Part Number: AM623
We previously developed our system based on SDK 09.00.00.03 and are now migrating to the latest SDK 12.00.00.07.04. But we are still using the U-Boot and Linux versions from SDK 09.00.00.03.
Secure Boot worked correctly with the previous system. However, after upgrading to the new SDK, Secure Boot fails when loading the fitImage during boot, with the following error. Based on our initial analysis, it appears that the issue may be related to how U-Boot signs the Linux fitImage.
Could you please help us look into this issue and advise where we should start debugging or tracing the problem? Thank you.
Are there any specific differences or points to note when configuring U-Boot to compile a fitImage between SDK 09.00.00.03 and SDK 12.00.00.07.04?
U-Boot 2023.04-ti-g (Jun 25 2026 - 05:40:36 +0000)
SoC: AM62X SR1.0 HS-SE
Model: Texas Instruments AM625 SK
DRAM: 1 GiB
Core: 75 devices, 29 uclasses, devicetree: separate
MMC: mmc@fa10000: 0, mmc@fa00000: 1
Loading Environment from MMC... *** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
Net: eth0: ethernet@8000000port@1, eth1: ethernet@8000000port@2
Hit any key to stop autoboot: 0
gpio: pin gpio@601000_48 (gpio 164) value is 0
SD found on device 1
emmc_flashing_flag exist, begin to flash emmc
Erasing Environment on MMC...
1024 blocks erased at 0x20000: OK
OK
574 bytes read in 15 ms (37.1 KiB/s)
Loaded env from uEnv.txt
Importing environment from mmc1 ...
8454074 bytes read in 370 ms (21.8 MiB/s)
name_fit_config=conf-ti_k3-am625-customer.dtb
## Loading kernel from FIT Image at 90000000 ...
Using 'conf-ti_k3-am625-customer.dtb' configuration
Verifying Hash Integrity ... fit_config_verify_required_keys: No signature node found: FDT_ERR_NOTFOUND
Bad Data Hash
ERROR: can't get kernel image!
=> bdinfo
boot_params = 0x0000000000000000
DRAM bank = 0x0000000000000000
-> start = 0x0000000080000000
-> size = 0x0000000040000000
flashstart = 0x0000000000000000
flashsize = 0x0000000000000000
flashoffset = 0x0000000000000000
baudrate = 115200 bps
relocaddr = 0x00000000bfeec000
reloc off = 0x000000003f6ec000
Build = 64-bit
current eth = ethernet@8000000port@1
ethaddr = 28:b5:e8:dd:2f:00
IP addr = <NULL>
fdt_blob = 0x00000000bde9c3c0
new_fdt = 0x00000000bde9c3c0
fdt_size = 0x000000000000f9c0
multi_dtb_fit= 0x0000000000000000
lmb_dump_all:
memory.cnt = 0x1
memory[0] [0x80000000-0xbfffffff], 0x40000000 bytes flags: 0
reserved.cnt = 0x7
reserved[0] [0x87f00000-0x87f12fff], 0x00013000 bytes flags: 0
reserved[1] [0x9ca00000-0x9cafffff], 0x00100000 bytes flags: 0
reserved[2] [0x9cb00000-0x9e6fffff], 0x01c00000 bytes flags: 4
reserved[3] [0x9cb00000-0x9e6fffff], 0x01c00000 bytes flags: 4
reserved[4] [0x9e780000-0x9fffffff], 0x01880000 bytes flags: 4
reserved[5] [0xbce6b000-0xbfffffff], 0x03195000 bytes flags: 0
reserved[6] [0xbde969e0-0xbfffffff], 0x02169620 bytes flags: 0
devicetree = separate
arch_number = 0x0000000000000000
TLB addr = 0x00000000bfff0000
irq_sp = 0x00000000bde9aff0
sp start = 0x00000000bde9aff0
Early malloc usage: 3b88 / 8000
=> fdt addr 0x00000000bde9c3c0
Working FDT set to bde9c3c0
=> fdt list /signature
libfdt fdt_path_offset() returned FDT_ERR_NOTFOUND
=> fdt list /signature
libfdt fdt_path_offset() returned FDT_ERR_NOTFOUND
=> run get_fit_mmc
8454066 bytes read in 111 ms (72.6 MiB/s)
=> bootm 0x90000000
## Loading kernel from FIT Image at 90000000 ...
Using 'conf-ti_k3-am625-customer.dtb' configuration
Verifying Hash Integrity ... fit_config_verify_required_keys: No signature node found: FDT_ERR_NOTFOUND
Bad Data Hash
ERROR: can't get kernel image!
