cancel
Showing results for 
Search instead for 
Did you mean: 

Hello,I want to konw how to turn on the verification of the images(op-tee)

DDing.1
Associate II

0693W000008z8EKQAY.png0693W000008z8EFQAY.pngI used the latest official version(2021-03-31) to configure the stm32mp157c-dk2 of the optee version, and used the official tutorial to generate fip.bin and burn it to the corresponding partition, but it seems that the image is not checked,in other worlds, I did not see the successful prompt for the verification of the mirror image.

13 REPLIES 13

Hi @DDing.1​ 

Sorry, late reply, try to figure out what append.

First thing.

The bl2 produce in the fip target is a kind of 'fake' BL2, just used to generate the certificate Trusted_key certificate file used to authenticate FW config and HW config file.

It is not used, just required to create the certificate and embed the key.

After looking deeper to your command, I'm afraid about one this you wrtoe me:

ROT_KEY=./plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem

We only support ECDSA configuration on our stm32_crypto_module.

You must not use a rsa key, and I'm suspected that it causes the failure.

The ROT_KEY must be the private.pem file you've generated and the one which HASH as been fuses in your OTP board.

Could you please retry and confirm?

BR,

Lionel

Sorry for the late reply. After reassigning the key and algorithm, it started successfully.But it seems that I did not see the log output related to the successful verification.I want to know if this is correct.Thanks.

Hi @DDing.1​ ,

Go to know, in the FIP management there is no formal "Authentication success" to be printed.

If it boots, it works ;)

The only way can you can ensure that it works is that the complete firmware + certificate are loaded:

Image 31 (FW_CONFIG) required Image 6 (Trusted Boot Firmware Certificate).

You have mode loaded images (ID must correspond to all certificates) to confirm that it works.

There is no possibility to skip the authentication so if OP-TEE/U-Boot are launched, authentication is successful.

BR,

Lionel

Thank you very much for your help.