Hi,

I am trying to get verified u-boot working on a Tegra TX2 board. I get an error while trying to verify the signature. I am not quite sure how to proceed forward to resolve this. Any help would be appreciated.

U-boot version: U-Boot 2016.07-dirty (Jun 07 2019 - 10:46:18 -0700) aarch64-linux-gnu-gcc (Linaro GCC 7.4-2019.02) 7.4.1 20181213 [linaro-7.4-2019.02 revision 56ec6f6b99cc167ff0c2f8e1a2eed33b1edc85d4] GNU ld (Linaro_Binutils-2019.02) 2.28.2.20170706

This is the verification error I got:

Tegra186 (P2771-0000-500) # load mmc 0:1 0x80000000 boot/fitImage_Tegra 34393994 bytes read in 867 ms (37.8 MiB/s) Tegra186 (P2771-0000-500) # bootm 0x80000000 ## Loading kernel from FIT Image at 80000000 ... Using 'conf@1' configuration Verifying Hash Integrity ... sha256,rsa4096:tx2_key- Failed to verify required signature 'key-tx2_key' Bad Data Hash ERROR: can't get kernel image! I realize that there may be some issues with the load address of the image - not sure if that is why the error "can't get kernel image!" happens. But I am trying to resolve the signature error first.

Using fit_check_sign There is a tool called fit_check_sign to check if the signature is fine. I got the following results when I ran the tool sudo ../sources/u-boot/tools/fit_check_sign -f fitImage_Tegra -k tegra186-p2771-0000-500_pubkey.dtb

Verifying Hash Integrity ... sha256,rsa4096:tx2_key+ ## Loading kernel from FIT Image at 7fd7974db000 ... Using 'conf@1' configuration Verifying Hash Integrity ... sha256,rsa4096:tx2_key+ OK

Trying 'kernel@1' kernel subimage Description: Linux kernel Created: Mon Jun 10 10:27:57 2019 Type: Kernel Image Compression: uncompressed Data Size: 34048008 Bytes = 33250.01 kB = 32.47 MB Architecture: AArch64 OS: Linux Load Address: 0x80400000 Entry Point: 0x80400000 Hash algo: sha256 Hash value: 1ab04b15e67dad84c467cd354acb791cd5089ece37491d1771270e4f37af5f13 Verifying Hash Integrity ... sha256+ OK

Loading Kernel Image ... Image too large: increase CONFIG_SYS_BOOTM_LEN Must RESET board to recover ## Loading fdt from FIT Image at 7fd7974db000 ... Using 'conf@1' configuration Trying 'fdt@1' fdt subimage Description: DTB for Tegra TX2 Created: Mon Jun 10 10:27:57 2019 Type: Flat Device Tree Compression: uncompressed Data Size: 344105 Bytes = 336.04 kB = 0.33 MB Architecture: AArch64 Hash algo: sha256 Hash value: e8fbc4d332c0c1d957a77a57576191dfea0e1151193cedc671aecfb415d2782a Verifying Hash Integrity ... sha256+ OK

Loading Flat Device Tree ... OK

## Loading ramdisk from FIT Image at 7fd7974db000 ... Using 'conf@1' configuration Could not find subimage node

Signature check Bad (error 1)

Steps I used to create the fitImage

Generate a new key-pair using openssl mkdir keys openssl genrsa -F4 -out keys/tx2_key.key 4096 (Use 2048 instead of 4096 if boot time is unacceptable) openssl req -batch -new -x509 -key keys/tx2_key.key -out keys/tx2_key.crt

sudo ../sources/u-boot/tools/mkimage -f fitImage_Tegra.its -K tegra186-p2771-0000-500_pubkey.dtb -k keys -r fitImage_Tegra This will create the fitimage FIT description: fitImage for Tegra Created: Thu Jun 6 13:11:36 2019 Image 0 (kernel@1) Description: Linux kernel Created: Thu Jun 6 13:11:36 2019 Type: Kernel Image Compression: uncompressed Data Size: 34048008 Bytes = 33250.01 kB = 32.47 MB Architecture: AArch64 OS: Linux Load Address: 0x80000000 Entry Point: 0x80000000 Hash algo: sha256 Hash value: 1ab04b15e67dad84c467cd354acb791cd5089ece37491d1771270e4f37af5f13 Image 1 (fdt@1) Description: DTB for Tegra TX2 Created: Thu Jun 6 13:11:36 2019 Type: Flat Device Tree Compression: uncompressed Data Size: 344105 Bytes = 336.04 kB = 0.33 MB Architecture: AArch64 Hash algo: sha256 Hash value: e8fbc4d332c0c1d957a77a57576191dfea0e1151193cedc671aecfb415d2782a Default Configuration: 'conf@1' Configuration 0 (conf@1) Description: Boot Linux kernel and FDT Kernel: kernel@1 FDT: fdt@1

Then I rebuild u-boot from source to incorporate the public key into its dtb. make EXT_DTB=../../fit/tegra186-p2771-0000-500_pubkey.dtb

Thanks a lot for your help

Rayees Shamsuddin