=> iminfo 0x90000000
## Checking Image at 90000000 ...
FIT image found
FIT description: Kernel fitImage for Arago/6.1/am62xx-evm
Image 0 (kernel-1)
Description: Linux kernel
Type: Kernel Image
Compression: gzip compressed
Data Start: 0x900000dc
Data Size: 8308570 Bytes = 7.9 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x81000000
Entry Point: 0x81000000
Hash algo: sha512
Hash value: 4a55fc29f10509a4de0589c1d0890f99571d09697917b4b4bcca7757c1947f3f0d613fb7b89f817db82a4ba8f4aa4c60c2397235a6eb445c031dfaaf0fb121fa
Image 1 (fdt-ti_k3-am625-customer.dtb)
Description: Flattened Device Tree blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x907ec970
Data Size: 53997 Bytes = 52.7 KiB
Architecture: AArch64
Load Address: 0x83000000
Hash algo: sha512
Hash value: 72f65007757ba30f981699ab546830b4a7f7748a2a9906bb09143558505f41ed81de24f9722f568d14a32c9c2eb87e4c4e7df0fcffab61880390e38bb6a5d804
Default Configuration: 'conf-ti_k3-am625-customer.dtb'
Configuration 0 (conf-ti_k3-am625-customer.dtb)
Description: 1 Linux kernel, FDT blob
Kernel: kernel-1
FDT: fdt-ti_k3-am625-customer.dtb
Hash algo: sha512
Hash value: unavailable
Sign algo: sha512,rsa4096:custMpk
Sign padding: pkcs-1.5
Sign value: 2dd032571d17ee890c626a83b43b5be17c3e82bfe4ef55441a0cbad172d4d965a8647e5e55eb9ce2a3c6fc42aea1ec9f6bc776818eee9ce2dd31d462f7ce3ce2d7eff8340d339f0582059207a01b364663143909801d666819f0b4d66773d765903bc9d212c7c01ff55ee4a4ebda87a51ab6a4a5498b1ddadff962160beff2a7b1075cdd56060f9b16c827125cc8757ab0a99096b0d34d84d350a38055bd944a9a3cfa8be76511338eaea46bfe63e9c47039c6cc5797e5dde79a16102bcc3640f37422f5403c786488d1926940aa2bdbcb8e11f28c0afed3623730199d91ba4557348709e4ee841e1a6c296e348c31bb739006b4464ee505ee5a0727932b04e1c3129e12ab39c81001fea3793e225a67da4594cc2010c987dc0ec2f9e01f63632b5b5dba9788b758e1fc59abd46dc79b325737c5cac8c1bad2557a6b37b3ef66bbc35376beb01aabaa5b587e8d0659a8c38cd2731d8bddc6b65993de178eb6fa29b558b1f645c877f4c96085bac43fb5c2451ca9c8b42662c15e803516e34932d716264a61eb162769d276f330bf03fb5160022986aaea8fd0c08ca8e542e47cf07436368204e0f7682ea7e12b383b5c87c7662b95db3da257bc6ecfbcf4a1f513c930ae9a697268a2886a1f046b0e22ddf82094d90c29cd6cfb1b78a5dcd77af0da546c166122505b76293f1a8143dcd9f0492e27b94f1e7c8224dc2bf52092
## Checking hash(es) for FIT Image at 90000000 ...
Hash(es) for Image 0 (kernel-1): sha512+
Hash(es) for Image 1 (fdt-ti_k3-am625-customer.dtb): sha512+
