Hello,

We're currently using i.mx6 with u-boot 2017.03 and kernel 4.9 and our goal is to implement a chain of trust in our product.

So far we've done the following:

1. We're using u-boot fitimage in our system in order to put our kernel, initramfs and 10 device trees into a boot.itb container.
2. We've gone ahead and enabled verified-boot, which signs the u-boot.itb, which is then verified by u-boot using the attached control fdt which contains the public key.
3. Finally, we're enabling i.mx6 high assurance boot so that the bootrom can verify u-boot. (All previous HAB events have been resolved. Unit is ready to go from open -> closed.)

The issue that we're seeing is that when we enable secure boot, this breaks the verified-boot feature (in step 2).

This is the error that we get:

    Failed to verify required signature 'key-dev'
    Bad Data Hash
    ERROR: can't get kernel image!
    =>

If I don't enable secure boot, I don't get this error. Board boots fine.

I believe that the issue lies in the fact that secureboot adds the csf blob data at the end of u-boot-dtb.imx and now u-boot is no longer able to find the controlfdt blob with the key information needed for verified-boot to work.

Additionally, after performing a hex comparison between two u-boots with secure boot enabled and not enabled, I can see that the controlfdt info is available in both cases.

If anyone has any thoughts on this, I would greatly appreciate it.

Thank you,
Davis Roman
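A scripted version of the hex comparison described in the post, as an added example that is not part of the original message: it scans an image for flattened device tree blobs, reports each blob's offset and size, and walks its node tree so the key node can be looked up by path. It assumes an FDT version 17 header and a `/signature/key-dev` node (the name taken from the error message); the sample image and its trailing stand-in CSF bytes are constructed.

```python
import struct

FDT_MAGIC = b"\xd0\x0d\xfe\xed"
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9
align4 = lambda n: (n + 3) & ~3

def node_paths(blob):
    """Walk one FDT's structure block and return the path of every node."""
    pos, stack, paths = struct.unpack_from(">I", blob, 8)[0], [], []  # off_dt_struct
    try:
        while True:
            token, = struct.unpack_from(">I", blob, pos)
            pos += 4
            if token == BEGIN_NODE:
                end = blob.index(b"\0", pos)           # node name is NUL-terminated
                stack.append(blob[pos:end].decode("ascii", "replace"))
                paths.append("/" + "/".join(stack[1:]))
                pos = align4(end + 1)
            elif token == END_NODE:
                stack.pop()
            elif token == PROP:                        # len, nameoff, then the value
                length, _ = struct.unpack_from(">II", blob, pos)
                pos = align4(pos + 8 + length)
            elif token != NOP:                         # FDT_END or garbage
                break
    except (struct.error, ValueError, IndexError):     # truncated or corrupt blob
        pass
    return paths

def find_fdt_blobs(image):
    """Return (offset, totalsize, node paths) for each plausible FDT in image."""
    found, start = [], 0
    while (off := image.find(FDT_MAGIC, start)) != -1 and off + 40 <= len(image):
        start = off + 4
        _, total, o_struct, o_strings, _, version = struct.unpack_from(">6I", image, off)
        ok = version == 17 and 40 <= o_struct < total and o_strings <= total
        if ok and off + total <= len(image):           # else: stray magic or cut-off blob
            found.append((off, total, node_paths(image[off:off + total])))
    return found

def _node(name, *children):                            # builder for the sample only
    n = name.encode() + b"\0"
    return (struct.pack(">I", BEGIN_NODE) + n.ljust(align4(len(n)), b"\0")
            + b"".join(children) + struct.pack(">I", END_NODE))

def build_sample_image():                              # constructed input, not a real image
    st = _node("", _node("signature", _node("key-dev"))) + struct.pack(">I", END)
    hdr = struct.pack(">10I", 0xd00dfeed, 56 + len(st), 56, 56 + len(st), 40, 17, 16, 0, 0, len(st))
    # padding + header + empty reserve map + structure block + stand-in appended CSF bytes
    return b"\xff" * 0x30 + hdr + b"\0" * 16 + st + b"\xd4" + b"\0" * 31
```

Calling `find_fdt_blobs()` on the bytes of the signed and the unsigned image and comparing the reported offsets, sizes and node paths shows whether the control FDT and its key node are identical in both.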