U-boot with CONFIG_SECURE_BOOT enabled fails to build

Hello.

I would like to build U-Boot for Colibri iMX6DL module with the CONFIG_SECURE_BOOT option enabled. If I build (source obtained with the “git clone -b 2016.11-toradex git://git.toradex.com/u-boot-toradex.git” command) with the default config (colibri_imx6_defconfig) there are no problems, but when I add “#define CONFIG_SECURE_BOOT” to the “.include/configs/colibri_imx6.h” file, I get the following error messages:

...
  LD      spl/u-boot-spl
arch/arm/imx-common/built-in.o: In function `is_hab_enabled':
/home/.../u-boot-toradex/arch/arm/imx-common/hab.c:267: undefined reference to `fuse_read'
arch/arm/imx-common/built-in.o: In function `blob_encap_dek':
/home/.../u-boot-toradex/arch/arm/imx-common/cmd_dek.c:37: undefined reference to `sec_init'
/home/.../u-boot-toradex/arch/arm/imx-common/cmd_dek.c:46: undefined reference to `blob_dek'
scripts/Makefile.spl:288: recipe for target 'spl/u-boot-spl' failed
make[1]: *** [spl/u-boot-spl] Error 1
Makefile:1346: recipe for target 'spl/u-boot-spl' failed
make: *** [spl/u-boot-spl] Error 2

How should I proceed to be able to build with this configuration?
Should I replace/add some source files to get proper source code for “fuse_read”, “sec_init”, “blob_dek” functions?

Greetings @user622190,

Adding “#define CONFIG_SECURE_BOOT” to the board configuration header is only valid on older U-Boot versions, V2016.09 and older.

On newer U-Boot versions, like our 2016.11 branch and onward, you instead want to add “CONFIG_SECURE_BOOT=y” to the appropriate defconfig. In your case it would be the “colibri_imx6_defconfig” file.

Try this instead and let me know if the compile error persists or not.

Best Regards,
Jeremias

Hello.

Thank you for answering my question.

I’ve used “#define…” because I’ve followed the description in the “…/doc/README.mxc_hab” file. I’ve already tried with “CONFIG_SECURE_BOOT=y” added to the “…/configs/colibri_imx6_defconfig” file (and without “#define…” in the “…/include/configs/colibri_imx6.h” file) but I got the same errors on build.

Then I’ve also tried to use “colibri_imx6_nospl_defconfig” (with “CONFIG_SECURE_BOOT=y” added) configuration and the build finished without errors.
Is that because u-boot with SPL is not compatible with the secure-boot feature? Should I proceed and try to flash the “no-SPL” u-boot version to the Colibri module?

There is another problem with “nospl” build - when I run “./tools/mkimage -l u-boot.imx” command there is no “HAB Blocks: …” output, only this:

Image Type:   Freescale IMX Boot Image
Image Ver:    2 (i.MX53/6/7 compatible)
Mode:         DCD
Data Size:    712704 Bytes = 696.00 kB = 0.68 MB
Load Address: 177ff420
Entry Point:  17800000

The same output (no HAB info) is from the newer mkimage version “2019.07+dfsg-1ubuntu4~18.04.1”. How can I get this “HAB Blocks” info?

I’ve prepared a separate build for Linux 3.0 version:

  • gcc-arm-8.2-2019.01-x86_64-arm-linux-gnueabihf
  • “git clone -b toradex_2019.07 git://git.toradex.com/u-boot-toradex.git”
  • “make colibri_imx6_defconfig” (with “CONFIG_SECURE_BOOT=y” added to “…/configs/colibri_imx6_defconfig”).

And now I get these errors when I try to build with the “make -j3 2>&1 | tee build.log” command:

arch/arm/mach-imx/built-in.o: In function `blob_encap_dek':
/.../u-boot-toradex/arch/arm/mach-imx/cmd_dek.c:34: undefined reference to `sec_init'
drivers/built-in.o: In function `blob_dek':
/.../u-boot-toradex/drivers/crypto/fsl/fsl_blob.c:162: undefined reference to `inline_cnstr_jobdesc_blob_dek'
/.../u-boot-toradex/drivers/crypto/fsl/fsl_blob.c:174: undefined reference to `run_descriptor_jr'
Makefile:1567: recipe for target 'u-boot' failed
make: *** [u-boot] Error 1

Am I doing something wrong here?

I’ve made another try with different configuration:

  • run “make clean”;
  • removed “CONFIG_SECURE_BOOT=y” from “colibri_imx6_defconfig”;
  • run “make colibri_imx6_defconfig”;
  • run “make menuconfig” and select “ARM architecture - Support i.MX HAB features”;
  • run “make V=1”;

Now the build finished without errors, and with these results:

“SPL.log”

Image Type:   Freescale IMX Boot Image
Image Ver:    2 (i.MX53/6/7 compatible)
Mode:         DCD
Data Size:    65536 Bytes = 64.00 KiB = 0.06 MiB
Load Address: 00907420
Entry Point:  00908000
HAB Blocks:   0x00907400 0x00000000 0x0000bc00
DCD Blocks:   0x00910000 0x0000002c 0x00000004

“u-boot-ivt.img.log”

Image Name:   U-Boot 2019.07-00012-g26d926eda0
Created:      Mon Apr 27 15:09:55 2020
Image Type:   ARM U-Boot Firmware with HABv4 IVT (uncompressed)
Data Size:    499648 Bytes = 487.94 KiB = 0.48 MiB
Load Address: 17800000
Entry Point:  00000000
HAB Blocks:   0x177fffc0   0x0000   0x00078020

So it looks like I’m ready to continue with the NXP Code-Signing-Tool and then flashing the module.

Unfortunately the same approach (with the “make menuconfig” command) does not work for u-boot from the Linux 2.7 version. There are still the same build errors.

Thank you for confirming the issue on your side.

I guess I’m going to try switching to Linux BSP 3.0 and to enable secure-boot support with it.

@user622190

I was able to confirm your results on my side as well. After some investigating, it seems our older 2016.11 U-Boot has some issues with HAB and SPL. This is probably due to the age of this branch, and also we don’t test HAB functionality with our BSP much, if at all.

As for the 2019.07 U-Boot, the reason the build works when using menuconfig is that enabling CONFIG_SECURE_BOOT via menuconfig also adds the following configs:

CONFIG_SYS_FSL_HAS_SEC=y
CONFIG_SYS_FSL_SEC_COMPAT=4

Which I guess are required for successful compilation.

Moving on, is your issue solved? Is it acceptable for you to work on the 3.0 BSP or did you really need this to work on the 2.7/2.8 BSP?

Best Regards,
Jeremias
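
The two checks this thread ends up doing by hand, written as an added example (not part of the original posts and not Toradex code): confirm that a generated .config with CONFIG_SECURE_BOOT=y also carries the two symbols menuconfig was reported to add, and confirm that saved “mkimage -l” output has a “HAB Blocks” line before moving on to signing. The function names are hypothetical and the sample inputs are constructed from the outputs quoted above.

```shell
#!/bin/sh
# Added example: function names are hypothetical; CONFIG_* names are the
# ones quoted in the thread. Sample inputs in demo() are constructed.

# check_hab_config FILE
# Returns 0 if CONFIG_SECURE_BOOT=y and both SEC symbols are present,
# 1 if secure boot is on but a symbol is missing, 2 if secure boot is off.
check_hab_config() {
    cfg=$1
    grep -q '^CONFIG_SECURE_BOOT=y$' "$cfg" ||
        { echo "$cfg: CONFIG_SECURE_BOOT not enabled"; return 2; }
    missing=0
    grep -q '^CONFIG_SYS_FSL_HAS_SEC=y$' "$cfg" ||
        { echo "$cfg: missing CONFIG_SYS_FSL_HAS_SEC=y"; missing=1; }
    grep -q '^CONFIG_SYS_FSL_SEC_COMPAT=[0-9][0-9]*$' "$cfg" ||
        { echo "$cfg: missing CONFIG_SYS_FSL_SEC_COMPAT"; missing=1; }
    return $missing
}

# hab_blocks FILE
# Prints "address offset length" from the "HAB Blocks:" line of saved
# `mkimage -l` output; returns 1 when the image reports no such line.
hab_blocks() {
    awk '/^HAB Blocks:/ { print $3, $4, $5; found = 1 }
         END { exit !found }' "$1"
}

demo() {
    d=$(mktemp -d)
    # Constructed .config fragments: defconfig-only edit vs. menuconfig result.
    printf '%s\n' 'CONFIG_SECURE_BOOT=y' > "$d/defconfig-only.config"
    printf '%s\n' 'CONFIG_SECURE_BOOT=y' 'CONFIG_SYS_FSL_HAS_SEC=y' \
        'CONFIG_SYS_FSL_SEC_COMPAT=4' > "$d/menuconfig.config"
    # Constructed mkimage -l excerpts: with and without a HAB Blocks line.
    printf '%s\n' 'Load Address: 17800000' \
        'HAB Blocks:   0x177fffc0   0x0000   0x00078020' > "$d/ivt.log"
    printf '%s\n' 'Mode:         DCD' 'Load Address: 177ff420' > "$d/nospl.log"
    for c in "$d"/*.config; do
        check_hab_config "$c" && echo "$c: HAB config consistent"
    done
    for l in "$d"/*.log; do
        hab_blocks "$l" || echo "$l: no HAB Blocks line in mkimage output"
    done
    rm -rf "$d"
}
demo
```

Run the config check against the .config in the build directory after “make colibri_imx6_defconfig”, so that it sees the resolved configuration rather than the defconfig file.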