AspeedTech-BMC / socsec


secure boot failed in Ast2600 A3 #20

Open ReyhaneSaljooghi opened 2 weeks ago

ReyhaneSaljooghi commented 2 weeks ago

I wanted to enable secure boot on my A3 AST2600 evaluation board. I configured OTP and then set otpstrap[0] to 1. When I tried rebooting in order to enable secure boot, the UART console only printed "BSA3V", which means that booting from SPI flash failed and the system is trying to boot from VUART; the boot failure is caused by the failure of the secure boot procedure. I looked at the evbA3_rsa4096_sha512.json file, which creates the otp-all image, and it had some comments, which are not allowed in JSON. Is that the problem? Can you help me with this? My board is unreachable right now and I can't disable OTP.

I entered these commands in U-Boot:

    tftp 83000000 evbA3_RSA4096_SHA512-otp-all.image
    otp prog 83000000
    otp pb strap 0 1

Then secure boot was enabled, and since then the UART only prints BSA3V.

Neal-liu commented 2 weeks ago

Have you tried our SDK package? If not, please check this: https://github.com/AspeedTech-BMC/openbmc/releases

Before programming the OTP and firmware images, you can try the socsec verify command to check the validity of the combination. If you have any further questions about the SDK, please e-mail the Aspeed contact window. Thanks.

ReyhaneSaljooghi commented 1 week ago

Thanks for your recommendation. I checked the SDK user guide for version 9.01 and it only says there are three steps:

  1. program the OTP image in OTP memory using these commands (using the TFTP server):

         ast# tftp 83000000 evbA3_RSA4096_SHA512-otp-all.image
         ast# otp prog 83000000

  2. program the image-bmc on the SPI flash
  3. enable secure boot

I said in my last comment how I enabled secure boot, which is by toggling OTPSTRAP[0]. I verified my image-bmc, and here is the result:

socsec verify --sec_image /home/my_name/Downloads/image-bmc-1 --otp_image /home/my_name/Downloads/evbA3_RSA4096_SHA512-otp-all.image

Algorithm: RSA_SHA

RSA length: 4096

HASH length: 512

check RoT header PASS

Verify key ...

Key Type: OEM DSS RSA public keys

ID: 1

E:

00000000: 01 00 01 ...

check RoT integrity PASS

I programmed this image on my boot SPI flash, and when I try to boot, it only prints "BSAV3". Can you please give information on how I can recover my board, or are there any ways to disable secure boot?
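
The pre-flight check recommended earlier in this thread (run `socsec verify` on the image pair before touching OTP), written as a gate script. This is an added example, not part of the thread or the socsec project; the function names, treating a non-zero exit status as failure, and the shortened sample outputs are assumptions of the example.

```shell
#!/bin/sh
# Added example: gate OTP programming on `socsec verify` output.
# The two PASS lines are the ones shown in the verify output in this thread;
# treating their absence as failure is this example's assumption.

# rot_checks_pass: read verify output on stdin; succeed only if both
# RoT checks report PASS.
rot_checks_pass() {
    out=$(tr -d '\r')
    printf '%s\n' "$out" |
        grep -q '^[[:space:]]*check RoT header PASS[[:space:]]*$' || return 1
    printf '%s\n' "$out" |
        grep -q '^[[:space:]]*check RoT integrity PASS[[:space:]]*$' || return 1
    return 0
}

# preflight SEC_IMAGE OTP_IMAGE: verify the exact pair of files that will be
# programmed, then print their digests so the bring-up log records which
# files were checked.
preflight() {
    sec_image=$1
    otp_image=$2
    [ -r "$sec_image" ] && [ -r "$otp_image" ] || {
        echo "image file missing or unreadable" >&2; return 2; }
    out=$(socsec verify --sec_image "$sec_image" --otp_image "$otp_image" 2>&1) || {
        echo "socsec verify exited non-zero; do not program OTP" >&2; return 1; }
    printf '%s\n' "$out" | rot_checks_pass || {
        echo "RoT checks did not both PASS; do not program OTP" >&2; return 1; }
    sha256sum "$sec_image" "$otp_image"
}

# Constructed sample outputs (key dump omitted) for exercising the parser.
SAMPLE_OK='Algorithm: RSA_SHA
RSA length: 4096
HASH length: 512
check RoT header PASS
Verify key ...
check RoT integrity PASS'
SAMPLE_BAD='Algorithm: RSA_SHA
check RoT header PASS
Verify key ...'

# Run as: sh preflight.sh image-bmc evbA3_RSA4096_SHA512-otp-all.image
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

In this thread both checks reported PASS and the poster's board still did not boot, so treat the gate as a minimum bar before `otp prog`, not as proof that the board will boot.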

Neal-liu commented 1 week ago

Please send your image-bmc and evbA3_RSA4096_SHA512-otp-all.image to my contact mail (neal_liu@aspeedtech.com).

You cannot disable OTPSTRAP[0] if you cannot secure boot successfully.

ReyhaneSaljooghi commented 1 week ago

I’ve emailed the requested images (image-bmc and evbA3_RSA4096_SHA512-otp-all.image) to your address. Thank you for taking the time to help resolve my issue.