I wanted to enable Secure Boot with Trustfence. With singed images and without any encrypted images. It fails.
INHERIT += “trustfence”
TRUSTFENCE_SIGN = “1”
TRUSTFENCE_ENCRYPT_ENVIRONMENT = “0”
TRUSTFENCE_INITRAMFS_IMAGE = “”
- signed u-boot.imx
=> update uboot tftp u-boot.imx
reset the device and trustfence status OK.
=> tftp $loadaddr SRK_efuses.bin
=> trustfence prog_srk $loadaddr $filesize
=> trustfence close
U-Boot starts up…
=> update linux tftp my-image-signed.boot.ubifs
=> update rootfs tftp my-image-signed.rootfs.ubifs
U-Boot starts up:
Authenticating image from DDR location 0x80800000… FAILED!
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
--------- HAB Event 1 -----------------
0xdb 0x00 0x14 0x42 0x33 0x06 0xc0 0x00
0xbe 0x00 0x0c 0x01 0xbb 0x00 0x00 0x00
0x80 0x7f 0xff 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_COMMAND (0x06)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
Has anyone an advice?
You need to program a signed U-Boot before closing the device. Check the big warning in the ‘Close the device’ section:
Are you using an encrypted U-Boot? you can check the output of “trustfence status” to see if an encrypted U-Boot is being used.
The most common causes for that HAB event are:
- The customer is trying to use encrypted kernel/DTB/bootscript with a signed-only (not-encrypted) U-Boot. Solution: Customer needs to flash an encrypted U-Boot file (using the trustfence update command, as documented)
- The customer has changed the key index used but has updated only some artifacts (U-Boot updated but DTB/kernel/bootscript not updated, or the other way around). Solution: to ensure the same key is used, execute:
bitbake -c cleansstate u-boot linux-dey dey-image-qt core-image-base
and re-flash all artifacts (including U-Boot)
Thank you for your answer. I appreciate that.
Yes, I have still a singed U-Boot stored.
Unfortunately I cannot update the encrypted U-Boot with the trustfence update command. It stops update after a while with “Error loading firmware file to RAM”.
Thanks for your advice.
I fixed it. The tftp server and the IPs didn’t correspond correctly.
Now I could update the encrypted uboot and now the system starts with the secure-boot.