
Why fails authenticating image?

0 votes
Hi

I wanted to enable Secure Boot with Trustfence. With signed images and without any encrypted images. It fails.

Local.conf
INHERIT += "trustfence"
TRUSTFENCE_SIGN = "1"
TRUSTFENCE_ENCRYPT_ENVIRONMENT = "0"
TRUSTFENCE_INITRAMFS_IMAGE = ""

bitbake did:
- signed u-boot.imx
- SRK_efuses.bin
- my-image-signed.boot.ubifs
- my-image-signed.rootfs.ubifs

I did:
=> update uboot tftp u-boot.imx
reset the device and trustfence status OK.

=> tftp $loadaddr SRK_efuses.bin
=> trustfence prog_srk $loadaddr $filesize
=> trustfence close
=> reset

U-Boot starts up..

=> update linux tftp my-image-signed.boot.ubifs
=> update rootfs tftp my-image-signed.rootfs.ubifs

=> reset


U-Boot starts up:
...
Done
Authenticating image from DDR location 0x80800000... FAILED!

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99

HAB Event 1
event data:
0xdb 0x00 0x14 0x42 0x33 0x06 0xc0 0x00
0xbe 0x00 0x0c 0x01 0xbb 0x00 0x00 0x00
0x80 0x7f 0xff 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_COMMAND (0x06)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

=>

Does anyone have any advice?

Regards
Michael
asked Dec 3, 2019 in Linux by hellsmoke New to the Community (6 points)


3 Answers

0 votes
You need to program a signed U-Boot before closing the device. Check the big warning in the 'Close the device' section:
https://www.digi.com/resources/documentation/digidocs/embedded/dey/2.6/cc6ul/yocto-trustfence_t_secure-boot-set-up


Are you using an encrypted U-Boot? You can check the output of "trustfence status" to see if an encrypted U-Boot is being used.

The most common causes for that HAB event are:

1) The customer is trying to use encrypted kernel/DTB/bootscript with a signed-only (not-encrypted) U-Boot. Solution: Customer needs to flash an encrypted U-Boot file (using the trustfence update command, as documented)
2) The customer has changed the key index used but has updated only some artifacts (U-Boot updated but DTB/kernel/bootscript not updated, or the other way around). Solution: to ensure the same key is used, execute:

bitbake -c cleansstate u-boot linux-dey dey-image-qt core-image-base
bitbake core-image-base/dey-image-qt
and re-flash all artifacts (including U-Boot)
answered Dec 4, 2019 by LeonidM Veteran of the Digi Community (3,556 points)
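The STS/RSN/CTX/ENG lines in the question are U-Boot's decoding of the raw event bytes printed above them. The decoder below is an added example, not code from the original post or from Digi: it parses a HAB4 event record from its raw bytes (tag, big-endian length, version, the four status bytes and, for a command-context event, the header of the rejected CSF command). The code tables are the HAB4 values U-Boot prints and cover only a subset; the sample record is the one from the question, embedded here as a byte string.

```python
import struct

HAB_TAG_EVT = 0xDB  # tag byte that starts every HAB event record
# Code tables as U-Boot's hab.c prints them (subset; others decode as "unknown").
STATUS = {0xF0: "HAB_SUCCESS", 0x33: "HAB_FAILURE", 0x69: "HAB_WARNING"}
REASON = {0x00: "HAB_RSN_ANY", 0x05: "HAB_INV_IVT", 0x06: "HAB_INV_COMMAND",
          0x0C: "HAB_INV_ASSERTION", 0x11: "HAB_INV_CSF", 0x18: "HAB_INV_SIGNATURE",
          0x1D: "HAB_INV_KEY", 0x21: "HAB_INV_CERTIFICATE", 0x22: "HAB_INV_ADDRESS"}
CONTEXT = {0x00: "HAB_CTX_ANY", 0x0A: "HAB_CTX_AUTHENTICATE", 0xA0: "HAB_CTX_ASSERT",
           0xC0: "HAB_CTX_COMMAND", 0xCF: "HAB_CTX_CSF", 0xDB: "HAB_CTX_AUT_DAT",
           0xDD: "HAB_CTX_DCD", 0xE1: "HAB_CTX_ENTRY", 0xEE: "HAB_CTX_EXIT"}
ENGINE = {0x00: "HAB_ENG_ANY", 0x1B: "HAB_ENG_DCP", 0x1D: "HAB_ENG_CAAM",
          0x21: "HAB_ENG_OCOTP", 0x36: "HAB_ENG_ROM", 0xFF: "HAB_ENG_SW"}
# CSF command tags; in a HAB_CTX_COMMAND event the payload starts with the
# header (tag, big-endian length) of the command HAB rejected.
COMMAND = {0xB1: "SET", 0xB2: "UNLK", 0xB4: "INIT", 0xBE: "INS_KEY",
           0xC0: "NOP", 0xCA: "AUT_DAT", 0xCC: "WRT_DAT", 0xCF: "CHK_DAT"}

def parse_hab_event(data: bytes) -> dict:
    """Decode one event record: tag, big-endian length, version, then the
    STS/RSN/CTX/ENG bytes and a context-specific payload."""
    if len(data) < 8:
        raise ValueError("record shorter than its 8-byte fixed part")
    tag, length, version = struct.unpack(">BHB", data[:4])
    if tag != HAB_TAG_EVT:
        raise ValueError(f"not an event record (tag 0x{tag:02x})")
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes given")
    sts, rsn, ctx, eng = data[4:8]
    event = {
        "hab_version": f"{version >> 4}.{version & 0xF}",
        "sts": STATUS.get(sts, f"unknown (0x{sts:02x})"),
        "rsn": REASON.get(rsn, f"unknown (0x{rsn:02x})"),
        "ctx": CONTEXT.get(ctx, f"unknown (0x{ctx:02x})"),
        "eng": ENGINE.get(eng, f"unknown (0x{eng:02x})"),
        "payload": data[8:],
    }
    if ctx == 0xC0 and len(data) >= 11:  # payload is the rejected CSF command
        cmd_tag, cmd_len = struct.unpack(">BH", data[8:11])
        event["command"] = COMMAND.get(cmd_tag, f"unknown (0x{cmd_tag:02x})")
        event["command_len"] = cmd_len
    return event

# The 20 event bytes exactly as printed in the question (constructed here).
SAMPLE_EVENT = bytes.fromhex("db0014423306c000be000c01bb000000807fff00")

if __name__ == "__main__":
    for key, value in parse_hab_event(SAMPLE_EVENT).items():
        print(f"{key:12} {value}")
```

For the record in the question the rejected command decodes as INS_KEY (Install Key), which fits the key-mismatch cause listed in the answer above: HAB refused the CSF's key installation rather than the signature itself.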
0 votes
Hi

I fixed it. The tftp server and the IPs didn't correspond correctly.

Now I could update the encrypted uboot and now the system starts with the secure-boot.

Regards
Michael
answered Dec 5, 2019 by hellsmoke New to the Community (6 points)
0 votes
Hi

Thank you for your answer. I appreciate that.

Yes, I still have a signed U-Boot stored.

Unfortunately I cannot update the encrypted U-Boot with the trustfence update command. It stops updating after a while with "Error loading firmware file to RAM".

Thanks for your advice.

Regards
Michael
answered Dec 5, 2019 by hellsmoke New to the Community (6 points)
...