imx8mm: Invalid IVT structure
Hi,
On top of tree U-Boot, when CONFIG_IMX_HAB=y is selected in imx8mm_evk_defconfig, the following error messages are seen:
U-Boot SPL 2022.07-rc3-00097-g26aa5e5c3fbc-dirty (Jun 08 2022 - 10:59:56 -0300) SEC0: RNG instantiated Normal Boot WDT: Started watchdog@30280000 with servicing (60s timeout) Trying to boot from MMC1 hab fuse not enabled
Authenticate image from DDR location 0x401fcdc0... bad magic magic=0x0 length=0x00 version=0x0 bad length magic=0x0 length=0x00 version=0x0 bad version magic=0x0 length=0x00 version=0x0 Error: Invalid IVT structure NOTICE: BL31: v2.4(release):lf-5.15.5-1.0.0-10-gcb51a0faa4b6 NOTICE: BL31: Built : 10:50:11, Jun 8 2022
The boot proceeds normally, despite the error messages above.
Does anyone know how we could fix these errors?
Thanks,
Fabio Estevam
Hi
On Wed, Jun 8, 2022 at 4:13 PM Fabio Estevam festevam@gmail.com wrote:
Hi,
On top of tree U-Boot, when CONFIG_IMX_HAB=y is selected in imx8mm_evk_defconfig, the following error messages are seen:
U-Boot SPL 2022.07-rc3-00097-g26aa5e5c3fbc-dirty (Jun 08 2022 - 10:59:56 -0300) SEC0: RNG instantiated Normal Boot WDT: Started watchdog@30280000 with servicing (60s timeout) Trying to boot from MMC1 hab fuse not enabled
Authenticate image from DDR location 0x401fcdc0... bad magic magic=0x0 length=0x00 version=0x0 bad length magic=0x0 length=0x00 version=0x0 bad version magic=0x0 length=0x00 version=0x0 Error: Invalid IVT structure
You need to have a sign image
Michael
NOTICE: BL31: v2.4(release):lf-5.15.5-1.0.0-10-gcb51a0faa4b6 NOTICE: BL31: Built : 10:50:11, Jun 8 2022
The boot proceeds normally, despite the error messages above.
Does anyone know how we could fix these errors?
Thanks,
Fabio Estevam
Hi,
On Wed, Jun 08, 2022 at 04:14:51PM +0200, Michael Nazzareno Trimarchi wrote:
Hi
On Wed, Jun 8, 2022 at 4:13 PM Fabio Estevam festevam@gmail.com wrote:
Hi,
On top of tree U-Boot, when CONFIG_IMX_HAB=y is selected in imx8mm_evk_defconfig, the following error messages are seen:
U-Boot SPL 2022.07-rc3-00097-g26aa5e5c3fbc-dirty (Jun 08 2022 - 10:59:56 -0300) SEC0: RNG instantiated Normal Boot WDT: Started watchdog@30280000 with servicing (60s timeout) Trying to boot from MMC1 hab fuse not enabled
Authenticate image from DDR location 0x401fcdc0... bad magic magic=0x0 length=0x00 version=0x0 bad length magic=0x0 length=0x00 version=0x0 bad version magic=0x0 length=0x00 version=0x0 Error: Invalid IVT structure
You need to have a sign image
Agree
Maybe this page can help you Fabio https://boundarydevices.com/high-assurance-boot-hab-i-mx8m-edition/
Regards, Tommaso
Michael
NOTICE: BL31: v2.4(release):lf-5.15.5-1.0.0-10-gcb51a0faa4b6 NOTICE: BL31: Built : 10:50:11, Jun 8 2022
The boot proceeds normally, despite the error messages above.
Does anyone know how we could fix these errors?
