On 05/19/2018 02:40 AM, Davis Roman wrote:
> Hello,

Hi,

> We're currently using i.mx6 with u-boot 2017.03

Is there any reason why you wouldn't use something newer? Or is that
the NXP fork of U-Boot?

> and kernel 4.9 and our
> goal is to implement a chain of trust in our product.
>
> So far we've done the following:
>
> 1. We're using u-boot fitimage in our system in order to put our
> kernel, initramfs and 10 device trees into a boot.itb container.
>
> 2. We've gone ahead and enabled verified-boot which signs the
> u-boot.itb and then is verified by u-boot using the attached control
> fdt which contains the public key.
>
> 3. Finally, we're enabling i.mx6 high assurance boot so that the
> bootrom can verify u-boot. ( All previous HAB events have been
> resolved. Unit is ready to go from open -> closed )
>
> The issue that we're seeing is that when we enable secure boot, this
> breaks the verified-boot feature ( in step 2 )
>
> This is the error that we get:
>
> Failed to verify required signature 'key-dev'
> Bad Data Hash
> ERROR: can't get kernel image!
> =>
>
> If I don't enable secure boot, I don't get this error. Board boots fine.
>
> I believe that the issue lies in the fact that secureboot adds the csf
> blob data at the end of u-boot-dtb.imx and now u-boot is no longer
> able to find the controlfdt blob with the key information needed for
> verified-boot to work.
>
> Additionally, after performing a hex comparison between two u-boots
> with secure boot enabled and not enabled, I can see that the
> controlfdt info is available in both cases.
>
> If anyone has any thoughts on this, I would greatly appreciate it.

Can you try latest 2018.05 or u-boot/master and see if that's still
broken?

-- 
Best regards,
Marek Vasut
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
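
Added example, not part of the original thread and not U-Boot code: a Python check that does the hex comparison described above programmatically. It finds flattened device tree blobs in an image by header magic, reports how many bytes follow each blob, and lists the key nodes under /signature. The sample blob, the padding and the trailing bytes standing in for appended CSF data are constructed, the /signature/key-dev layout is an assumption based on the key name in the error message, and all function names are hypothetical.

```python
import struct
FDT_MAGIC = struct.pack(">I", 0xD00DFEED)
# magic, totalsize, off_struct, off_strings, off_rsvmap, version, last_comp, boot_cpuid, size_strings, size_struct
HDR = struct.Struct(">10I")

def pad4(b):
    return b + b"\0" * (-len(b) % 4)

def build_sample_fdt(key=b"dev"):
    """Constructed minimal blob: /signature/key-<key> { key-name-hint = <key>; }"""
    strings = b"key-name-hint\0"
    node = lambda name: struct.pack(">I", 1) + pad4(name + b"\0")
    prop = struct.pack(">3I", 3, len(key) + 1, 0) + pad4(key + b"\0")
    st = node(b"") + node(b"signature") + node(b"key-" + key) + prop + struct.pack(">4I", 2, 2, 2, 9)
    o_st = HDR.size + 16                      # header + empty reserve map
    o_str = o_st + len(st)
    return HDR.pack(0xD00DFEED, o_str + len(strings), o_st, o_str, HDR.size,
                    17, 16, 0, len(strings), len(st)) + b"\0" * 16 + st + strings

def find_fdts(image):
    """Return (offset, totalsize, bytes_after_blob) for each valid FDT header."""
    hits, pos = [], image.find(FDT_MAGIC)
    while pos != -1:
        if pos + HDR.size <= len(image):
            _, total, o_st, o_str, _, ver, _, _, s_str, s_st = HDR.unpack_from(image, pos)
            if (ver >= 16 and o_st + s_st <= total and o_str + s_str <= total
                    and pos + total <= len(image)):
                hits.append((pos, total, len(image) - pos - total))
        pos = image.find(FDT_MAGIC, pos + 4)
    return hits

def signature_keys(image, off):
    """Walk the struct block; return node names directly under /signature."""
    h = HDR.unpack_from(image, off)
    p, end, path, keys = off + h[2], off + h[2] + h[9], [], []
    while p < end:
        (tok,) = struct.unpack_from(">I", image, p)
        p += 4
        if tok == 1:                          # FDT_BEGIN_NODE: NUL-terminated name
            nul = image.index(b"\0", p)
            if path == ["", "signature"]:
                keys.append(image[p:nul].decode())
            path.append(image[p:nul].decode())
            p += len(pad4(image[p:nul + 1]))
        elif tok == 2:                        # FDT_END_NODE
            path.pop()
        elif tok == 3:                        # FDT_PROP: len, nameoff, padded data
            (length,) = struct.unpack_from(">I", image, p)
            p += 8 + length + (-length % 4)
    return keys
```

Run `find_fdts()` on the unsigned and the HAB-signed image and compare the offsets, sizes and trailing byte counts, then confirm `signature_keys()` returns the same key node for both.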