Hi,

On Wed, 2022-06-08 at 17:39 +0200, Michael Nazzareno Trimarchi wrote:
> Hi Tim
>
> On Wed, Jun 8, 2022 at 5:25 PM Tim Harvey <thar...@gateworks.com> wrote:
> >
> > On Wed, Jun 8, 2022 at 8:09 AM Tommaso Merciai
> > <tommaso.merc...@amarulasolutions.com> wrote:
> > >
> > > Hi,
> > >
> > > On Wed, Jun 08, 2022 at 04:14:51PM +0200, Michael Nazzareno Trimarchi wrote:
> > > > Hi
> > > >
> > > > On Wed, Jun 8, 2022 at 4:13 PM Fabio Estevam <feste...@gmail.com> wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > > On top of tree U-Boot, when CONFIG_IMX_HAB=y is selected in
> > > > > imx8mm_evk_defconfig, the following error messages are seen:
> > > > >
> > > > > U-Boot SPL 2022.07-rc3-00097-g26aa5e5c3fbc-dirty (Jun 08 2022 - 10:59:56 -0300)
> > > > > SEC0: RNG instantiated
> > > > > Normal Boot
> > > > > WDT: Started watchdog@30280000 with servicing (60s timeout)
> > > > > Trying to boot from MMC1
> > > > > hab fuse not enabled
> > > > >
> > > > > Authenticate image from DDR location 0x401fcdc0...
> > > > > bad magic magic=0x0 length=0x00 version=0x0
> > > > > bad length magic=0x0 length=0x00 version=0x0
> > > > > bad version magic=0x0 length=0x00 version=0x0
> > > > > Error: Invalid IVT structure
> > > >
> > > > You need to have a signed image
> > >
> > > Agree
> > >
> > > Maybe this page can help you Fabio
> > > https://boundarydevices.com/high-assurance-boot-hab-i-mx8m-edition/
> > >
> >
> > Tommaso,
> >
> > Is that info still applicable to mainline U-Boot where binman is used
> > to generate images?
> >
> > I'm not clear how the image signing is affected when using binman. I
> > believe Heiko was talking about getting binman to sign images at one
> > point but I'm not sure if anyone has worked on that.
> >
>
> We should use the CST to sign the image. I don't know if anyone is working
> on this for binman
>
> Michael
>
> > Best Regards,
> >
> > Tim
> >
I've been working on creating the CSF within Binman. I basically introduced two novelties in my code:

1. Fully generate the CSF for the U-Boot SPL within Binman
2. Embed a sha256 hash of U-Boot TPL in the SPL (which is signed through the CSF). So the TPL can be verified using a simple hash check.

See https://gitlab.com/hberntsen/u-boot/-/commits/secure-boot for my commits on top of v2022.04. I did not submit those yet as I wanted to internally test and review. Unfortunately, due to other priorities this has not happened yet. So if anyone wants to help, let me know :).

Kind regards,
Harm
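The "bad magic / bad length / bad version ... Invalid IVT structure" lines quoted in Fabio's log come from the HABv4 IVT header check that runs before any signature is verified. As an added example, not code from the thread or from U-Boot itself, here is a stand-alone re-implementation of that check over constructed inputs; the tag, length and version constants are the documented HABv4 IVT values, and the sample byte arrays are constructed for illustration.

```c
/* Added example: stand-alone HABv4 IVT header check (not U-Boot's own code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IVT_HEADER_MAGIC 0xD1 /* HAB tag identifying an IVT */
#define IVT_TOTAL_LENGTH 0x20 /* an IVT is always 32 bytes */
#define IVT_HEADER_V1    0x40 /* accepted HABv4 IVT versions */
#define IVT_HEADER_V2    0x41

/* First four bytes of the IVT as laid out in memory:
 * tag, 16-bit big-endian length, version. */
struct ivt_header {
    uint8_t magic;
    uint8_t length[2]; /* big-endian */
    uint8_t version;
};

/* Returns 0 when the bytes at 'buf' carry a plausible IVT header, 1 otherwise,
 * printing one diagnostic per failed field, as the quoted log shows. */
int verify_ivt_header(const uint8_t *buf)
{
    struct ivt_header hdr;
    int result = 0;

    memcpy(&hdr, buf, sizeof(hdr));
    uint16_t len = (uint16_t)((hdr.length[0] << 8) | hdr.length[1]);

    if (hdr.magic != IVT_HEADER_MAGIC) {
        printf("bad magic magic=0x%x length=0x%02x version=0x%x\n",
               hdr.magic, len, hdr.version);
        result = 1;
    }
    if (len != IVT_TOTAL_LENGTH) {
        printf("bad length magic=0x%x length=0x%02x version=0x%x\n",
               hdr.magic, len, hdr.version);
        result = 1;
    }
    if (hdr.version != IVT_HEADER_V1 && hdr.version != IVT_HEADER_V2) {
        printf("bad version magic=0x%x length=0x%02x version=0x%x\n",
               hdr.magic, len, hdr.version);
        result = 1;
    }
    return result;
}

int main(void)
{
    /* Constructed inputs: all-zero bytes reproduce the log above (no IVT at the
     * authentication address); D1 00 20 41 is what a CST-signed image carries. */
    const uint8_t no_ivt[4] = { 0x00, 0x00, 0x00, 0x00 };
    const uint8_t good_ivt[4] = { 0xD1, 0x00, 0x20, 0x41 };

    if (verify_ivt_header(no_ivt))
        printf("Error: Invalid IVT structure\n");
    return verify_ivt_header(good_ivt); /* 0: header accepted */
}
```

An all-zero header fails all three checks at once, which is why the log prints all three "bad ..." lines rather than just one.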