[U-Boot] u-boot hangs after enabling secured boot : gumstix-overo
Hi All,
I was trying to enable the secured boot in u-boot for gumstix overo storm.
based on http://www.denx-cs.de/doku/?q=m28verifiedboot
After I prepared by SD cards, u-boot is not able to boot and gives the below error message.
U-Boot SPL 2015.07 (Apr 28 2016 - 13:53:06) SPL: Please implement spl_start_uboot() for your board SPL: Direct Linux boot not active! reading u-boot.img spl_load_image_fat: error reading image u-boot.img, err - -1 SPL: Please implement spl_start_uboot() for your board SPL: Direct Linux boot not active! Failed to mount ext2 filesystem... spl_load_image_ext: ext4fs mount err - 0
================
This is the u-boot.dts file that I am using.
/dts-v1/;
/ { model = "Keys";
signature { key-dev { required = "conf"; algo = "sha1,rsa2048"; key-name-hint = "my_key"; }; }; };
compilation using : dtc -p 0x1000 /work/u-boot.dts -O dtb -o /work/u-boot.dtb
And these are the conf that I have added to include/configs/omap3_overo.h
#define CONFIG_OF_CONTROL #define CONFIG_OF_SEPARATE #define CONFIG_FIT #define CONFIG_FIT_SIGNATURE #define CONFIG_RSA #define CONFIG_FIT_VERBOSE
and I am compiling u-boot by using below line :
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- EXT_DTB=/work/u-boot.dtb all -j4
Please let me know if you have any ideas on how to debug this issue.
Thanks & Regards, Arun
Hi Arun,
On 28 April 2016 at 14:48, Arun Kuttiyara Varghese arunkuttiyara@gmail.com wrote:
Hi All,
I was trying to enable the secured boot in u-boot for gumstix overo storm.
based on http://www.denx-cs.de/doku/?q=m28verifiedboot
After I prepared by SD cards, u-boot is not able to boot and gives the below error message.
U-Boot SPL 2015.07 (Apr 28 2016 - 13:53:06) SPL: Please implement spl_start_uboot() for your board
This seems to be implemented for pepper, so to avoid this warning you could add this function for your board. .
SPL: Direct Linux boot not active! reading u-boot.img spl_load_image_fat: error reading image u-boot.img, err - -1 SPL: Please implement spl_start_uboot() for your board SPL: Direct Linux boot not active! Failed to mount ext2 filesystem... spl_load_image_ext: ext4fs mount err - 0
================
This is the u-boot.dts file that I am using.
/dts-v1/;
/ { model = "Keys";
signature { key-dev { required = "conf"; algo = "sha1,rsa2048"; key-name-hint = "my_key"; }; };};
compilation using : dtc -p 0x1000 /work/u-boot.dts -O dtb -o /work/u-boot.dtb
And these are the conf that I have added to include/configs/omap3_overo.h
#define CONFIG_OF_CONTROL #define CONFIG_OF_SEPARATE #define CONFIG_FIT #define CONFIG_FIT_SIGNATURE #define CONFIG_RSA #define CONFIG_FIT_VERBOSE
These are in Kconfig now, so you should add them to configs/omap3_overo_defconfig.
I'm not sure what is wrong, but those two things might help.
and I am compiling u-boot by using below line :
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- EXT_DTB=/work/u-boot.dtb all -j4
Please let me know if you have any ideas on how to debug this issue.
Thanks & Regards, Arun
Regards, Simon
Hi Simon,
Thanks for the help.
There is an update.
I experimented with the two options.
Option 1 =====
Like you mentioned, I tried putting all the RSA boot options to configs/omap3_overo_defconfig. but surprisingly, the board was not able to boot. it stucks after printing one line of junk characters.
So I think, putting definitions in include/configs/omap3_overo.h is also fine ?
Option 2 ====
1. changed u-boot-dtb.img name to u-boot.img . 2. then board is able to boot, but gives the below message when I tried to use bootm.
