Why fails authenticating image?

hellsmoke · December 3, 2019, 10:43am

Hi

I wanted to enable Secure Boot with Trustfence. With singed images and without any encrypted images. It fails.

Local.conf
INHERIT += “trustfence”
TRUSTFENCE_SIGN = “1”
TRUSTFENCE_ENCRYPT_ENVIRONMENT = “0”
TRUSTFENCE_INITRAMFS_IMAGE = “”

bitbake did:

signed u-boot.imx
SRK_efuses.bin
my-image-signed.boot.ubifs
my-image-signed.rootfs.ubifs

I did:
=> update uboot tftp u-boot.imx
reset the device and trustfence status OK.

=> tftp $loadaddr SRK_efuses.bin
=> trustfence prog_srk $loadaddr $filesize
=> trustfence close
=> reset

U-Boot starts up…

=> update linux tftp my-image-signed.boot.ubifs
=> update rootfs tftp my-image-signed.rootfs.ubifs

=> reset

U-Boot starts up:
…
Done
Authenticating image from DDR location 0x80800000… FAILED!

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x06 0xc0 0x00
0xbe 0x00 0x0c 0x01 0xbb 0x00 0x00 0x00
0x80 0x7f 0xff 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_COMMAND (0x06)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

=>

Has anyone an advice?

Regards
Michael

LeonidM · December 4, 2019, 10:27am

You need to program a signed U-Boot before closing the device. Check the big warning in the ‘Close the device’ section:
https://www.digi.com/resources/documentation/digidocs/embedded/dey/2.6/cc6ul/yocto-trustfence_t_secure-boot-set-up

Are you using an encrypted U-Boot? you can check the output of “trustfence status” to see if an encrypted U-Boot is being used.

The most common causes for that HAB event are:

The customer is trying to use encrypted kernel/DTB/bootscript with a signed-only (not-encrypted) U-Boot. Solution: Customer needs to flash an encrypted U-Boot file (using the trustfence update command, as documented)
The customer has changed the key index used but has updated only some artifacts (U-Boot updated but DTB/kernel/bootscript not updated, or the other way around). Solution: to ensure the same key is used, execute:

bitbake -c cleansstate u-boot linux-dey dey-image-qt core-image-base
bitbake core-image-base/dey-image-qt
and re-flash all artifacts (including U-Boot)

hellsmoke · December 5, 2019, 11:25am

Hi

Thank you for your answer. I appreciate that.

Yes, I have still a singed U-Boot stored.

Unfortunately I cannot update the encrypted U-Boot with the trustfence update command. It stops update after a while with “Error loading firmware file to RAM”.

Thanks for your advice.

Regards
Michael

hellsmoke · December 5, 2019, 11:25am

Hi

I fixed it. The tftp server and the IPs didn’t correspond correctly.

Now I could update the encrypted uboot and now the system starts with the secure-boot.

Regards
Michael

Topic		Replies	Views
Secure boot - building image by enabling trustfence-cst Linux firmware-update , security , yocto , trustfence	1	330	March 31, 2020
How can I verify Rootfs from U-Boot? Linux boot , secure , hab	3	557	December 11, 2019
Bad data CRC after enabled trustfence Linux bitbake , ccimx6ul , trustfence	3	377	July 22, 2020
Trustfence unpack failure Linux yocoto , trustfence	3	413	March 31, 2020
Set up secure boot Linux linux , ccimx6ul	5	319	July 1, 2021

Why fails authenticating image?

Related Topics