Torizon Core 7.1.0 build error with tdx-signed

Both Torizon Core 7.0.0 and Torizon Core 7.1.0 fail to build when tdx-signed is declared in local.conf. Builds were successful until 6.8.0. 7.0.0 cannot evaluate secure boot, so please fix this issue ASAP. Please fix it as soon as possible.

local.conf

INHERIT += tdx-signed
CFS_GENERATE_KEYS="1"
CFS_SIGN_KEYDIR="keydir"
CFS_SIGN_KEYNAME="cfs-key"

build command

repo init -u https://git.toradex.com/toradex-manifest.git -b refs/tags/7.1.0 -m torizon/default.xml
repo sync --no-clone-bundle --no-repo-verify
bitbake torizon-docker

error log

ERROR: u-boot-toradex-1_2024.07-r0 do_patch: Applying patch '0001-bootm-don-t-use-HAB-to-authenticate-FIT-image.patch' on target directory '/work/tcbuild/build-torizon/tmp/work/apalis_imx8-tdx-linux/u-boot-toradex/2024.07/git'
CmdError('quilt --quiltrc /work/tcbuild/build-torizon/tmp/work/apalis_imx8-tdx-linux/u-boot-toradex/2024.07/recipe-sysroot-native/etc/quiltrc push', 0, 'stdout: Applying patch 0001-bootm-don-t-use-HAB-to-authenticate-FIT-image.patch
patching file cmd/bootm.c
Hunk #1 FAILED at 125.
1 out of 1 hunk FAILED -- rejects in file cmd/bootm.c
Patch 0001-bootm-don-t-use-HAB-to-authenticate-FIT-image.patch does not apply (enforce with -f)
stderr: ')
ERROR: Logfile of failure stored in: /work/tcbuild/build-torizon/tmp/work/apalis_imx8-tdx-linux/u-boot-toradex/2024.07/temp/log.do_patch.30618
NOTE: recipe u-boot-toradex-1_2024.07-r0: task do_patch: Failed
ERROR: Task (/work/tcbuild/build-torizon/conf/../../layers/meta-toradex-bsp-common/recipes-bsp/u-boot/u-boot-toradex_2024.07.bb:do_patch) failed with exit code '1'

Comment out 0001-bootm-don-t-use-HAB-to-authenticate-FIT-image.patch so that it does not apply.

meta-toradex-security/recipes-bsp/u-boot/u-boot-hab.inc

SRC_URI:append:mx8m-generic-bsp = "${TDX_IMX8M_CSF_ARTIFACTS}"
# TDX_UBOOT_HAB_PATCHES_DOWNSTREAM = "\
# file://0001-bootm-don-t-use-HAB-to-authenticate-FIT-image.patch \
# "
# SRC_URI:append:apalis-imx8 = "${TDX_UBOOT_HAB_PATCHES_DOWNSTREAM}"
# SRC_URI:append:colibri-imx8x = "${TDX_UBOOT_HAB_PATCHES_DOWNSTREAM}"

Another error occurs and the build does not succeed.

another error log

ERROR: u-boot-toradex-1_2024.07-r0 do_patch: QA Issue: Fuzz detected:
Applying patch 0004-toradex-integrate-bootargs-protection-downstream.patch
patching file Kconfig
Hunk #1 succeeded at 762 (offset 14 lines).
Hunk #2 succeeded at 799 (offset 14 lines).
patching file boot/fdt_support.c
Hunk #1 succeeded at 27 with fuzz 2 (offset 4 lines).
Hunk #2 succeeded at 318 (offset 4 lines).
The context lines in the patches can be updated with devtool:
devtool modify u-boot-toradex
devtool finish --force-patch-refresh u-boot-toradex <layer_path>
Don't forget to review changes done by devtool!
Patch log indicates that patches do not apply cleanly. [patch-fuzz]
ERROR: u-boot-toradex-1_2024.07-r0 do_patch: Fatal QA errors were found, failing task.
ERROR: Logfile of failure stored in: /work/tcbuild/build-torizon/tmp/work/apalis_imx8-tdx-linux/u-boot-toradex/2024.07/temp/log.do_patch.24868
NOTE: recipe u-boot-toradex-1_2024.07-r0: task do_patch: Failed
ERROR: Task (/work/tcbuild/build-torizon/conf/../../layers/meta-toradex-bsp-common/recipes-bsp/u-boot/u-boot-toradex_2024.07.bb:do_patch) failed with exit code '1'

Both errors seem to be caused by the fact that Torizon Core 7.0.0 now builds U-Boot v2024.07, but the meta-toradex-security patches have not been updated to apply correctly to v2024.07.

Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!

Hello,

It seems you’re encountering build errors with Torizon Core 7.0.0 and 7.1.0 when using the ‘tdx-signed’ class, which were not present in version 6.8.0. The errors are related to patch application failures in U-Boot, likely due to changes in the U-Boot version used in Torizon Core 7.x.

To address these issues, consider the following steps:

  1. Patch Compatibility: Ensure that the patches applied to U-Boot are compatible with the version being used. The error indicates that the patch 0001-bootm-don-t-use-HAB-to-authenticate-FIT-image.patch is failing. This might be due to changes in the U-Boot source code that make the patch incompatible.

  2. Refreshing Patches: You can try refreshing the patches to ensure they apply cleanly to the new U-Boot version. This involves updating the patch context lines to match the current source code. The devtool command in Yocto can assist with this:

    • Use devtool modify u-boot-toradex to set up a workspace.
    • Apply the patch manually and resolve any conflicts.
    • Use devtool finish --force-patch-refresh u-boot-toradex <layer_path> to update the patch.

  3. Check for Updates: Verify if there are any updates or new patches from Toradex that address these issues. Sometimes, the meta layers are updated to fix such compatibility problems.

  4. Review Configuration: Double-check your local.conf and other configuration files to ensure they are set up correctly for the new version.

By following these steps, you should be able to resolve the patch application errors and successfully build Torizon Core 7.x with Secure Boot enabled.

Best regards,
Toradex AI Assistant

Please, also check if these links can help you solve your problem:

Secure boot using IMX8MP and Mallow board V1.1.

Greetings @access,

I just tried this build using our latest 7.X meta-layers and it succeeded fine on my end without issues. Also if you’re using the composefs (CFS) features then you should be inheriting torizon-signed instead of tdx-signed as documented here: Secure Boot | Toradex Developer Center

Though the most glaring issue, and what I believe is the cause of this, is the fact that your build is using 2024.07 U-Boot for some reason. Based on your logs it appears you are building for the Apalis i.MX8, correct?

If that is true, then the build should be using the downstream 2024.04 U-Boot not the 2024.07, which is used for some of our other modules, but not the Apalis imx8. You can even see what the expected version is for U-Boot per module in our release matrix here: Release Matrix - Kernel/U-Boot Version | Toradex Developer Center

My build I did just now used 2024.04 U-Boot for Apalis imx8, and I didn’t change anything. Did you change something on your side to cause this to happen in your build? For reference we explicitly set the U-Boot version in the machine configuration for Apalis imx8, so I’m not even sure how you would have changed this: apalis-imx8.conf « machine « conf - meta-toradex-nxp.git - Toradex BSP layer, recipes for NXP based modules

Best Regards,
Jeremias

Hello @jeremias.tx

Thank you for your reply and useful links.

Based on your logs it appears you are building for the Apalis i.MX8, correct?

Yes, you are right. I specified apalis-imx8 in MACHINE before building. The build command in my first post was incomplete. I had correctly done the following.

EULA=1 MACHINE=apalis-imx8 source ./setup-environment
bitbake torizon-docker

There was the following setting in our apalis-imx8.conf

PREFERRED_VERSION_u-boot-toradex = "2022.04%"

We had modified apalis-imx8.conf, which may be why we were using an older U-Boot version, even on 7.0.0.

You should review your machine configuration to make sure that the Apalis i.MX8 is using the expected 2024.04 U-Boot version. The patches for U-Boot are version specific, and for the Apalis i.MX8 we assume the version of U-Boot is 2024.04. If the version is anything else, as seems to be the case in your build, then the patches will obviously fail to apply properly as you saw.

Best Regards,
Jeremias

I fixed the PREFERRED_VERSION_u-boot-toradex in apalis-imx8.conf and the build error was resolved. I found the same problem reported here.
Thanks to you I noticed the problem with the configuration file. Thank you very much.
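A small check for the root cause found in this thread, as an added example that is not part of any post here: it reads the PREFERRED_VERSION_u-boot-toradex pin out of a machine conf and compares it with the series the layer patches expect (2024.04 for Apalis i.MX8), and it flags a local.conf that inherits tdx-signed while setting CFS_* keys. The two conf files are constructed samples modelled on the excerpts above, not the real files from the Toradex layers.

```shell
#!/bin/sh
# Constructed sample files, modelled on the excerpts in this thread; they are
# not the real apalis-imx8.conf or local.conf from the Toradex layers.
SAMPLE_MACHINE_CONF=$(mktemp)
cat > "$SAMPLE_MACHINE_CONF" <<'EOF'
# locally modified machine conf, still pinning the old U-Boot series
PREFERRED_VERSION_u-boot-toradex = "2022.04%"
EOF
SAMPLE_LOCAL_CONF=$(mktemp)
cat > "$SAMPLE_LOCAL_CONF" <<'EOF'
INHERIT += tdx-signed
CFS_GENERATE_KEYS="1"
CFS_SIGN_KEYDIR="keydir"
CFS_SIGN_KEYNAME="cfs-key"
EOF

# Print the value assigned to PREFERRED_VERSION_u-boot-toradex in a conf file
# (handles =, ?= and :=); prints nothing if the file does not set it.
uboot_preferred_version() {
    sed -n 's/^[[:space:]]*PREFERRED_VERSION_u-boot-toradex[[:space:]]*[?:]\{0,1\}=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Return 0 when the conf pins the U-Boot series the layer patches expect
# (2024.04 for Apalis i.MX8 per the reply above), 1 otherwise.
check_uboot_version() {
    conf=$1; expected=$2
    actual=$(uboot_preferred_version "$conf")
    [ -n "$actual" ] || actual=unset
    case "$actual" in
        "$expected"*) echo "ok: $conf pins u-boot-toradex $actual"; return 0 ;;
        *) echo "mismatch: $conf pins u-boot-toradex '$actual', expected $expected; the meta-toradex-security U-Boot patches are version specific and will fail in do_patch" >&2; return 1 ;;
    esac
}

# Return 1 when local.conf inherits tdx-signed but also sets CFS_* keys; the
# reply above says composefs builds should inherit torizon-signed instead.
check_signed_class() {
    if grep -Eq '^[[:space:]]*INHERIT[[:space:]]*\+=[[:space:]]*"?tdx-signed' "$1" \
       && grep -Eq '^[[:space:]]*CFS_[A-Z_]+[[:space:]]*=' "$1"; then
        echo "warn: $1 inherits tdx-signed with CFS_* settings; use torizon-signed for composefs" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed samples (both are expected to flag).
check_uboot_version "$SAMPLE_MACHINE_CONF" 2024.04 || true
check_signed_class "$SAMPLE_LOCAL_CONF" || true
```

In a real tree, point the functions at conf/machine/apalis-imx8.conf in your copy of meta-toradex-nxp and at build/conf/local.conf; `bitbake -e u-boot-toradex | grep ^PREFERRED_VERSION` shows the value BitBake finally resolved.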

Glad I was able to assist.