Overo # ## Loading kernel from FIT Image at 82000000 ... Using 'conf@1' configuration Verifying Hash Integrity ... sha1,rsa2048:my_keyRSA: Can't find Modular Exp implementation RSA: Can't find Modular Exp implementation - Failed to verify required signature 'key-my_key' Bad Data Hash ERROR: can't get kernel image! Overo #
As mentioned in doc/uImage.FIT/beaglebone_vboot.txt, I tried the script - tools/fit_check_sign, and its output is normal. Able to verify the signature.
So still dont know, what is the exact issue, why I am getting the above error message. I searched for UCLASS_MOD_EXP, /* RSA Mod Exp device */, but couldn't get much info.
What is RSA Mod Exp device and how to make sure that I have that ?
Any input to debugging will be greatly helpful.
Thanks & Regards, Arun
On Sun, May 1, 2016 at 2:55 PM, Simon Glass sjg@chromium.org wrote:
Hi Arun,
On 28 April 2016 at 14:48, Arun Kuttiyara Varghese arunkuttiyara@gmail.com wrote:
Hi All,
I was trying to enable the secured boot in u-boot for gumstix overo
storm.
based on http://www.denx-cs.de/doku/?q=m28verifiedboot
After I prepared by SD cards, u-boot is not able to boot and gives the below error message.
U-Boot SPL 2015.07 (Apr 28 2016 - 13:53:06) SPL: Please implement spl_start_uboot() for your board
This seems to be implemented for pepper, so to avoid this warning you could add this function for your board. .
SPL: Direct Linux boot not active! reading u-boot.img spl_load_image_fat: error reading image u-boot.img, err - -1 SPL: Please implement spl_start_uboot() for your board SPL: Direct Linux boot not active! Failed to mount ext2 filesystem... spl_load_image_ext: ext4fs mount err - 0
================
This is the u-boot.dts file that I am using.
/dts-v1/;
/ { model = "Keys";
signature { key-dev { required = "conf"; algo = "sha1,rsa2048"; key-name-hint = "my_key"; }; };};
compilation using : dtc -p 0x1000 /work/u-boot.dts -O dtb -o /work/u-boot.dtb
And these are the conf that I have added to include/configs/omap3_overo.h
#define CONFIG_OF_CONTROL #define CONFIG_OF_SEPARATE #define CONFIG_FIT #define CONFIG_FIT_SIGNATURE #define CONFIG_RSA #define CONFIG_FIT_VERBOSE
These are in Kconfig now, so you should add them to configs/omap3_overo_defconfig.
I'm not sure what is wrong, but those two things might help.
and I am compiling u-boot by using below line :
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- EXT_DTB=/work/u-boot.dtb
all
-j4
Please let me know if you have any ideas on how to debug this issue.
Thanks & Regards, Arun
Regards, Simon
Hi Arun,
On 3 May 2016 at 19:50, Arun Kuttiyara Varghese arunkuttiyara@gmail.com wrote:
Hi Simon,
Thanks for the help.
There is an update.
I experimented with the two options.
Option 1
Like you mentioned, I tried putting all the RSA boot options to configs/omap3_overo_defconfig. but surprisingly, the board was not able to boot. it stucks after printing one line of junk characters.
So I think, putting definitions in include/configs/omap3_overo.h is also fine ?
Not if it is in Kconfig. That sounds like a separate problem. But i"m not sure what.
Option 2
- changed u-boot-dtb.img name to u-boot.img .
- then board is able to boot, but gives the below message when I tried to
use bootm.
Overo # ## Loading kernel from FIT Image at 82000000 ... Using 'conf@1' configuration Verifying Hash Integrity ... sha1,rsa2048:my_keyRSA: Can't find Modular Exp implementation RSA: Can't find Modular Exp implementation
- Failed to verify required signature 'key-my_key'
Bad Data Hash ERROR: can't get kernel image! Overo #
If you grep for that message you see:
ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev); if (ret) { printf("RSA: Can't find Modular Exp implementation\n"); return -EINVAL; }
It is trying to find that uclass. Assuming that you have driver model enabled (CONFIG_DM), I wonder if you have CONFIG_RSA_SOFTWARE_EXP enabled? Unfortunately it looks like you have to do that manually as the option is not in Kconfig.
It is a driver for modular exponentiation, used for RSA. Some chips include hardware acceleration, but there is a software driver as a fallback.
