot support.
I was getting an error during the do_patch process of openssh, so I commented out the following line in the openssh_%.bbappend file (just to skip this patch for testing purposes): #FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
After that, the build process fails at do_compile on imx-boot while creating the flash_evk_emmc_fastboot-csf-spl.csf file.
In flash_evk_emmc_fastboot-csf-spl.log the following error is logged:
“Super Root Key table is invalid in file /home/sarthak/cst-3.4.1/crts/SRK_1_2_3_4_table.bin”
I have generated the certificates with the following inputs:
Do you want to use an existing CA key (y/n)?: n
Key type options (confirm targeted device supports desired key type):
Select the key type (possible values: rsa, rsa-pss, ecc)?: rsa
Enter key length in bits for PKI tree: 2048
Enter the digest algorithm to use: sha256
Enter PKI tree duration (years): 10
Do you want the SRK certificates to have the CA flag set? (y/n)?: n
I’m a little confused. In your post you said the error you got was:
In flash_evk_emmc_fastboot-csf-spl.log the following error is logged:
“Super Root Key table is invalid in file /home/sarthak/cst-3.4.1/crts/SRK_1_2_3_4_table.bin”
But, then in the error log you shared it shows a completely different error:
Certificate file name (defined by TDX_IMX_HAB_CST_SRK_CERT) does not match expected pattern - could not determine if CA flag is set.
I see you’re setting TDX_IMX_HAB_CST_SRK_CERT, but you should not set this manually since our layer determines this variable dynamically during build-time. This could be the cause of the error seen in your logs.
Also you should set TDX_IMX_HAB_CST_SRK_CA to 0 since you didn’t set the CA flag in your setup.
Update: I am generating certificates using the AHAB script.
I am a bit confused whether imx8mp supports HAB or AHAB, because I read somewhere that imx8 onwards supports AHAB.
This may be the cause of your issue then, since you’re using the wrong script to generate things for this SoC. Try again following the process for HAB this time and see if that helps your situation.
Thanks for your reply.
I got confused between iMX8x and iMX8MP.
After generating certificates using the HAB script, the image builds successfully.
I am a newbie to secure boot and have the following queries:
Only using SRK keys ( fast boot) will validate fit image or not?
I have uploaded the generated image to the SoM using TEZI, but have not burned the hash to the SoM, and I am getting hab_status as:
Secure boot disabled
HAB Configuration: 0xf0, HAB state: 0x66
No HAB Event Found.
Is this the intended output? If it is, then how will I know whether secure boot is working or not after fusing the hash (as hab_status will be the same)?
After generating certificates using the HAB script, the image builds successfully.
Perfect that’s great to hear!
Only using SRK keys ( fast boot) will validate fit image or not?
I believe you have a misunderstanding here. The FIT image validation feature is completely separate from the SRK keys/HAB functionality. They can be implemented separately or together to form a longer chain of trust.
Is this the intended output? If it is, then how will I know whether secure boot is working or not after fusing the hash (as hab_status will be the same)?
The output of hab_status can depend a bit on the SoC and such. In this case if the SoC detects nothing has been fused it will return no error. Once you fuse your key information however it will start using that information. If you fuse your key information and you get a hab error then something went wrong somewhere. If you fuse your key information and get no hab errors then you can be assured that nothing went wrong. This is why the act of fusing keys is a generally delicate process since these fuses are one-time only and can’t be undone.
If you read this section, then the feature is enabled by default if you have TDX_IMX_HAB_ENABLE and UBOOT_SIGN_ENABLE set while building a Torizon OS image. You can of course override this behavior if you don’t want it enabled.
How can I build to have a complete chain of trust?
This depends, when you say “complete chain of trust”, what do you mean? Chain of trust depends on the use-case and needs of the system. For your system then how much of it do you want secured, and how do you expect it to be secured?
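For reading the hab_status output discussed above, a small check that can be run over a captured U-Boot console log (an added example, not part of the thread or of Toradex's layers). The code tables are the hab_config and hab_state enums from U-Boot's hab.h; the numbered "HAB Event N" header format and the verdict names are assumptions of this example.

```python
import re

# Codes from the hab_config / hab_state enums in U-Boot's hab.h.
HAB_CONFIG = {0x33: "field-return", 0xF0: "open", 0xCC: "closed"}
HAB_STATE = {0x33: "initial", 0x55: "check", 0x66: "non-secure",
             0x99: "trusted", 0xAA: "secure", 0xCC: "fail-soft",
             0xFF: "fail-hard", 0xF0: "none"}

STATUS_RE = re.compile(
    r"HAB Configuration:\s*(0x[0-9a-fA-F]+),\s*HAB state:\s*(0x[0-9a-fA-F]+)")
# Assumed format of a numbered event header; "No HAB Event Found" never matches.
EVENT_RE = re.compile(r"HAB Event\s+\d+")


def check_hab_status(console_text):
    """Summarise captured hab_status output as a dict with a verdict."""
    m = STATUS_RE.search(console_text)
    if m is None:
        return {"verdict": "unparsed"}
    config, state = int(m.group(1), 16), int(m.group(2), 16)
    events = len(EVENT_RE.findall(console_text))
    if events:
        verdict = "hab-events"      # HAB reported an authentication problem
    elif HAB_CONFIG.get(config) == "closed":
        verdict = "closed-clean"    # enforcing, nothing reported
    else:
        verdict = "open-clean"      # not enforcing, nothing reported
    return {"config": HAB_CONFIG.get(config, hex(config)),
            "state": HAB_STATE.get(state, hex(state)),
            "events": events, "verdict": verdict}


# Output quoted in the thread (hash not yet fused).
THREAD_OUTPUT = """Secure boot disabled
HAB Configuration: 0xf0, HAB state: 0x66
No HAB Event Found.
"""

# Constructed sample: same open device, but HAB logged one event.
CONSTRUCTED_EVENT_OUTPUT = """Secure boot disabled
HAB Configuration: 0xf0, HAB state: 0x66
--------- HAB Event 1 -----------------
event data:
"""

if __name__ == "__main__":
    for sample in (THREAD_OUTPUT, CONSTRUCTED_EVENT_OUTPUT):
        print(check_hab_status(sample))
```

The thread's own output decodes to an open configuration in the non-secure state with no events; a "hab-events" verdict is the case to resolve before any further one-time fusing.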
Dear jeremais,
Thanks for your reply and for answering my queries.
By “complete chain of trust” I mean I want to have my container also validated.
As per the Toradex documentation, Toradex does not yet have an implementation for Docker container validation.
mean I want to have my container also validated.
As per the Toradex documentation, Toradex does not yet have an implementation for Docker container validation.
That is correct, this is still a work in progress, so keep an eye out for when new developments occur.
Otherwise, I’m glad I was able to help clarify all this for you.