Thanks,
Fabio Estevam
-- Michael Nazzareno Trimarchi Co-Founder & Chief Executive Officer M. +39 347 913 2170 michael@amarulasolutions.com __________________________________
Amarula Solutions BV Joop Geesinkweg 125, 1114 AB, Amsterdam, NL T. +31 (0)85 111 9172 info@amarulasolutions.com www.amarulasolutions.com
On Wed, Jun 8, 2022 at 8:09 AM Tommaso Merciai tommaso.merciai@amarulasolutions.com wrote:
Hi,
On Wed, Jun 08, 2022 at 04:14:51PM +0200, Michael Nazzareno Trimarchi wrote:
Hi
On Wed, Jun 8, 2022 at 4:13 PM Fabio Estevam festevam@gmail.com wrote:
Hi,
On top of tree U-Boot, when CONFIG_IMX_HAB=y is selected in imx8mm_evk_defconfig, the following error messages are seen:
U-Boot SPL 2022.07-rc3-00097-g26aa5e5c3fbc-dirty (Jun 08 2022 - 10:59:56 -0300) SEC0: RNG instantiated Normal Boot WDT: Started watchdog@30280000 with servicing (60s timeout) Trying to boot from MMC1 hab fuse not enabled
Authenticate image from DDR location 0x401fcdc0... bad magic magic=0x0 length=0x00 version=0x0 bad length magic=0x0 length=0x00 version=0x0 bad version magic=0x0 length=0x00 version=0x0 Error: Invalid IVT structure
You need to have a sign image
Agree
Maybe this page can help you Fabio https://boundarydevices.com/high-assurance-boot-hab-i-mx8m-edition/
Tommaso,
Is that info still applicable to mainline U-Boot where binman is used to generate images?
I'm not clear how the image signing is affected when using binman. I believe Heiko was talking about getting binman to sign images at one point but I'm not sure if anyone has worked on that.
Best Regards,
Tim
Hi Tim
On Wed, Jun 8, 2022 at 5:25 PM Tim Harvey tharvey@gateworks.com wrote:
On Wed, Jun 8, 2022 at 8:09 AM Tommaso Merciai tommaso.merciai@amarulasolutions.com wrote:
Hi,
On Wed, Jun 08, 2022 at 04:14:51PM +0200, Michael Nazzareno Trimarchi wrote:
Hi
On Wed, Jun 8, 2022 at 4:13 PM Fabio Estevam festevam@gmail.com wrote:
Hi,
On top of tree U-Boot, when CONFIG_IMX_HAB=y is selected in imx8mm_evk_defconfig, the following error messages are seen:
U-Boot SPL 2022.07-rc3-00097-g26aa5e5c3fbc-dirty (Jun 08 2022 - 10:59:56 -0300) SEC0: RNG instantiated Normal Boot WDT: Started watchdog@30280000 with servicing (60s timeout) Trying to boot from MMC1 hab fuse not enabled
Authenticate image from DDR location 0x401fcdc0... bad magic magic=0x0 length=0x00 version=0x0 bad length magic=0x0 length=0x00 version=0x0 bad version magic=0x0 length=0x00 version=0x0 Error: Invalid IVT structure
You need to have a sign image
Agree
Maybe this page can help you Fabio https://boundarydevices.com/high-assurance-boot-hab-i-mx8m-edition/
Tommaso,
Is that info still applicable to mainline U-Boot where binman is used to generate images?
I'm not clear how the image signing is affected when using binman. I believe Heiko was talking about getting binman to sign images at one point but I'm not sure if anyone has worked on that.
We should use the CST to sign image. I don't know if anyone is working on this for binman
Michael
Best Regards,
Tim
Hi,
On Wed, 2022-06-08 at 17:39 +0200, Michael Nazzareno Trimarchi wrote:
Hi Tim
On Wed, Jun 8, 2022 at 5:25 PM Tim Harvey tharvey@gateworks.com wrote:
On Wed, Jun 8, 2022 at 8:09 AM Tommaso Merciai tommaso.merciai@amarulasolutions.com wrote:
Hi,
On Wed, Jun 08, 2022 at 04:14:51PM +0200, Michael Nazzareno Trimarchi wrote:
Hi
On Wed, Jun 8, 2022 at 4:13 PM Fabio Estevam festevam@gmail.com wrote:
Hi,
On top of tree U-Boot, when CONFIG_IMX_HAB=y is selected in imx8mm_evk_defconfig, the following error messages are seen:
U-Boot SPL 2022.07-rc3-00097-g26aa5e5c3fbc-dirty (Jun 08 2022
- 10:59:56 -0300)
SEC0: RNG instantiated Normal Boot WDT: Started watchdog@30280000 with servicing (60s timeout) Trying to boot from MMC1 hab fuse not enabled
Authenticate image from DDR location 0x401fcdc0... bad magic magic=0x0 length=0x00 version=0x0 bad length magic=0x0 length=0x00 version=0x0 bad version magic=0x0 length=0x00 version=0x0 Error: Invalid IVT structure
You need to have a sign image
Agree
Maybe this page can help you Fabio https://boundarydevices.com/high-assurance-boot-hab-i-mx8m-edition/
Tommaso,
Is that info still applicable to mainline U-Boot where binman is used to generate images?
