Secure boot on i.MX8MP
Hello, I want to secure boot my customized i.MX8MP SoC using the Yocto Project. I have added the meta-secure-imx layer to bblayers. I have inherited the class in my U-Boot bbappend recipe. I have also added CONFIG_HAB_IMX in my defconfig. I also added this in U-Boot:
HAB Settings
HAB_ENABLE= "1"
HAB_DIR = "${BSPDIR}/cst-3.3.2"
SRKTAB = "${HAB_DIR}/crts/SRK_1_2_3_4_table.bin"
CSFK = "${HAB_DIR}/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
SIGN_CERT = "${HAB_DIR}/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"

Using the CST-3.3.2 tool I have created all the keys. After I build U-Boot I get the following error:
bitbake u-boot-imx
Loading cache: 100% |##########################################################| Time: 0:00:01
Loaded 5137 entries from dependency cache.
Parsing recipes: 100% |########################################################| Time: 0:00:01
Parsing of 3526 .bb files complete (3525 cached, 1 parsed). 5138 targets, 557 skipped, 1 masked, 0 errors.
NOTE: Resolving any missing task queue dependencies
Build Configuration:
BB_VERSION = "1.48.0"
BUILD_SYS = "x86_64-linux"
NATIVELSBSTRING = "ubuntu-18.04"
TARGET_SYS = "aarch64-poky-linux"
MACHINE = "taswp500"
DISTRO = "fsl-imx-xwayland"
DISTRO_VERSION = "5.10-gatesgarth"
TUNE_FEATURES = "aarch64 armv8a crc cortexa53 crypto"
TARGET_FPU = ""
meta
meta-poky = "HEAD:943ef2fad8428f002850e3655a3312e13d0dcb2c"
meta-oe
meta-multimedia
meta-python = "HEAD:ac4ccd2fbbb599d75ca4051911fcbaca39dbe6d7"
meta-freescale = "HEAD:668ba2168b7574d7ef1af364f11025c7d16f02dc"
meta-freescale-3rdparty = "HEAD:b85d08a55cb833bfc4e8b5034ff804286c67620e"
meta-freescale-distro = "HEAD:11be3f01962df8436c5c7b0d61cd3dbd1b872905"
meta-tas = "HEAD:53ebf59b74cfd7618f0308e3e15a7c864f9748e8"
meta-bsp
meta-sdk
meta-ml = "HEAD:f26acd2ade40e1c075aa48f52927180056b440c4"
meta-nxp-demo-experience = "HEAD:67086a771dc58b53c6bb0c53ce1c718852753678"
meta-browser = "HEAD:ee3be3b5986a4aa0e73df2204a625ae1fe5df37e"
meta-rust = "HEAD:53bfa324891966a2daf5d36dc13d4a43725aebed"
meta-clang = "HEAD:61faae011fb95712064f2c58abe6293f0daeeab5"
meta-gnome
meta-networking
meta-filesystems = "HEAD:ac4ccd2fbbb599d75ca4051911fcbaca39dbe6d7"
meta-qt5 = "HEAD:8d5672cc6ca327576a814d35dfb5d59ab24043cb"
meta-python2 = "HEAD:c43c29e57f16af4e77441b201855321fbd546661"
meta-swupdate = "HEAD:744d6b96fc0290a7df9045e60c734c4924abfd4a"
meta-virtualization = "HEAD:9fe997733d9bad4ac24dfb41e91a0e06b9e82791"
meta-java = "HEAD:984f25b6deb5fe4acf82d51c04b2c1392a542723"
meta-se05x-tas = "HEAD:ac68b7b35d7136881912eb7a6b4d01d06e422acc"
meta-secure-imx = "dunfell:20d409a5"
Initialising tasks: 100% |#####################################################| Time: 0:00:00
Sstate summary: Wanted 8 Found 0 Missed 8 Current 162 (0% match, 95% complete)
NOTE: Executing Tasks
ERROR: u-boot-imx-1_2020.04-r0 do_sign_uboot: Execution of '/media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280' failed with exit code 1:
+++ fdtget /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/git/taswp500_4g_boot_defconfig/u-boot.itb /images/atf load
Couldn't open blob from '/media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/git/taswp500_4g_boot_defconfig/u-boot.itb': No such file or directory
++ val=
WARNING: /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280:416 exit 1 from 'atf_loadaddr=$(fit_get_loadaddr ${bd}/u-boot.itb "atf")'
WARNING: Backtrace (BB generated script):
#1: get_atf_loadaddr, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 416
#2: set_variables, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 308
#3: sign_uboot_common, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 169
#4: do_sign_uboot, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 152
#5: main, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 601

Backtrace (metadata-relative locations):
#1: get_atf_loadaddr, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 71
#2: set_variables, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 109
#3: sign_uboot_common, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 542
#4: do_sign_uboot, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 561
ERROR: Logfile of failure stored in: /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/log.do_sign_uboot.8280
Log data follows:
| DEBUG: Executing shell function do_sign_uboot
| +++ fdtget /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/git/taswp500_4g_boot_defconfig/u-boot.itb /images/atf load
| Couldn't open blob from '/media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/git/taswp500_4g_boot_defconfig/u-boot.itb': No such file or directory
| ++ val=
| WARNING: /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280:416 exit 1 from 'atf_loadaddr=$(fit_get_loadaddr ${bd}/u-boot.itb "atf")'
| WARNING: Backtrace (BB generated script):
| #1: get_atf_loadaddr, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 416
| #2: set_variables, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 308
| #3: sign_uboot_common, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 169
| #4: do_sign_uboot, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 152
| #5: main, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 601
| ERROR: Execution of '/media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280' failed with exit code 1:
| +++ fdtget /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/git/taswp500_4g_boot_defconfig/u-boot.itb /images/atf load
| Couldn't open blob from '/media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/git/taswp500_4g_boot_defconfig/u-boot.itb': No such file or directory
| ++ val=
| WARNING: /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280:416 exit 1 from 'atf_loadaddr=$(fit_get_loadaddr ${bd}/u-boot.itb "atf")'
| WARNING: Backtrace (BB generated script):
| #1: get_atf_loadaddr, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 416
| #2: set_variables, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 308
| #3: sign_uboot_common, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 169
| #4: do_sign_uboot, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 152
| #5: main, /media/tas/NewVolume2/Projects/taswp500-yocto/build_folder/tmp/work/taswp500-poky-linux/u-boot-imx/1_2020.04-r0/temp/run.do_sign_uboot.8280, line 601
|
| Backtrace (metadata-relative locations):
| #1: get_atf_loadaddr, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 71
| #2: set_variables, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 109
| #3: sign_uboot_common, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 542
| #4: do_sign_uboot, /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-secure-imx/classes/uboot-hab-sign.bbclass, line 561
ERROR: Task (/media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-myir/meta-bsp/recipes-bsp/u-boot/u-boot-imx_2020.04.bb:do_sign_uboot) failed with exit code '1'
NOTE: Tasks Summary: Attempted 692 tasks of which 682 didn't need to be rerun and 1 failed.
NOTE: Writing buildhistory
NOTE: Writing buildhistory took: 3 seconds

Summary: 1 task failed:
  /media/tas/NewVolume2/Projects/taswp500-yocto/sources/meta-myir/meta-bsp/recipes-bsp/u-boot/u-boot-imx_2020.04.bb:do_sign_uboot
Summary: There was 1 ERROR message shown, returning a non-zero exit code.
It seems that it cannot find u-boot.itb. How can I generate this file?
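An added example, not part of the original post and not code from meta-secure-imx: a pre-flight check to run before the signing step, which reports every missing HAB signing input in one pass and separates "the FIT image was never built" from "the FIT image has no /images/atf load property". The function names `hab_preflight` and `atf_loadaddr` are hypothetical; the file names come from the HAB settings in the post, and the `fdtget` call is the one shown in the log.

```shell
#!/bin/sh
# hab_preflight BUILD_DIR HAB_DIR   (hypothetical helper, added example)
#   BUILD_DIR: U-Boot build directory that the signing task expects to hold u-boot.itb
#   HAB_DIR:   CST directory; crts/ below it holds the SRK table and the certificates
# Prints one "MISSING <path>" line per absent or empty input and
# returns the number of missing inputs (0 means all four are present).
hab_preflight() {
    bd=$1
    hab=$2
    missing=0
    for f in \
        "$bd/u-boot.itb" \
        "$hab/crts/SRK_1_2_3_4_table.bin" \
        "$hab/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem" \
        "$hab/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
    do
        if [ ! -s "$f" ]; then
            echo "MISSING $f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# atf_loadaddr FIT   (hypothetical helper, added example)
# Runs the same lookup as the failing task (fdtget FIT /images/atf load),
# but with a distinct exit code per failure cause:
#   2 = FIT image not present, 3 = fdtget not installed,
#   4 = FIT image present but /images/atf has no readable load property
atf_loadaddr() {
    fit=$1
    [ -f "$fit" ] || { echo "no FIT image at $fit" >&2; return 2; }
    command -v fdtget >/dev/null 2>&1 || { echo "fdtget not in PATH" >&2; return 3; }
    val=$(fdtget "$fit" /images/atf load 2>/dev/null) || return 4
    [ -n "$val" ] || return 4
    echo "$val"
}
```

Called with the build directory from the log and the `HAB_DIR` value from the post, a return of 1 with only the `u-boot.itb` line printed matches the failure shown above: the key material is in place and the FIT image is the single missing input.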