As mentioned in doc/uImage.FIT/beaglebone_vboot.txt, I tried the script - tools/fit_check_sign, and its output is normal. Able to verify the signature.
So still dont know, what is the exact issue, why I am getting the above error message. I searched for UCLASS_MOD_EXP, /* RSA Mod Exp device */, but couldn't get much info.
What is RSA Mod Exp device and how to make sure that I have that ?
Any input to debugging will be greatly helpful.
Thanks & Regards, Arun
Regards, Simon
On Sun, May 1, 2016 at 2:55 PM, Simon Glass sjg@chromium.org wrote:
Hi Arun,
On 28 April 2016 at 14:48, Arun Kuttiyara Varghese arunkuttiyara@gmail.com wrote:
Hi All,
I was trying to enable the secured boot in u-boot for gumstix overo storm.
based on http://www.denx-cs.de/doku/?q=m28verifiedboot
After I prepared by SD cards, u-boot is not able to boot and gives the below error message.
U-Boot SPL 2015.07 (Apr 28 2016 - 13:53:06) SPL: Please implement spl_start_uboot() for your board
This seems to be implemented for pepper, so to avoid this warning you could add this function for your board. .
SPL: Direct Linux boot not active! reading u-boot.img spl_load_image_fat: error reading image u-boot.img, err - -1 SPL: Please implement spl_start_uboot() for your board SPL: Direct Linux boot not active! Failed to mount ext2 filesystem... spl_load_image_ext: ext4fs mount err - 0
================
This is the u-boot.dts file that I am using.
/dts-v1/;
/ { model = "Keys";
signature { key-dev { required = "conf"; algo = "sha1,rsa2048"; key-name-hint = "my_key"; }; };};
compilation using : dtc -p 0x1000 /work/u-boot.dts -O dtb -o /work/u-boot.dtb
And these are the conf that I have added to include/configs/omap3_overo.h
#define CONFIG_OF_CONTROL #define CONFIG_OF_SEPARATE #define CONFIG_FIT #define CONFIG_FIT_SIGNATURE #define CONFIG_RSA #define CONFIG_FIT_VERBOSE
These are in Kconfig now, so you should add them to configs/omap3_overo_defconfig.
I'm not sure what is wrong, but those two things might help.
and I am compiling u-boot by using below line :
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- EXT_DTB=/work/u-boot.dtb all -j4
Please let me know if you have any ideas on how to debug this issue.
Thanks & Regards, Arun
Regards, Simon
Hi Simon,
Thanks a lot for your help.
I was experimenting with few options : finally I got a working combination.
I added below options in configs/omap3_overo_defconfig CONFIG_RSA=y CONFIG_DM=y
and in include/configs/omap3_overo.h.
#define CONFIG_OF_CONTROL #define CONFIG_OF_SEPARATE #define CONFIG_FIT #define CONFIG_FIT_SIGNATURE #define CONFIG_FIT_VERBOSE
and used EXT_DTB option for make.
now it works fine for the verified boot for gumstix overo.
So I think, putting CONFIG_RSA [CONFIG_RSA alone, since I can't put all there - board hanging issue ] in defconfig enabled the RSA options for the board.
Thanks & Regards, Arun
On Wed, May 18, 2016 at 11:59 PM, Simon Glass sjg@chromium.org wrote:
Hi Arun,
On 3 May 2016 at 19:50, Arun Kuttiyara Varghese arunkuttiyara@gmail.com wrote:
Hi Simon,
Thanks for the help.
There is an update.
I experimented with the two options.
Option 1
Like you mentioned, I tried putting all the RSA boot options to configs/omap3_overo_defconfig. but surprisingly, the board was not able to boot. it stucks after
printing
one line of junk characters.
So I think, putting definitions in include/configs/omap3_overo.h is also fine ?
Not if it is in Kconfig. That sounds like a separate problem. But i"m not sure what.
Option 2
- changed u-boot-dtb.img name to u-boot.img .
- then board is able to boot, but gives the below message when I tried
to
use bootm.
