torizonCore-builder image fails to boot; torizon-docker-verdin-imx8mp-Tezi_7.6.0+build.36

Hello,

I am currently trying to build our image with the new quarterly release of torizon-docker-verdin-imx8mp-Tezi_7.6.0+build.36 in TCB.

The problem is that as soon as I add the device-tree to the customization options, the boot of the module stalls on booting the kernel.

U-Boot 2024.07-7.6.0+git.3f772959501c (Jan 01 1970 - 00:00:00 +0000)

CPU:   Freescale i.MX8MP[6] rev1.1 1600 MHz (running at 1200 MHz)
CPU:   Industrial temperature grade (-40C to 105C) at 68C
Reset cause: POR
DRAM:  2 GiB
Core:  173 devices, 32 uclasses, devicetree: separate
WDT:   Started watchdog@30280000 with servicing every 1000ms (60s timeout)
MMC:   FSL_SDHC: 1, FSL_SDHC: 2
Loading Environment from MMC… Reading from MMC(2)… OK
In:    serial@30880000
Out:   serial@30880000
Err:   serial@30880000
Model: Toradex 0064 Verdin iMX8M Plus Quad 2GB WB IT V1.1A
Serial#: 15592738
Carrier: Toradex Verdin Development Board V1.1B, Serial# 10893443
SEC0:  RNG instantiated
Setting variant to wifi
Net:   eth1: ethernet@30be0000, eth0: ethernet@30bf0000 [PRIME]

U-Boot CLI access is enabled

Hit any key to stop autoboot:  0
MMC: no card present
switch to partitions #0, OK
mmc2(part 0) is current device
Scanning mmc 2:1…
Found U-Boot script /boot.scr
970 bytes read in 1 ms (947.3 KiB/s)

Executing script at 50280000

Saving Environment to MMC… Writing to MMC(2)… OK
12844 bytes read in 3 ms (4.1 MiB/s)

NOTE: Bootloader seems to support secure boot.

Saving Environment to MMC… Writing to MMC(2)… OK
14 bytes read in 2 ms (6.8 KiB/s)
25971172 bytes read in 87 ms (284.7 MiB/s)

Loading kernel from FIT Image at 50300000 …

Using 'conf-freescale_imx8mp-verdin-wifi-dev.dtb' configuration
Verifying Hash Integrity … sha256,rsa2048:dev-  error!
Can't get hash value property for '' hash node in 'conf-freescale_imx8mp-v
Failed to verify required signature 'key-dev'
Bad Data Hash
ERROR -2: can't get kernel image!
SCRIPT FAILED: continuing…

WARNING: Command execution WOULD BE DENIED in closed state (blocked by catego

starting USB…
Bus usb@38200000: Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.10
scanning bus usb@38200000 for devices… 5 USB Device(s) found
scanning usb for storage devices… 1 Storage Device(s) found

WARNING: Command execution WOULD BE DENIED in closed state (blocked by catego

PCIE-0: Link down

WARNING: Command execution denied (blocked by category) for `dhcp 0x50280000

WARNING: Command execution WOULD BE DENIED in closed state (blocked by catego

For my tests I’ve downloaded the current downstream-kernel and used the imx8mp-verdin-wifi-dev.dts device-tree.

My tcbuild.yml:

# >> The input section specifies the image to be taken as the base for the
# >> customization.
input:
  easy-installer:
    local: images/base/torizon-docker-verdin-imx8mp-Tezi_7.6.0+build.36.tar

# >> The customization section defines the modifications to be applied to get
# >> the desired output image.
customization:
  device-tree:
    include-dirs:
      - linux/toradex_6.6-2.2.x-imx/linux/include
    custom: linux/toradex_6.6-2.2.x-imx/linux/arch/arm64/boot/dts/freescale/imx8mp-verdin-wifi-dev.dts

# >> The output section defines properties of the output image.
output:
  easy-installer:
    local: images/output/torizon-docker-verdin-imx8mp-Tezi_7.6.0+build.36_dt-basic
    name: 7.6.0.36_dt-basic
    accept-licence: true
    autoinstall: true
    autoreboot: true

Were there changes from 7.5.0 to 7.6.0 which might lead to this problem?
Since a fresh build with torizon-docker-verdin-imx8mp-Tezi_7.5.0+build.30.tar starts normally.

Best regards

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.


Issue Analysis

The boot failure you’re experiencing appears to be related to signature verification errors in the Secure Boot implementation. The error message shows:

Verifying Hash Integrity … sha256,rsa2048:dev-  error!
Can't get hash value property for '' hash node in 'conf-freescale_imx8mp-v
Failed to verify required signature 'key-dev'
Bad Data Hash
ERROR -2: can't get kernel image!

This indicates that the custom device tree you’re adding is triggering signature verification issues with the kernel FIT image(1).

Secure Boot Changes in Torizon OS 7.6.0

According to the documentation, Torizon OS 7.6.0 includes enhanced Secure Boot features. The error message "NOTE: Bootloader seems to support secure boot" suggests that your Verdin iMX8M Plus module has Secure Boot capabilities enabled(1).

When you customize the device tree using TorizonCore Builder, the kernel artifacts are signed and validated as part of the Basic Chain of Trust (BCoT) implementation(1). The signature verification failure indicates that your custom device tree modification is causing the kernel FIT image signature to become invalid.

Recommended Solution

Instead of using a custom device tree file directly, I recommend using device tree overlays, which are specifically designed for this type of customization and work properly with Secure Boot(2).

Here’s how to modify your tcbuild.yml:

# >> The input section specifies the image to be taken as the base for the
# >> customization.
input:
  easy-installer:
    local: images/base/torizon-docker-verdin-imx8mp-Tezi_7.6.0+build.36.tar

# >> The customization section defines the modifications to be applied to get
# >> the desired output image.
customization:
  device-tree:
    include-dirs:
      - device-trees/include/
    overlays:
      add:
        - path/to/your-custom-overlay.dts

# >> The output section defines properties of the output image.
output:
  easy-installer:
    local: images/output/torizon-docker-verdin-imx8mp-Tezi_7.6.0+build.36_dt-overlay
    name: 7.6.0.36_dt-overlay
    accept-licence: true
    autoinstall: true
    autoreboot: true

Alternative Approach

If you need to use a custom device tree, you can clone the device tree overlays repository and work with the provided device tree sources(2):

$ git clone -b toradex_6.6-2.2.x-imx git://git.toradex.com/linux-toradex.git linux
$ git clone -b toradex_6.6-2.2.x-imx git://git.toradex.com/device-tree-overlays.git device-trees

Then create an overlay based on your specific requirements rather than replacing the entire device tree(3).

Why This Works

Device tree overlays are supported with Secure Boot and don’t require re-signing the entire kernel FIT image(1). The TorizonCore Builder can properly handle overlay compilation and integration while maintaining the signature verification requirements(4).

The difference between 7.5.0 and 7.6.0 is likely the enhanced Secure Boot implementation that’s more strictly enforcing signature verification on custom device trees.

Best regards, Toradex AI Assistant.


Greetings @aigF,

I think I know the issue. Looking at your boot logs it seems this image was signed and built for secure boot. So doing a change of the device tree without re-signing the image would cause this issue you are seeing.

Did you intend to use a signed image? Or did you download an image from here: Download Links | Toradex Developer Center

I see the link for the Verdin i.MX8M Plus is erroneously pointing to signed images instead of our usual standard images. If you intended to use a standard Torizon OS image, then try again with this instead: https://tezi.toradex.com/artifactory/torizoncore-oe-prod-frankfurt/scarthgap-7.x.y/release/36/verdin-imx8mp/torizon/torizon-docker/oedeploy/torizon-docker-verdin-imx8mp-Tezi_7.6.0+build.36.tar

Meanwhile I’ll report this to our team to correct the download link.

Best Regards,
Jeremias

1 Like
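
Added example (not part of any post in this thread, and not Toradex code): a small Python triage of a U-Boot console log for the evidence Jeremias points to above, that is, secure-boot indicators together with a failed required FIT signature. The function name triage, the rule names and the sample log (selected lines from the question, with the forum's typographic quotes left in) are assumptions made for this illustration.

```python
import re

# Forum-pasted console logs often carry typographic quotes; normalise them first.
QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'"})

# Rule names are hypothetical; the matched strings come from the log in this thread.
RULES = {
    "secure_boot_note": re.compile(r"Bootloader seems to support secure boot"),
    "closed_state_warning": re.compile(r"WOULD BE DENIED in closed state"),
    "fit_config": re.compile(r"Using '([^']+)' configuration"),
    "sig_error": re.compile(r"Verifying Hash Integrity.*?(\w+,\w+):(\S*)\s+error!"),
    "required_key": re.compile(r"Failed to verify required signature '([^']+)'"),
    "kernel_load_failed": re.compile(r"ERROR -?\d+: can't get kernel image"),
}

def triage(log_text):
    """Summarise FIT signature-verification evidence in a U-Boot console log."""
    hits = {name: [] for name in RULES}
    for line in log_text.translate(QUOTES).splitlines():
        for name, rx in RULES.items():
            m = rx.search(line)
            if m:
                hits[name].append(m.groups())

    def first(name, i=0):
        return hits[name][0][i] if hits[name] else None

    key_hint = first("sig_error", 1)
    return {
        "secure_boot_indicators": len(hits["secure_boot_note"]) + len(hits["closed_state_warning"]),
        "fit_config": first("fit_config"),
        "algo": first("sig_error"),
        # The status character printed after the key hint is stripped.
        "key_hint": key_hint.rstrip("+-") if key_hint else None,
        "required_key": first("required_key"),
        # Requires both a failed required signature and a kernel load error.
        "fit_verification_failed": bool(hits["required_key"] and hits["kernel_load_failed"]),
    }

# Constructed sample: selected lines from the boot log in the question above.
SAMPLE_LOG = """\
NOTE: Bootloader seems to support secure boot.
Using ‘conf-freescale_imx8mp-verdin-wifi-dev.dtb’ configuration
Verifying Hash Integrity … sha256,rsa2048:dev-  error!
Failed to verify required signature ‘key-dev’
ERROR -2: can’t get kernel image!
WARNING: Command execution WOULD BE DENIED in closed state (blocked by catego
"""

if __name__ == "__main__":
    for field, value in triage(SAMPLE_LOG).items():
        print(f"{field}: {value}")
```

A log with fit_verification_failed set and a non-zero secure_boot_indicators count is the pattern seen here: a signed base image whose contents were changed without re-signing.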

No, it was not my intention to use the signed build.
Changing to the unsigned image seems to work.

Thank you

Glad we were able to help.

Best Regards,
Jeremias