siemens / meta-iot2050

SIMATIC IOT2050 Isar/Debian Board Support Package
MIT License

secure-boot image not booting in iot2050 PG2 Advanced. #542

Open rakeshk7097 opened 2 months ago

rakeshk7097 commented 2 months ago

Hi team,

I am using the IOT2050 PG2 Advanced board and trying to boot the secure boot image (iot2050-image-swu-example-iot2050-debian-iot2050.wci) on it.

I have used the below commands to generate the signed image.

  1. Using the below command to generate the signed firmware image: ./kas-container build kas-iot2050-boot.yml:kas/opt/secure-boot.yml:kas/opt/otpcmd/key-provision.yml

  2. Using the below command to generate the signed UKI image: ./kas-container build kas-iot2050-swupdate.yml:kas/opt/secure-boot.yml

Currently I am using the default key, which is stored in the below location: meta-iot2050/recipes-devtools/secure-boot-secrets/files/

I have flashed the signed firmware image and am now trying to boot the flashed wic image from USB, and I am getting the below error at boot time.

Begin: Loading essential drivers ... done.
Begin: Running /scripts/init-premount ... done.
Begin:   ... Begin: Running /scripts/local-top ... Device /dev/mmcblk1p4 is not a valid VERITY device.
Device /dev/sda4 is not a valid VERITY device.
Device /dev/sda7 is not a valid VERITY device.
Device /dev/sda6 is not a valid VERITY device.
Begin: Waiting for IMAGE_UUID= ... [   11.503342] random: crng init done
[   21.423475] sd 0:0:0:0: [sda] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s
[   21.423540] usb 3-1.1: USB disconnect, device number 4
[   21.433092] sd 0:0:0:0: [sda] tag#0 CDB: opcode=0x28 28 00 00 00 28 00 00 00 08 00
[   21.433105] I/O error, dev sda, sector 10240 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2
[   21.454973] device offline error, dev sda, sector 10240 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2
[   21.464929] Buffer I/O error on dev sda1, logical block 1024, async page read

done.
Device  does not exist or access denied.
Can't open verity rootfs - continuing will lead to a broken trust chain!
Rebooting automatically due to panic= boot argument

Attached the full boot log file. meta-iot2050_boot_log.txt

Please give any suggestions on this error.

sbobade commented 2 months ago

@BaochengSu please review the secure boot logs and advise if there are any updates we can follow. Thanks.

huaqianli commented 2 months ago

@rakeshk7097 it appears there's been a misunderstanding. We utilize eMMC RPMB for UEFI key storage, so the secure boot path you've followed seems incorrect. Here are the correct steps:

  1. Prepare the UEFI key authenticated data, ensuring it's associated with the owner GUID.
  2. Enroll the UEFI keys.
  3. Flash the signed firmware to the flash and flash the image to the eMMC.
  4. Reboot the system. This will enable secure boot.

In your case, you've flashed the image onto a USB disk instead of the eMMC. This doesn't align with the trust chain requirements. Please follow the steps above to ensure a secure boot process.

For more details, please refer to the secure boot manual: IOT2050_Secure_Boot_en.pdf - IOT2050 Secure Boot Example Implementation.

rakeshk7097 commented 2 months ago

Hi @huaqianli , thanks for your response.

Now we have flashed the wic image onto an SD card and booted the device with mmc0, but unfortunately we are getting an issue while booting. Attached the boot log. fail.txt

It looks like it's not able to get the rootfs partition's UUID, which we are giving in the wic file as

part --source rawcopy --sourceparams "file=${IMAGE_FULLNAME}.verity" --align 1024 --fixed-size 4G --uuid "${ABROOTFS_PART_UUID_A}"
part --source empty --align 1024 --fixed-size 4G --uuid "${ABROOTFS_PART_UUID_B}"

If I am not wrong, .verity will be treated as rootfs to boot. Here ABROOTFS_PART_UUID_A is assigned in

conf/distro/iot2050-debian.conf

ABROOTFS_PART_UUID_A ?= "fedcba98-7654-3210-cafe-5e0710000001"

Should this ABROOTFS_PART_UUID_A value, which seems to be the UUID of the rootfs, be equal to the UUID that is generated in image.verity.env?

/build/tmp/deploy/images/iot2050$ cat iot2050-image-swu-example-iot2050-debian-iot2050.verity.env
UUID=81fffc2e-86d7-41bb-8ecc-c9abb8704725
HASH_TYPE=1
DATA_BLOCKS=745260
DATA_BLOCK_SIZE=1024
HASH_BLOCKS=24042
HASH_BLOCK_SIZE=1024
HASH_ALGORITHM=sha256
SALT=e8874e91e63aed90f2e080a9a0bfc4d12782ea3830cefdcbd2f70fb2a7faea08
ROOT_HASH=2d77c3e6938b38a4ecb9983af23ed779356314c402545fe3444b0a6b11cbbf32
HASH_OFFSET=763146240

Could you please give your inputs on these?
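
An added example, not code from any participant in this thread or from the meta-iot2050 project: a Python check that the `.verity.env` values quoted above describe a layout that fits the 4G slot declared in the wic `part` line. The function names are hypothetical, the end offset assumes the superblock takes one hash block after HASH_OFFSET, and the check does not compare the verity UUID with ABROOTFS_PART_UUID_A.

```python
import hashlib

# Values copied from the .verity.env output quoted in the comment above.
SAMPLE_ENV = """\
UUID=81fffc2e-86d7-41bb-8ecc-c9abb8704725
HASH_TYPE=1
DATA_BLOCKS=745260
DATA_BLOCK_SIZE=1024
HASH_BLOCKS=24042
HASH_BLOCK_SIZE=1024
HASH_ALGORITHM=sha256
SALT=e8874e91e63aed90f2e080a9a0bfc4d12782ea3830cefdcbd2f70fb2a7faea08
ROOT_HASH=2d77c3e6938b38a4ecb9983af23ed779356314c402545fe3444b0a6b11cbbf32
HASH_OFFSET=763146240
"""
SLOT_BYTES = 4 * 1024**3  # "--fixed-size 4G" from the wic part line

def parse_env(text):
    """Parse KEY=VALUE lines into a dict, rejecting malformed lines."""
    fields = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"not KEY=VALUE: {line!r}")
        fields[key] = value
    return fields

def image_end(fields):
    """Estimated end offset (assumption: superblock takes one hash block)."""
    hash_bytes = (int(fields["HASH_BLOCKS"]) + 1) * int(fields["HASH_BLOCK_SIZE"])
    return int(fields["HASH_OFFSET"]) + hash_bytes

def check_verity_env(fields, slot_bytes=SLOT_BYTES):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    data_bytes = int(fields["DATA_BLOCKS"]) * int(fields["DATA_BLOCK_SIZE"])
    if int(fields["HASH_OFFSET"]) < data_bytes:
        problems.append("hash area overlaps the data area")
    if image_end(fields) > slot_bytes:
        problems.append("verity image does not fit the partition slot")
    hex_len = hashlib.new(fields["HASH_ALGORITHM"]).digest_size * 2
    root = fields["ROOT_HASH"].lower()
    if len(root) != hex_len or not set(root) <= set("0123456789abcdef"):
        problems.append("ROOT_HASH is not a valid digest for HASH_ALGORITHM")
    return problems

print(check_verity_env(parse_env(SAMPLE_ENV)) or "layout consistent")
```
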

huaqianli commented 2 months ago

@rakeshk7097 Sorry, I couldn't understand your problem completely without the picture that you have done. Since you were following the old version of the secure boot documentation, perhaps it would be beneficial to revisit the issue after obtaining the latest documentation release.

sbobade commented 2 months ago

@huaqianli Sure, no problem. We will wait for the new document to be available for use.