Overo # ## Loading kernel from FIT Image at 82000000 ... Using 'conf@1' configuration Verifying Hash Integrity ... sha1,rsa2048:my_keyRSA: Can't find
Modular
Exp implementation RSA: Can't find Modular Exp implementation
- Failed to verify required signature 'key-my_key'
Bad Data Hash ERROR: can't get kernel image! Overo #
If you grep for that message you see:
ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev); if (ret) { printf("RSA: Can't find Modular Exp implementation\n"); return -EINVAL; }
It is trying to find that uclass. Assuming that you have driver model enabled (CONFIG_DM), I wonder if you have CONFIG_RSA_SOFTWARE_EXP enabled? Unfortunately it looks like you have to do that manually as the option is not in Kconfig.
It is a driver for modular exponentiation, used for RSA. Some chips include hardware acceleration, but there is a software driver as a fallback.
As mentioned in doc/uImage.FIT/beaglebone_vboot.txt, I tried the script - tools/fit_check_sign, and its output is normal. Able to verify the signature.
So still dont know, what is the exact issue, why I am getting the above error message. I searched for UCLASS_MOD_EXP, /* RSA Mod Exp device */, but couldn't get much info.
What is RSA Mod Exp device and how to make sure that I have that ?
Any input to debugging will be greatly helpful.
Thanks & Regards, Arun
Regards, Simon
On Sun, May 1, 2016 at 2:55 PM, Simon Glass sjg@chromium.org wrote:
Hi Arun,
On 28 April 2016 at 14:48, Arun Kuttiyara Varghese arunkuttiyara@gmail.com wrote:
Hi All,
I was trying to enable the secured boot in u-boot for gumstix overo storm.
based on http://www.denx-cs.de/doku/?q=m28verifiedboot
After I prepared by SD cards, u-boot is not able to boot and gives the below error message.
U-Boot SPL 2015.07 (Apr 28 2016 - 13:53:06) SPL: Please implement spl_start_uboot() for your board
This seems to be implemented for pepper, so to avoid this warning you could add this function for your board. .
SPL: Direct Linux boot not active! reading u-boot.img spl_load_image_fat: error reading image u-boot.img, err - -1 SPL: Please implement spl_start_uboot() for your board SPL: Direct Linux boot not active! Failed to mount ext2 filesystem... spl_load_image_ext: ext4fs mount err - 0
================
This is the u-boot.dts file that I am using.
/dts-v1/;
/ { model = "Keys";
signature { key-dev { required = "conf"; algo = "sha1,rsa2048"; key-name-hint = "my_key"; }; };};
compilation using : dtc -p 0x1000 /work/u-boot.dts -O dtb -o /work/u-boot.dtb
And these are the conf that I have added to include/configs/omap3_overo.h
#define CONFIG_OF_CONTROL #define CONFIG_OF_SEPARATE #define CONFIG_FIT #define CONFIG_FIT_SIGNATURE #define CONFIG_RSA #define CONFIG_FIT_VERBOSE
These are in Kconfig now, so you should add them to configs/omap3_overo_defconfig.
I'm not sure what is wrong, but those two things might help.
and I am compiling u-boot by using below line :
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi-
EXT_DTB=/work/u-boot.dtb
all -j4
Please let me know if you have any ideas on how to debug this issue.
Thanks & Regards, Arun
Regards, Simon
Hi Arun,
On 27 May 2016 at 15:01, Arun Kuttiyara Varghese arunkuttiyara@gmail.com wrote:
Hi Simon,
Thanks a lot for your help.
I was experimenting with few options : finally I got a working combination.
I added below options in configs/omap3_overo_defconfig CONFIG_RSA=y CONFIG_DM=y
and in include/configs/omap3_overo.h.
#define CONFIG_OF_CONTROL #define CONFIG_OF_SEPARATE #define CONFIG_FIT #define CONFIG_FIT_SIGNATURE #define CONFIG_FIT_VERBOSE
and used EXT_DTB option for make.
now it works fine for the verified boot for gumstix overo.
I'm pleased you got it working. But you should be able to put all of those in your defconfig. Also, if you use 'make menuconfig' you can select the options for your board and it will (or at least shout) ensure that they are consistent.
So I think, putting CONFIG_RSA [CONFIG_RSA alone, since I can't put all there - board hanging issue ] in defconfig enabled the RSA options for the board.
