SK-AM62B-P1: fit signature failure

Part Number: SK-AM62B-P1

Hi Team,

Trying to boot a FIT image on an HSSE device, the following error occurred:

=> bootm 0x90000000
## Loading kernel from FIT Image at 90000000 ...
   Using 'conf-ti_k3-am625-art.dtb' configuration
   Verifying Hash Integrity ... fit_config_verify_required_keys: No signature node found: FDT_ERR_NOTFOUND
Bad Data Hash
ERROR: can't get kernel image!

Q1. Why did this error occur? I didn't sign the fitimage.

Q2. How to achieve root of trust between u-boot.img and fitimage.bin (dtb, kernel, fs)? I have gone through software-dl.ti.com/.../Foundational_Components_Kernel_Users_Guide.html. How do I get this FIT configuration file? The above-mentioned document mentions the .its file; when I add the config, it will be lost at build time, right? And when I looked into the fitImage.its file, the configuration is already added. Also attaching the conf below:

configurations {
                default = "conf-ti_k3-am625-art.dtb";
                conf-ti_k3-am625-art.dtb {
                        description = "1 Linux kernel, FDT blob, ramdisk";
                        kernel = "kernel-1";
                        fdt = "fdt-ti_k3-am625-art.dtb";
                        ramdisk = "ramdisk-1";

                        hash-1 {
                                algo = "sha512";
                        };
                        signature-1 {
                                algo = "sha512,rsa4096";
                                key-name-hint = "custMpk";
                                padding = "pkcs-1.5";
                                sign-images = "kernel", "fdt", "ramdisk";
                        };

 

regards,

-RJ

  • 1/. which SDK release is used?
    2/. Is testing on TI board or customer board?
    Best,
    -Hong

  • Hi Hong,

    1/. which SDK release is used?

    Not SDK, Yocto kirkstone

    2/. Is testing on TI board or customer board?

    TI board : SK-AM62B-P1

  • Hi Hong,

    I had gone through this already, but didn't understand how the root of trust is established between U-Boot and the FIT.

    Q1. Should I replace the custMpk.key with the key generated at the time of efuse?

  • Hi Hong,

    Thanks for the reference!

    I'm using Yocto kirkstone for the build; what I have done is attached below.

    For testing, I replaced the smpk.pem from key writer of ti/keys/custMpk.pem in my Yocto build, and

    enabled the below in the conf files:

    UBOOT_SIGN_ENABLE = "1"

    UBOOT_SIGN_KEYDIR = "..../keys"
    UBOOT_SIGN_KEYNAME = "dev"

    then built U-Boot and the fitImage,

    but still the same error occurred.

    => able to boot till U-Boot

    => bootm 0x90000000
    ## Loading kernel from FIT Image at 90000000 ...
       Using 'conf-ti_k3-am625-art.dtb' configuration
       Verifying Hash Integrity ... fit_config_verify_required_keys: No signature node found: FDT_ERR_NOTFOUND
    Bad Data Hash
    ERROR: can't get kernel image!

    attaching fitimage.its file below

    /dts-v1/;
     
    / {
            description = "Kernel fitImage ..../6.1.83+gitAUTOINC+c1c2f1971f/am62xx";
            #address-cells = <1>;
     
            images {
                    kernel-1 {
                            description = "Linux kernel";
                            data = /incbin/("linux.bin");
                            type = "kernel";
                            arch = "arm64";
                            os = "linux";
                            compression = "gzip";
                            load = <0x81000000>;
                            entry = <0x81000000>;
                            hash-1 {
                                    algo = "sha512";
                            };
                    };
                    fdt-ti_k3-am625-art.dtb {
                            description = "Flattened Device Tree blob";
                            data = /incbin/("arch/arm64/boot/dts/ti/k3-am625-art.dtb");
                            type = "flat_dt";
                            arch = "arm64";
                            compression = "none";
                            load = <0x83000000>;
                            hash-1 {
                                    algo = "sha512";
                            };
                    };
                    ramdisk-1 {
                            description = "*****-image-dev";
                            data = /incbin/("/home/................/tisdk/build/deploy-ti/images/am62xx/*****-image-dev-am62xx.cpio.xz");
                            type = "ramdisk";
                            arch = "arm64";
                            os = "linux";
                            compression = "none";
                            load = <0x84000000>;
                            entry = <0x84000000>;
                            hash-1 {
                                    algo = "sha512";
                            };
                    };
            };
     
            configurations {
                    default = "conf-ti_k3-am625-art.dtb";
                    conf-ti_k3-am625-art.dtb {
                            description = "1 Linux kernel, FDT blob, ramdisk";
                            kernel = "kernel-1";
                            fdt = "fdt-ti_k3-am625-art.dtb";
                            ramdisk = "ramdisk-1";
    
                            hash-1 {
                                    algo = "sha512";
                            };
                            signature-1 {
                                    algo = "sha512,rsa4096";
                                    key-name-hint = "dev";
                                    padding = "pkcs-1.5";
                                    sign-images = "kernel", "fdt", "ramdisk";
                            };
                    };
            };
    };

  • Let me pass your questions on Yocto to my colleague to follow up.
    Best,
    -Hong

  • RJ DJ,

    For testing, I replaced the smpk.pem from key writer of ti/keys/custMpk.pem in my Yocto build, and

    enabled the below in the conf files:

    UBOOT_SIGN_ENABLE = "1"

    UBOOT_SIGN_KEYDIR = "..../keys"
    UBOOT_SIGN_KEYNAME = "dev"

    then built U-Boot and the fitImage,

    Did you verify the timestamp of your U-Boot builds to make sure you are actually using/deploying your updated U-Boot binaries? Yocto can be tricky in this regard.

    # Build and deploy "tiboot3.bin" (and its device-specific variants)
    $ MACHINE=am62xx-evm bitbake -c deploy mc:k3r5:u-boot
    
    # Build and deploy "tispl.bin" and "u-boot.img"
    $ MACHINE=am62xx-evm bitbake -c deploy u-boot

    Regards, Andreas

  • Hi Andreas Dannenberg,

    Rebuilt both, but the same error occurred.

    Should key-name-hint be the folder name?

    Attaching the fitimage.its file below.

    Here is the key name.

    Also attaching the U-Boot log; here the signature is not listed in the blob:

    => bdinfo
    
    fdt_blob    = 0x00000000fded7840
    
    => fdt addr 0x00000000fded7840
    Working FDT set to fded7840
    
    => fdt list/signature
    / {
            model = "Texas Instruments AM625 SK";
            compatible = "ti,am625-sk", "ti,am625";
            interrupt-parent = <0x00000001>;
            #address-cells = <0x00000002>;
            #size-cells = <0x00000002>;
            chosen {
            };
            firmware {
            };
            timer-cl0-cpu0 {
            };
            pmu {
            };
            bus@f0000 {
            };
            cpus {
            };
            opp-table {
            };
            l2-cache0 {
            };
            aliases {
            };
            memory@80000000 {
            };
            reserved-memory {
            };
            regulator-0 {
            };
            regulator-1 {
            };
            regulator-2 {
            };
            regulator-3 {
            };
            regulator-4 {
            };
            leds {
            };
            panel-lvds {
            };
            binman {
            };
            __symbols__ {
            };
    };

    Am I missing something? Also, can you point out which class is appending the public key to uboot.img? I already fit image kernel class.

    -RJ
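
Added example (not part of the thread and not TI or U-Boot project code): the `fdt list` output in the last post shows no `/signature` node in U-Boot's control device tree, which is where `mkimage -K` places the public key that a FIT configuration signature is checked against, in a subnode named `key-<key-name-hint>`. The Python below walks a DTB offline and reports whether that node exists for a given hint; `build_dtb`, `parse_dtb`, `fit_key_status` and the two sample blobs are hypothetical names and constructed data.

```python
import struct

MAGIC, BEGIN, END_NODE, PROP, END = 0xD00DFEED, 1, 2, 3, 9
pad4 = lambda b: b + b"\0" * (-len(b) % 4)

def build_dtb(tree):
    """Constructed-sample helper: serialise {name: str | dict} into a minimal DTB."""
    strs = bytearray()
    def emit(name, node):
        out = struct.pack(">I", BEGIN) + pad4(name.encode() + b"\0")
        for k, v in node.items():                      # properties must precede subnodes
            if isinstance(v, str):
                out += struct.pack(">3I", PROP, len(v) + 1, len(strs)) + pad4(v.encode() + b"\0")
                strs.extend(k.encode() + b"\0")
        out += b"".join(emit(k, v) for k, v in node.items() if isinstance(v, dict))
        return out + struct.pack(">I", END_NODE)
    body = emit("", tree) + struct.pack(">I", END)     # 40-byte header + 16-byte reserve map
    sizes = (56 + len(body) + len(strs), 56, 56 + len(body), 40, 17, 16, 0, len(strs), len(body))
    return struct.pack(">10I", MAGIC, *sizes) + b"\0" * 16 + body + bytes(strs)

def parse_dtb(dtb):
    """Return {"/path": {prop: bytes}} for every node of a flattened device tree."""
    magic, _, off_struct, off_str = struct.unpack_from(">4I", dtb)
    if magic != MAGIC:
        raise ValueError("not a flattened device tree")
    pos, path, nodes = off_struct, [], {}
    while True:                                        # FDT_NOP (4) needs no handling
        tok, pos = struct.unpack_from(">I", dtb, pos)[0], pos + 4
        if tok == BEGIN:
            path.append(dtb[pos:dtb.index(b"\0", pos)].decode())
            nodes["/".join(path) or "/"] = {}
            pos += (len(path[-1]) + 4) & ~3            # name + NUL, padded to 4 bytes
        elif tok == END_NODE:
            path.pop()
        elif tok == PROP:
            length, nameoff = struct.unpack_from(">2I", dtb, pos)
            name = dtb[off_str + nameoff:dtb.index(b"\0", off_str + nameoff)].decode()
            nodes["/".join(path) or "/"][name] = dtb[pos + 8:pos + 8 + length]
            pos += 8 + ((length + 3) & ~3)
        elif tok == END:
            return nodes

def fit_key_status(dtb, hint):
    """Report whether the control DTB holds the key a FIT's key-name-hint refers to."""
    nodes, path = parse_dtb(dtb), "/signature/key-" + hint
    if path not in nodes:
        return "no /signature node" if "/signature" not in nodes else "no key-" + hint + " node"
    return "required=" + nodes[path].get("required", b"").rstrip(b"\0").decode()

BARE = build_dtb({"model": "Texas Instruments AM625 SK", "chosen": {}})   # constructed: no key
KEYED = build_dtb({"signature": {"key-dev": {"required": "conf"}}})        # constructed: key-dev
```

To check a real build, pass the bytes of the control DTB produced by the U-Boot build together with the `key-name-hint` from the `.its` (here `dev`).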