From: Benjamin Lemouzy <blemouzy.ml@gmail.com>
To: Sean Anderson <sean.anderson@seco.com>
Cc: u-boot@lists.denx.de
Subject: Re: HABv4 with SPL and u-boot-dtb.img on i.MX6
Date: Thu, 22 Feb 2024 09:05:56 +0100 [thread overview]
Message-ID: <20240222090556.00001ea3@gmail.com> (raw)
In-Reply-To: <92a814a0-aaa5-47db-ab8f-7e799ab3e82d@seco.com>
On Tue, 20 Feb 2024 11:29:53 -0500
Sean Anderson <sean.anderson@seco.com> wrote:
> On 2/20/24 04:50, Benjamin Lemouzy wrote:
> > Using fdtdump shows that crc32 is used as hash algorithm for FIT image which is a super weak one.
> > I tried to pass another algo (sha256) using mkimage -o option but that doesn't work.
> >
> > ./tools/mkimage -f auto -A arm -T firmware -C none -O u-boot -a 0x17800000 -e 0x17800000 -p 0x0 -n "U-Boot 2024.04-rc2-00025-g9e00b6993f-dirty for mx6sabresd board" -E -b arch/arm/dts/imx6q-sabresd.dtb -b arch/arm/dts/imx6qp-sabresd.dtb -b arch/arm/dts/imx6dl-sabresd.dtb -d u-boot-nodtb.bin -o sha256 u-boot-dtb.img
> >
> > Is there any way to change U-Boot FIT image hash?
>
> I believe these options are only used for signed FIT images (e.g. for
> verified boot [1]). Since you are using an external signing process,
> they have no effect. I suggest creating your FIT manually (e.g. -f
> u-boot.its instead of -f auto). You should be able to specify the hashes
> manually that way.
Using "fdtdump -s u-boot-dtb.img" output as reference to create a u-boot.its file, I now have a u-boot.itb file with sha256 hashes.
> > I also try to use image format and force the HAB to verify the whole u-boot-dtb.img file by patching the FIT image size:
> >
> > image_size=$(stat -tc %s u-boot-dtb.img)
> > printf "00000004: %08x" "$image_size" | xxd -r - u-boot-dtb.img
> >
> > SPL starts, authentication looks fine but the boot fails.
> > Is there any chance to make it work or is it insane to try to use this format?
>
> I have always just used verified boot for U-Boot and the kernel, and
> only used vendor-specific stuff for SPL.
That indeed a good idea but CONFIG_SPL_FIT_SIGNATURE and CONFIG_SPL_DM (as dependency) take a lot of space and SPL overflows i.MX6 OCRAM.
I finally succeed to make U-Boot check with HAB work using the new u-boot.itb image with the following signature format:
------- +-----------------------------+ <-- *load_address
^ | |
| | |
| | Image data |
Signed | | |
Data | | |
| +-----------------------------+
| | Padding Next Boundary |
| +-----------------------------+ <-- *ivt
v | Image Vector Table |
------- +-----------------------------+ <-- *csf
| |
| Command Sequence File (CSF) |
| |
+-----------------------------+
| Padding (optional) |
+-----------------------------+
I don't really understand what u-boot-dtb.img file is but it doesn't work with U-Boot CONFIG_IMX_HAB.
Thanks for help!
Benjamin
prev parent reply other threads:[~2024-02-22 8:06 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-20 9:50 HABv4 with SPL and u-boot-dtb.img on i.MX6 Benjamin Lemouzy
2024-02-20 16:29 ` Sean Anderson
2024-02-22 8:05 ` Benjamin Lemouzy [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240222090556.00001ea3@gmail.com \
--to=blemouzy.ml@gmail.com \
--cc=sean.anderson@seco.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.