FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Hello,I want to konw how to turn on the verification of the images(op-tee)

Go to solution
DDing.1
Associate II

‎2021-04-09 07:52 AM

0693W000008z8EKQAY.png0693W000008z8EFQAY.pngI used the latest official version(2021-03-31) to configure the stm32mp157c-dk2 of the optee version, and used the official tutorial to generate fip.bin and burn it to the corresponding partition, but it seems that the image is not checked,in other worlds, I did not see the successful prompt for the verification of the mirror image.

Labels:
0 Kudos
13 REPLIES 13
Go to solution
LionelD
Associate II
In response to DDing.1

‎2021-04-16 01:01 AM

Hi @DDing.1​ 

Sorry, late reply, try to figure out what append.

First thing.

The bl2 produce in the fip target is a kind of 'fake' BL2, just used to generate the certificate Trusted_key certificate file used to authenticate FW config and HW config file.

It is not used, just required to create the certificate and embed the key.

After looking deeper to your command, I'm afraid about one this you wrtoe me:

ROT_KEY=./plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem

We only support ECDSA configuration on our stm32_crypto_module.

You must not use a rsa key, and I'm suspected that it causes the failure.

The ROT_KEY must be the private.pem file you've generated and the one which HASH as been fuses in your OTP board.

Could you please retry and confirm?

BR,

Lionel

0 Kudos
Go to solution
DDing.1
Associate II
In response to DDing.1

‎2021-04-19 12:37 AM

Sorry for the late reply. After reassigning the key and algorithm, it started successfully.But it seems that I did not see the log output related to the successful verification.I want to know if this is correct.Thanks.

0 Kudos
Go to solution
LionelD
Associate II
In response to DDing.1

‎2021-04-19 01:08 AM

Hi @DDing.1​ ,

Go to know, in the FIP management there is no formal "Authentication success" to be printed.

If it boots, it works 😉

The only way can you can ensure that it works is that the complete firmware + certificate are loaded:

Image 31 (FW_CONFIG) required Image 6 (Trusted Boot Firmware Certificate).

You have mode loaded images (ID must correspond to all certificates) to confirm that it works.

There is no possibility to skip the authentication so if OP-TEE/U-Boot are launched, authentication is successful.

BR,

Lionel

0 Kudos
Go to solution
DDing.1
Associate II
In response to DDing.1

‎2021-04-19 01:18 AM

Thank you very much for your help.

0 Kudos
Top