[U-Boot] Enabling i.mx6 high assurance boot appears to break u-boot verified-boot

Hello,
We're currently using i.mx6 with u-boot 2017.03 and kernel 4.9 and our goal is to implement a chain of trust in our product.
So far we've done the following:
1. We're using u-boot fitimage in our system in order to put our kernel, initramfs and 10 device trees into a boot.itb container.
2. We've gone ahead and enabled verified-boot which signs the u-boot.itb and then is verified by u-boot using the attached control fdt which contains the public key.
3. Finally, we're enabling i.mx6 high assurance boot so that the bootrom can verify u-boot. ( All previous HAB events have been resolved. Unit is ready to go from open -> closed )
The issue that we're seeing is that when we enable secure boot, this breaks the verified-boot feature ( in step 2 )
This is the error that we get:
Failed to verify required signature 'key-dev'
Bad Data Hash
ERROR: can't get kernel image!
=>
If I don't enable secure boot, I don't get this error. Board boots fine.
I believe that the issue lies in the fact that secureboot adds the csf blob data at the end of u-boot-dtb.imx and now u-boot is no longer able to find the controlfdt blob with the key information needed for verified-boot to work.
Additionally, after performing a hex comparison between two u-boots with secure boot enabled and not enabled, I can see that the controlfdt info is available in both cases.
If anyone has any thoughts on this, I would greatly appreciate it.
Thank you,
Davis Roman
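
Added example, not part of the original post: a Python version of the comparison described above. It locates the control FDT in two images and reports whether it sits at the same offset, is byte-identical, still contains the `key-dev` node, and how many bytes follow it. The function names, the assumption that the control FDT is the last FDT in the image, and the constructed `PLAIN`/`SIGNED` byte strings (stand-ins for the two u-boot-dtb.imx files) are illustrative.

```python
import hashlib
import struct

FDT_MAGIC = struct.pack(">I", 0xD00DFEED)
HDR = struct.Struct(">10I")  # ten big-endian u32 header fields (FDT v17)

def find_fdts(image: bytes):
    """Return (offset, blob) for every structurally sane FDT found in image."""
    found, pos = [], image.find(FDT_MAGIC)
    while pos != -1:
        if pos + HDR.size <= len(image):
            (_, total, off_struct, off_strings, _, version, _, _,
             size_strings, size_struct) = HDR.unpack_from(image, pos)
            if (HDR.size <= total <= len(image) - pos and version >= 17
                    and off_struct + size_struct <= total
                    and off_strings + size_strings <= total):
                found.append((pos, image[pos:pos + total]))
        pos = image.find(FDT_MAGIC, pos + 1)
    return found

def control_fdt_report(image: bytes, key_node: bytes = b"key-dev"):
    """Describe the last FDT in image (assumed here to be the control FDT)."""
    fdts = find_fdts(image)
    if not fdts:
        return None
    off, blob = fdts[-1]
    return {
        "offset": off,
        "sha256": hashlib.sha256(blob).hexdigest(),
        "has_key_node": key_node + b"\0" in blob,  # node name as stored in the blob
        "trailing_bytes": len(image) - off - len(blob),  # data appended after the FDT
    }

def make_fdt(node: bytes = b"key-dev") -> bytes:
    """Build a tiny constructed FDT: / -> signature -> <node>, no properties."""
    def begin(name):  # FDT_BEGIN_NODE token + NUL-terminated name padded to 4 bytes
        return struct.pack(">I", 1) + name + b"\0" * (4 - len(name) % 4)
    body = begin(b"") + begin(b"signature") + begin(node)
    body += struct.pack(">4I", 2, 2, 2, 9)  # three FDT_END_NODE, then FDT_END
    off_struct = HDR.size + 16  # header + empty memory reservation map
    total = off_struct + len(body)
    hdr = HDR.pack(0xD00DFEED, total, off_struct, total, HDR.size,
                   17, 16, 0, 0, len(body))
    return hdr + b"\0" * 16 + body

# Constructed sample images: filler "code" + FDT, then the same with padding
# and a placeholder blob appended (standing in for the CSF data).
PLAIN = b"\xAA" * 64 + make_fdt()
SIGNED = PLAIN + b"\0" * 12 + b"C" * 16
```

Matching offsets and hashes with `has_key_node` true in both reports confirm that the control FDT and its key node are intact in the signed image; `trailing_bytes` shows how much data was appended after it.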

On 05/19/2018 02:40 AM, Davis Roman wrote:
> Hello,

Hi,

> We're currently using i.mx6 with u-boot 2017.03

Is there any reason why you wouldn't use something newer? Or is that the NXP fork of U-Boot?

> and kernel 4.9 and our goal is to implement a chain of trust in our product.
> So far we've done the following:
> - We're using u-boot fitimage in our system in order to put our kernel, initramfs and 10 device trees into a boot.itb container.
> - We've gone ahead and enabled verified-boot which signs the u-boot.itb and then is verified by u-boot using the attached control fdt which contains the public key.
> - Finally, we're enabling i.mx6 high assurance boot so that the bootrom can verify u-boot. ( All previous HAB events have been resolved. Unit is ready to go from open -> closed )
> The issue that we're seeing is that when we enable secure boot, this breaks the verified-boot feature ( in step 2 )
> This is the error that we get:
> Failed to verify required signature 'key-dev'
> Bad Data Hash
> ERROR: can't get kernel image!
> =>
> If I don't enable secure boot, I don't get this error. Board boots fine.
> I believe that the issue lies in the fact that secureboot adds the csf blob data at the end of u-boot-dtb.imx and now u-boot is no longer able to find the controlfdt blob with the key information needed for verified-boot to work.
> Additionally, after performing a hex comparison between two u-boots with secure boot enabled and not enabled, I can see that the controlfdt info is available in both cases.
> If anyone has any thoughts on this, I would greatly appreciate it.

Can you try latest 2018.05 or u-boot/master and see if that's still broken?

participants (2): Davis Roman, Marek Vasut