
Unable to decrypt FIP on STM32MP13

arifbalik
Associate II

I have followed the wiki to create my encryption keys:

https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_Package#Creating_encryption_key_for_STM32MP13--STM32MP21--STM32MP23_and_STM32MP25

 

Which suggests creating two keys, for TF-A and FIP encryption.

But then on the same page it suggests we only load the encryption key for TF-A into the OTP registers (I cannot fit the FIP key into OTP anyway).

After I build my image with the following config:

 

    SIGN_KEY = "../keys/privateKey00.pem"
    SIGN_KEY_stm32mp13 = "../keys/privateKey00.pem"
    EXTERNAL_KEY_CONF = "1"
    SIGN_KEY_PASS = "pass pass pass pass pass pass pass pass"
    SIGN_ENABLE = "1"
    SIGN_TOOL = "/bin/STM32_SigningTool_CLI"

    ENCRYPT_ENABLE = "1"
    ENCRYPT_FSBL_KEY = "../keys/stm32mp_encryption_key.bin"
    ENCRYPT_FSBL_KEY_stm32mp13 = "../keys/stm32mp_encryption_key.bin"
    ENCRYPT_FIP_KEY = "../keys/stm32mp_encryption_key_256bits.bin"
    ENCRYPT_FIP_KEY_stm32mp13 = "../keys/stm32mp_encryption_key_256bits.bin"

 

I get this error:

 

NOTICE:  CPU: STM32MP135F Rev.Y
NOTICE:  Model: EGate Rev D
NOTICE:  Bootrom authentication succeeded
NOTICE:  Reset reason (0x34):
NOTICE:  BL2: v2.10-stm32mp1-r1.0(release):lts-v2.10.5-dirty(7c229848)
NOTICE:  BL2: Built : 16:19:31, Jun 28 2024
NOTICE:  TRUSTED_BOARD_BOOT support enabled
ERROR:   File decryption failed (4)
ERROR:   BL2: Failed to load image id 4 (-2)

 

Which makes sense because I assume TF-A uses the key in the OTP to decrypt the image, which would fail.

 

When I try to encrypt the FIP using the same key as TF-A, I get the following error:

 

| CMD> encrypt_fw \
|       --key <my-key> \
|       --nonce 1234567890abcdef12345678 \
|       --fw-enc-status 0 \
|       --in /yocto/build/tmp-glibc/work/egate_revd-oe-linux-gnueabi/fip-stm32mp/6.0/recipe-sysroot/optee/tee-header_v2-stm32mp135f-dk-custom-mx-optee.bin \
|       --out /yocto/build/tmp-glibc/work/egate_revd-oe-linux-gnueabi/fip-stm32mp/6.0/recipe-sysroot/optee/tee-header_v2-stm32mp135f-dk-custom-mx-optee_Encrypted.bin
| ERROR:   Unsupported key size: 32
| [TOOLS ERROR]: ENCTOOL optee header error

 

When I completely skip encryption and only use signed binaries, I get yet another error:

 

NOTICE:  CPU: STM32MP135F Rev.Y
NOTICE:  Model: EGate Rev D
NOTICE:  Bootrom authentication succeeded
NOTICE:  Reset reason (0x34):
NOTICE:  BL2: v2.10-stm32mp1-r1.0(release):lts-v2.10.5-dirty(7c229848)
NOTICE:  BL2: Built : 16:19:31, Jun 28 2024
NOTICE:  TRUSTED_BOARD_BOOT support enabled
ERROR:   BL2: Failed to load image id 4 (-5)

 

Any suggestions?
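A pre-build check, added here as an example and not code from the thread, from ST or from the wiki: it parses the quoted `ENCRYPT_*` variables the way BitBake resolves a `_stm32mp13` machine override and verifies the size of each key file before the build ever reaches `encrypt_fw`. The two sizes are assumptions taken from the wiki's file names and from the `Unsupported key size` error above: 16 bytes for the FSBL key that is provisioned into OTP and 32 bytes for the FIP key. The `demo()` function writes throwaway random keys into a temporary directory, so nothing here touches real key material.

```python
"""Sanity-check the encryption key files referenced by an STM32MP Yocto
signing/encryption configuration before running the build.

Added example for this thread, not ST's or the poster's code. Assumptions:
the FSBL (TF-A) key burnt into OTP is 16 bytes (AES-128) and the FIP key
given to TF-A's encrypt_fw is 32 bytes (AES-256); both sizes are inferred
from the wiki's file names and the thread's "Unsupported key size" error.
"""
import os
import re
import tempfile

# Expected key sizes in bytes (assumptions, see module docstring).
EXPECTED_SIZES = {"ENCRYPT_FSBL_KEY": 16, "ENCRYPT_FIP_KEY": 32}

# Constructed copy of the configuration fragment quoted in the thread.
SAMPLE_CONF = """
ENCRYPT_ENABLE = "1"
ENCRYPT_FSBL_KEY = "../keys/stm32mp_encryption_key.bin"
ENCRYPT_FSBL_KEY_stm32mp13 = "../keys/stm32mp_encryption_key.bin"
ENCRYPT_FIP_KEY = "../keys/stm32mp_encryption_key_256bits.bin"
ENCRYPT_FIP_KEY_stm32mp13 = "../keys/stm32mp_encryption_key_256bits.bin"
"""

ASSIGN_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"([^"]*)"\s*$')


def parse_conf(text, machine):
    """Return {VAR: value} from a BitBake-style fragment.

    A VAR_<machine> assignment wins over the plain VAR, mirroring how BitBake
    applies machine overrides (simplified: only this one override level).
    """
    plain, override = {}, {}
    suffix = "_" + machine
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if name.endswith(suffix):
            override[name[: -len(suffix)]] = value
        else:
            plain[name] = value
    plain.update(override)
    return plain


def check_keys(conf, base_dir):
    """Return a list of (variable, path, size_or_None, problem_or_None)."""
    results = []
    if conf.get("ENCRYPT_ENABLE") != "1":
        return results  # encryption disabled: nothing to verify
    for var, want in EXPECTED_SIZES.items():
        rel = conf.get(var)
        if rel is None:
            results.append((var, None, None, "not set"))
            continue
        path = os.path.normpath(os.path.join(base_dir, rel))
        if not os.path.isfile(path):
            results.append((var, path, None, "file missing"))
            continue
        size = os.path.getsize(path)
        problem = None if size == want else f"{size} bytes, expected {want}"
        results.append((var, path, size, problem))
    # One file cannot satisfy both sizes, so flag key reuse explicitly.
    fsbl, fip = conf.get("ENCRYPT_FSBL_KEY"), conf.get("ENCRYPT_FIP_KEY")
    if fsbl and fip and fsbl == fip:
        results.append(("ENCRYPT_FIP_KEY", fip, None, "same file as ENCRYPT_FSBL_KEY"))
    return results


def demo():
    """Create a throwaway keys/ directory with a random 16-byte and 32-byte key
    (constructed for the demo) and run the check twice: with the thread's
    configuration, and with the FIP key pointed at the FSBL key, which is the
    mistake behind the "Unsupported key size" error."""
    with tempfile.TemporaryDirectory() as tmp:
        keys = os.path.join(tmp, "keys")
        os.mkdir(keys)
        with open(os.path.join(keys, "stm32mp_encryption_key.bin"), "wb") as f:
            f.write(os.urandom(16))
        with open(os.path.join(keys, "stm32mp_encryption_key_256bits.bin"), "wb") as f:
            f.write(os.urandom(32))
        build_dir = os.path.join(tmp, "build")  # "../keys" resolves from here
        os.mkdir(build_dir)

        ok = check_keys(parse_conf(SAMPLE_CONF, "stm32mp13"), build_dir)
        bad_conf = SAMPLE_CONF.replace("_256bits.bin", ".bin")
        bad = check_keys(parse_conf(bad_conf, "stm32mp13"), build_dir)
        return ok, bad


if __name__ == "__main__":
    for label, rows in zip(("thread config", "FIP key reused"), demo()):
        print(label)
        for var, path, size, problem in rows:
            print(f"  {var}: {path} size={size} {problem or 'OK'}")
```

Run it as a script to see both reports; in a real layer, point `base_dir` at the directory the relative `../keys/...` paths are written against and drop the `demo()` scaffolding.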

1 REPLY 1
arifbalik
Associate II

My TF-A binary dump:

 

STM32_SigningTool_CLI -dump build/tmp-glibc/deploy/images/egate-revd/arm-trusted-firmware/tf-a-stm32mp135f-dk-custom-mx-optee-programmer-usb_Signed.stm32 
       -------------------------------------------------------------------
                       STM32 Signing Tool v2.19.0                     
       -------------------------------------------------------------------

 
Header description:

    Magic: 0x53544d32
    Signature: 04 17 61 e8 bf d6 13 9d 33 cf 94 ac ac 66 9d 68 b6 05 5b 48 c9 5e 01 34 0c f2 a9 2b de 4d 03 ef 
               27 a0 e2 18 9d 53 f2 82 96 df f6 78 5b eb 07 de 43 4a fa 5f 85 2e 4c 35 83 d8 be 72 62 49 ff b5 
    Checksum: 0x7da8d7
    Header version: 0x20000
    Size: 0x179e0
    Load address: 0x2ffe0000
    Entry point: 0x2ffe5000
    Image version: 0x0
    Extension: 0x80000001

    ECDSA  : 256 
 
Authentication header detected:
    Type: 0x53540002
    Size: 0x154
    Key index: 0x0
    Key number: 0x8
    ECDSA Algo: 0x1
    ECDSA pub key: 45 c4 98 50 f7 4b f5 33 67 c1 bf 52 dc 2a 28 f0 2e 89 07 6a b2 8e 24 1f df 8f 75 48 80 da 1e f5 
                   21 64 26 d8 53 d6 ac b1 f7 38 b0 d5 e3 2d a2 b7 2a 18 16 96 ab 72 4d 2a 17 87 25 aa 62 32 08 fa 
                 
    Key 0: 0c 83 ca 35 5e 04 f8 5f 91 36 a6 54 7d 26 4b 44 f7 07 b3 3c a7 e8 e7 d9 58 bd fc 50 be 55 a6 f2 
    Key 1: 39 74 65 5e 76 e5 0b a5 6a 02 60 c2 3b e7 61 d6 bd c8 17 42 89 cf 56 19 c2 32 0f 18 a6 70 c3 bc 
    Key 2: be 0b 2f ff ef 9b 31 11 71 a1 97 ef 8a 72 3c 0f 91 60 56 ee 04 07 ba 3c 34 42 b2 9c 70 38 96 8c 
    Key 3: 27 db 2a 44 1b b2 af c2 7d 59 c7 38 da 9a 66 d3 80 9c be 99 97 63 f5 13 6c 98 a9 e3 49 60 89 17 
    Key 4: de 58 04 6f 77 15 54 2f 19 9d a2 13 c2 f5 9c 31 4f be 15 cd 51 a8 14 c1 81 aa 61 6b b6 e4 85 d9 
    Key 5: e6 61 12 23 10 a6 72 d4 9a fa 93 cf c4 57 14 d1 be f1 0f 9e f0 bc 45 89 19 27 53 d3 f6 0a 55 5c 
    Key 6: 0b 87 c6 72 fb 14 da f3 2c ea 8f 44 5c 1d 37 86 c1 61 7f 4b e7 29 26 7f 8e 51 dd 6a 6b 75 d1 1a 
    Key 7: fd 61 59 63 b5 d7 b6 ba 59 13 ce 83 91 bc d2 fe 2b 48 62 eb 5a df 5f 00 48 73 b3 0c 1e 15 a2 76 
 
Pad header detected:
    Type: 0x5354ffff
    Size: 0x2c
    Padding values: 02 1c f2 fa 14 a0 d0 03 1e 93 9e 7a dc 78 78 88 a2 23 1b 0f d8 37 54 d8 21 6e 0b db d6 0c 69 
                    01 79 61 ab ad 

 

and FIP info:

 

build/tmp-glibc/sysroots-components/x86_64/tf-a-tools-native/usr/bin/fiptool info build/tmp-glibc/deploy/images/egate-revd/fip/fip-stm32mp135f-dk-custom-mx-optee-emmc_Signed.bin
Secure Payload BL32 (Trusted OS): offset=0x240, size=0x1C, cmdline="--tos-fw"
Secure Payload BL32 Extra1 (Trusted OS Extra1): offset=0x25C, size=0x8BFE0, cmdline="--tos-fw-extra1"
Non-Trusted Firmware BL33: offset=0x8C23C, size=0x115BC8, cmdline="--nt-fw"
FW_CONFIG: offset=0x1A1E04, size=0x236, cmdline="--fw-config"
HW_CONFIG: offset=0x1A203A, size=0xC530, cmdline="--hw-config"
Trusted key certificate: offset=0x1AE56A, size=0x283, cmdline="--trusted-key-cert"
Trusted OS Firmware key certificate: offset=0x1AE7ED, size=0x22B, cmdline="--tos-fw-key-cert"
Non-Trusted Firmware key certificate: offset=0x1AEA18, size=0x22E, cmdline="--nt-fw-key-cert"
Trusted Boot Firmware BL2 certificate: offset=0x1AEC46, size=0x2C9, cmdline="--tb-fw-cert"
Trusted OS Firmware content certificate: offset=0x1AEF0F, size=0x2E2, cmdline="--tos-fw-cert"
Non-Trusted Firmware content certificate: offset=0x1AF1F1, size=0x255, cmdline="--nt-fw-cert"
STM32MP CONFIG CERT: offset=0x1AF446, size=0x286, cmdline="--stm32mp-cfg-cert"
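To rule out a malformed FIP when BL2 reports a load failure, the `fiptool info` output above can be checked mechanically. The parser below is an added example, not fiptool's, ST's or the poster's code; it takes the quoted output as its sample input, confirms that the entries are laid out back to back without overlap, and looks up the entry behind a BL2 image id. Mapping `--tos-fw` to image id 4 and `--nt-fw` to image id 5 follows TF-A's `BL32_IMAGE_ID` and `BL33_IMAGE_ID` and is stated here as an assumption, not something the thread shows.

```python
"""Parse `fiptool info` output and check that the FIP layout is consistent.

Added example for this thread, not fiptool's code. The sample is the fiptool
output quoted in the reply. IMAGE_IDS assumes TF-A's BL32_IMAGE_ID == 4 and
BL33_IMAGE_ID == 5 (assumption; the thread does not show the mapping).
"""
import re

# fiptool output quoted in the thread, used here as sample input.
SAMPLE_FIPTOOL_INFO = """\
Secure Payload BL32 (Trusted OS): offset=0x240, size=0x1C, cmdline="--tos-fw"
Secure Payload BL32 Extra1 (Trusted OS Extra1): offset=0x25C, size=0x8BFE0, cmdline="--tos-fw-extra1"
Non-Trusted Firmware BL33: offset=0x8C23C, size=0x115BC8, cmdline="--nt-fw"
FW_CONFIG: offset=0x1A1E04, size=0x236, cmdline="--fw-config"
HW_CONFIG: offset=0x1A203A, size=0xC530, cmdline="--hw-config"
Trusted key certificate: offset=0x1AE56A, size=0x283, cmdline="--trusted-key-cert"
Trusted OS Firmware key certificate: offset=0x1AE7ED, size=0x22B, cmdline="--tos-fw-key-cert"
Non-Trusted Firmware key certificate: offset=0x1AEA18, size=0x22E, cmdline="--nt-fw-key-cert"
Trusted Boot Firmware BL2 certificate: offset=0x1AEC46, size=0x2C9, cmdline="--tb-fw-cert"
Trusted OS Firmware content certificate: offset=0x1AEF0F, size=0x2E2, cmdline="--tos-fw-cert"
Non-Trusted Firmware content certificate: offset=0x1AF1F1, size=0x255, cmdline="--nt-fw-cert"
STM32MP CONFIG CERT: offset=0x1AF446, size=0x286, cmdline="--stm32mp-cfg-cert"
"""

# fiptool cmdline -> numeric image id that BL2 prints (assumed from TF-A).
IMAGE_IDS = {"--tos-fw": 4, "--nt-fw": 5}

ENTRY_RE = re.compile(
    r'^(?P<name>.+?): offset=0x(?P<offset>[0-9A-Fa-f]+), '
    r'size=0x(?P<size>[0-9A-Fa-f]+), cmdline="(?P<cmdline>--[a-z0-9-]+)"$'
)


def parse_fiptool_info(text):
    """Return one dict (name, offset, size, cmdline) per entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:
            continue  # tolerate banners or blank lines around the table
        entries.append({
            "name": m["name"],
            "offset": int(m["offset"], 16),
            "size": int(m["size"], 16),
            "cmdline": m["cmdline"],
        })
    return entries


def check_layout(entries):
    """Return a list of problems; an empty list means the layout is sane.

    Entries are visited in offset order; overlaps, zero-size payloads and
    duplicate cmdlines are reported. Gaps are tolerated because fiptool may
    align entries.
    """
    problems = []
    seen = set()
    prev_end = 0
    for e in sorted(entries, key=lambda e: e["offset"]):
        if e["cmdline"] in seen:
            problems.append(f'duplicate entry {e["cmdline"]}')
        seen.add(e["cmdline"])
        if e["size"] == 0:
            problems.append(f'{e["cmdline"]} has zero size')
        if e["offset"] < prev_end:
            problems.append(
                f'{e["cmdline"]} at 0x{e["offset"]:X} overlaps the previous entry')
        prev_end = max(prev_end, e["offset"] + e["size"])
    return problems


def payload_end(entries):
    """Offset just past the last byte covered by any entry."""
    return max(e["offset"] + e["size"] for e in entries)


def entry_for_image_id(entries, image_id):
    """Return the entry BL2 would report under `image_id`, or None."""
    wanted = {c for c, i in IMAGE_IDS.items() if i == image_id}
    for e in entries:
        if e["cmdline"] in wanted:
            return e
    return None


if __name__ == "__main__":
    fip = parse_fiptool_info(SAMPLE_FIPTOOL_INFO)
    print(f"{len(fip)} entries, payload ends at 0x{payload_end(fip):X}")
    print("problems:", check_layout(fip) or "none")
    print("image id 4 ->", entry_for_image_id(fip, 4))
```

On the quoted output every entry starts exactly where the previous one ends, so the packaging itself is not what BL2 is complaining about; the 0x1C-byte `--tos-fw` entry is the OP-TEE header, with the pager payload in `--tos-fw-extra1`.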