FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Secure boot with wrong hash in OTPs

Daniel S.
Associate III

‎2025-01-21 07:12 AM

I'm trying to get SecureBoot running on STM32MP157.
After opening and reading about 30 pages of your wiki and basically following [1] I was able to create keys and convinced yocto into generating "*_Signed*" files.
Sadly I then got confused with publicKeyHash00.bin and publicKeysHashHashes.bin and uploaded the latter one into my OTPs (all instructions always point to publicKeyhash.bin - never the correct file name). My bad.

When I now try to upload new signed images onto the emmc, the process outputs:

 

NOTICE: Bootrom authentication failed
NOTICE: BL2: v2.8-stm32mp1-r1.0(release):lts-v2.8.6-dirty(ff0bd5f9)
NOTICE: BL2: Built : 17:57:15, Apr 21 2023
NOTICE: TRUSTED_BOARD_BOOT support enabled
ERROR: BL2: Failed to load image id 1 (-80)

 

Authentication in boot ROM fails as expected. That's okay. But from the last line I think loading of the fip image also fails.
Page [2] says "The process ends with error authentication error -80 in case of incorrect provisioning.".
Does this mean the boot process or the validation process? Should the board boot or should it (just like the boot ROM) print a warning and continue?

It's not really clear to me what my problem is here. Will everything be solved when I risk flashing the OTPs on a second board. Or might I have another problem in the generation of the fip image (which I should fix before potentially bricking a second board).


[1] https://wiki.stmicroelectronics.cn/stm32mpu/index.php?title=How_to_perform_Secure_Boot_from_Distribution_package&oldid=91129
[2] https://wiki.st.com/stm32mpu/wiki/How_to_enable_secure_boot_on_STM32_MPU

Labels:
0 Kudos
2 REPLIES 2
Febus
ST Employee

‎2025-01-22 07:52 AM

Hello Daniel,

Could you please read the OTP (in Uboot: fuse read 0 0 96) to check if the chip is locked?

I don't think your chip is locked because you would be stuck on line 1 (NOTICE: Bootrom authentication failed) if the SSP is set up correctly. The boot process continued despite the validation failure, which suggests that your chip is not locked.




0 Kudos
Daniel S.
Associate III
In response to Febus

‎2025-01-22 08:19 AM

Hello Febus,

thanks for the answer. I cannot test it at the moment and will do it later.
At least I did not lock the device on purpose (never typed stm32key close in uboot). Uploading unsigned images worked fine - they booted up as before, without a warning/notification/error.

 

In the mean time I got curious and took a second board. This time I uploaded publicKeyHash00.bin into the OTPs and this seems to do the trick:

NOTICE: Bootrom authentication succeeded
NOTICE: BL2: v2.8-stm32mp1-r1.0(release):lts-v2.8.6-dirty(ff0bd5f9)
NOTICE: BL2: Built : 17:57:15, Apr 21 2023
NOTICE: TRUSTED_BOARD_BOOT support enabled
NOTICE: BL2: Booting BL32
I/TC: Early console on UART#1

Signed and unsigned images boot correctly now.

0 Kudos
Top