I'm not clear how the image signing is affected when using binman. I believe Heiko was talking about getting binman to sign images at one point but I'm not sure if anyone has worked on that.
We should use the CST to sign image. I don't know if anyone is working on this for binman
Michael
Best Regards,
Tim
I've been working on creating the CSF within Binman. I basically introduced two novelties in my code:
1. Fully generate the CSF for the U-Boot SPL within Binman 2. Embed a sha256 hash of U-Boot TPL in the SPL (wich is signed through the CSF). So the TPL can be verified using a simple hash check.
See https://gitlab.com/hberntsen/u-boot/-/commits/secure-boot for my commits on top of v2022.04. I did not submit those yet as I wanted to internally test and review. Unfortunately, due to other priorities this has not happened yet. So if anyone wants to help, let me know :).
Kind regards, Harm
Hi Michael,
On Wed, Jun 8, 2022 at 11:15 AM Michael Nazzareno Trimarchi michael@amarulasolutions.com wrote:
Hi
On Wed, Jun 8, 2022 at 4:13 PM Fabio Estevam festevam@gmail.com wrote:
Hi,
On top of tree U-Boot, when CONFIG_IMX_HAB=y is selected in imx8mm_evk_defconfig, the following error messages are seen:
U-Boot SPL 2022.07-rc3-00097-g26aa5e5c3fbc-dirty (Jun 08 2022 - 10:59:56 -0300) SEC0: RNG instantiated Normal Boot WDT: Started watchdog@30280000 with servicing (60s timeout) Trying to boot from MMC1 hab fuse not enabled
Authenticate image from DDR location 0x401fcdc0... bad magic magic=0x0 length=0x00 version=0x0 bad length magic=0x0 length=0x00 version=0x0 bad version magic=0x0 length=0x00 version=0x0 Error: Invalid IVT structure
You need to have a sign image
Yes, I understand that.
On other platforms, with IMX_HAB selected, I don't see these errors even when the image is not signed.
On a warp7, which has CONFIG_IMX_HAB=y by default:
U-Boot 2022.07-rc3-00094-g15d0b98acf-dirty (Jun 08 2022 - 13:16:07 -0300)
CPU: Freescale i.MX7S rev1.2 800 MHz (running at 792 MHz) CPU: Extended Commercial temperature grade (-20C to 105C) at 44C Reset cause: POR Model: Warp i.MX7 Board Board: WARP7 in secure mode OPTEE DRAM 0x9d000000-0xa0000000 DRAM: 464 MiB Core: 68 devices, 17 uclasses, devicetree: separate PMIC: PFUZE3000 DEV_ID=0x30 REV_ID=0x11 MMC: FSL_SDHC: 3, FSL_SDHC: 0 Loading Environment from MMC... OK In: serial@30860000 Out: serial@30860000 Err: serial@30860000 SEC0: RNG instantiated Net: usb_ether Hit any key to stop autoboot: 0 =>
It seems the error comes when IMX_HAB is used with SPL.
Just tried it on a imx6sabresd board:
--- a/configs/mx6sabresd_defconfig +++ b/configs/mx6sabresd_defconfig @@ -122,3 +122,5 @@ CONFIG_VIDEO_IPUV3=y CONFIG_SPLASH_SCREEN=y CONFIG_SPLASH_SCREEN_ALIGN=y CONFIG_BMP_16BPP=y +CONFIG_IMX_HAB=y +CONFIG_SPL_DRIVERS_MISC=y
U-Boot SPL 2022.07-rc3-00094-g15d0b98acf-dirty (Jun 08 2022 - 13:04:35 -0300) Trying to boot from MMC1 hab fuse not enabled
Authenticate image from DDR location 0x177fcd40... bad magic magic=0xc5 length=0x54b2 version=0xf8 bad length magic=0xc5 length=0x54b2 version=0xf8 bad version magic=0xc5 length=0x54b2 version=0xf8 Error: Invalid IVT structure
(The board hangs here)
Not sure if this is related to the hang that Andrey observes on i.MX8MP when IMX_HAB is selected.
participants (5)
-
Fabio Estevam -
Harm Berntsen -
Michael Nazzareno Trimarchi -
Tim Harvey -
Tommaso Merciai