Thanks & Regards, Arun
Regards, Simon
On Wed, May 18, 2016 at 11:59 PM, Simon Glass sjg@chromium.org wrote:
Hi Arun,
On 3 May 2016 at 19:50, Arun Kuttiyara Varghese arunkuttiyara@gmail.com wrote:
Hi Simon,
Thanks for the help.
There is an update.
I experimented with the two options.
Option 1
Like you mentioned, I tried putting all the RSA boot options to configs/omap3_overo_defconfig. but surprisingly, the board was not able to boot. it stucks after printing one line of junk characters.
So I think, putting definitions in include/configs/omap3_overo.h is also fine ?
Not if it is in Kconfig. That sounds like a separate problem. But i"m not sure what.
Option 2
- changed u-boot-dtb.img name to u-boot.img .
- then board is able to boot, but gives the below message when I tried
to use bootm.
Overo # ## Loading kernel from FIT Image at 82000000 ... Using 'conf@1' configuration Verifying Hash Integrity ... sha1,rsa2048:my_keyRSA: Can't find Modular Exp implementation RSA: Can't find Modular Exp implementation
- Failed to verify required signature 'key-my_key'
Bad Data Hash ERROR: can't get kernel image! Overo #
If you grep for that message you see:
ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev); if (ret) { printf("RSA: Can't find Modular Exp implementation\n"); return -EINVAL; }
It is trying to find that uclass. Assuming that you have driver model enabled (CONFIG_DM), I wonder if you have CONFIG_RSA_SOFTWARE_EXP enabled? Unfortunately it looks like you have to do that manually as the option is not in Kconfig.
It is a driver for modular exponentiation, used for RSA. Some chips include hardware acceleration, but there is a software driver as a fallback.
As mentioned in doc/uImage.FIT/beaglebone_vboot.txt, I tried the script
tools/fit_check_sign, and its output is normal. Able to verify the signature.
So still dont know, what is the exact issue, why I am getting the above error message. I searched for UCLASS_MOD_EXP, /* RSA Mod Exp device */, but couldn't get much info.
What is RSA Mod Exp device and how to make sure that I have that ?
Any input to debugging will be greatly helpful.
Thanks & Regards, Arun
Regards, Simon
On Sun, May 1, 2016 at 2:55 PM, Simon Glass sjg@chromium.org wrote:
Hi Arun,
On 28 April 2016 at 14:48, Arun Kuttiyara Varghese arunkuttiyara@gmail.com wrote:
Hi All,
I was trying to enable the secured boot in u-boot for gumstix overo storm.
based on http://www.denx-cs.de/doku/?q=m28verifiedboot
After I prepared by SD cards, u-boot is not able to boot and gives the below error message.
U-Boot SPL 2015.07 (Apr 28 2016 - 13:53:06) SPL: Please implement spl_start_uboot() for your board
This seems to be implemented for pepper, so to avoid this warning you could add this function for your board. .
SPL: Direct Linux boot not active! reading u-boot.img spl_load_image_fat: error reading image u-boot.img, err - -1 SPL: Please implement spl_start_uboot() for your board SPL: Direct Linux boot not active! Failed to mount ext2 filesystem... spl_load_image_ext: ext4fs mount err - 0
================
This is the u-boot.dts file that I am using.
/dts-v1/;
/ { model = "Keys";
signature { key-dev { required = "conf"; algo = "sha1,rsa2048"; key-name-hint = "my_key"; }; };};
compilation using : dtc -p 0x1000 /work/u-boot.dts -O dtb -o /work/u-boot.dtb
And these are the conf that I have added to include/configs/omap3_overo.h
#define CONFIG_OF_CONTROL #define CONFIG_OF_SEPARATE #define CONFIG_FIT #define CONFIG_FIT_SIGNATURE #define CONFIG_RSA #define CONFIG_FIT_VERBOSE
These are in Kconfig now, so you should add them to configs/omap3_overo_defconfig.
I'm not sure what is wrong, but those two things might help.
and I am compiling u-boot by using below line :
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- EXT_DTB=/work/u-boot.dtb all -j4
Please let me know if you have any ideas on how to debug this issue.
Thanks & Regards, Arun
Regards, Simon
participants (2)
-
Arun Kuttiyara Varghese -
Simon Glass