cancel
Showing results for 
Search instead for 
Did you mean: 

STM32MP135f - Secure Boot strange problems

bojanpog
Associate

Hi!

According to the instructions on page https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_package#Creating_signature_key_for_STM32MP15x_lines

1.) Problem at 5.1

 

STM32MP> load mmc 1:8 0xc0000000 publicKeysHashHashes.bin
32 bytes read in 9 ms (2.9 KiB/s)
STM32MP> stm32key fuse 0xc0000000
PKHTH OTP 24: 00000000 lock : 10000000
PKHTH OTP 25: 00000000 lock : 10000000
PKHTH OTP 26: 00000000 lock : 10000000
PKHTH OTP 27: 00000000 lock : 10000000
PKHTH OTP 28: 00000000 lock : 10000000
PKHTH OTP 29: 00000000 lock : 10000000
PKHTH OTP 30: 00000000 lock : 10000000
PKHTH OTP 31: 00000000 lock : 10000000
PKHTH is not locked!
PKHTH is free!
Writing PKHTH with
PKHTH OTP 24: [c0000000] ba7dda6a
PKHTH OTP 25: [c0000004] 3fcc0388
PKHTH OTP 26: [c0000008] e41a498b
PKHTH OTP 27: [c000000c] ea3dcd70
PKHTH OTP 28: [c0000010] e51b284c
PKHTH OTP 29: [c0000014] 25a7369c
PKHTH OTP 30: [c0000018] ca014ca6
PKHTH OTP 31: [c000001c] 1a69811e
Warning: Programming fuses is an irreversible operation!
This may brick your system.
Use this command only if you are sure of what you are doing!

Really perform this fuse programming? <y/N>
y
Fuse PKHTH OTP 24 : ba7dda6a
Fuse PKHTH OTP 25 : 3fcc0388
Fuse PKHTH OTP 26 : e41a498b
Fuse PKHTH OTP 27 : ea3dcd70
Fuse PKHTH OTP 28 : e51b284c
Fuse PKHTH OTP 29 : 25a7369c
Fuse PKHTH OTP 30 : ca014ca6
Fuse PKHTH OTP 31 : 1a69811e
PKHTH updated !
STM32MP> load mmc 1:8 0xc0000000 stm32mp13_encryption_key.bin
16 bytes read in 8 ms (2 KiB/s)
STM32MP> stm32key select EDMK
EDMK selected
STM32MP> stm32key fuse 0xc0000000
optee optee: PTA_BSEC invoke failed TEE err: ffff0001, err:0
EDMK OTP 92: ffffffff lock : 04000000
optee optee: PTA_BSEC invoke failed TEE err: ffff0001, err:0
EDMK OTP 93: ffffffff lock : 04000000
optee optee: PTA_BSEC invoke failed TEE err: ffff0001, err:0
EDMK OTP 94: ffffffff lock : 04000000
optee optee: PTA_BSEC invoke failed TEE err: ffff0001, err:0
EDMK OTP 95: ffffffff lock : 04000000
EDMK lock is invalid!
EDMK is invalid!
Error: can't fuse again the OTP <---- Why??

2.) Another problem with 7.2 
STM32MP_SigningTool_CLI -pubk ~/yocto/secure-boot/publicKey00.pem -prvk ~/yocto/secure-boot/privateKey00.pem -pwd xxxxxxxxxxx -t fsbl -of 0x00000001 -bin ~/yocto/build/tmp-glibc/deploy/images/stm32mp13-ugea/arm-trusted-firmware/tf-a-stm32mp135f-ugea-microdev-mx-emmc.stm32 -o ~/yocto/build/tmp-glibc/deploy/images/stm32mp13-ugea/arm-trusted-firmware/tf-a-stm32mp135f-ugea-microdev-mx-emmc_Signed.stm32

Error below can be solver if removing -of 0x00000001  <---- Why??

-------------------------------------------------------------------
STM32MP Signing Tool v2.15.0
-------------------------------------------------------------------

Binary already contains header

3.) Another problem with 7.3

STM32MP_SigningTool_CLI -pubk ~/yocto/secure-boot/publicKey00.pem -prvk ~/yocto/secure-boot/privateKey00.pem -pwd xxxxxxxxxxx --enc-key ~/yocto/secure-boot/stm32mp13_encryption_key.bin -t fsbl --enc-dc 0x0E5F2025 --image-version 0 -of 0x80000003 -bin ~/yocto/build/tmp-glibc/deploy/images/stm32mp13-ugea/arm-trusted-firmware/tf-a-stm32mp135f-ugea-microdev-mx-emmc.stm32 -o ~/yocto/build/tmp-glibc/deploy/images/stm32mp13-ugea/arm-trusted-firmware/tf-a-stm32mp135f-ugea-microdev-mx-emmc_Encrypted.stm32

Error below can be solved if removing -of 0x80000003  <---- Why??

-------------------------------------------------------------------
STM32MP Signing Tool v2.15.0
-------------------------------------------------------------------

Binary already contains header

Current local.conf from Yocto:

SIGN_KEY = "~/yocto/secure-boot/privateKey00.pem"
SIGN_KEY_stm32mp13 = "\/yocto/secure-boot/privateKey00.pem"
EXTERNAL_KEY_CONF = "1"
SIGN_KEY_PASS = "xxxxxxxxxxx"
SIGN_ENABLE = "1"
SIGN_TOOL = "~/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32MP_SigningTool_CLI"
ENCRYPT_ENABLE = "1"
ENCRYPT_FSBL_KEY = "~/yocto/secure-boot/stm32mp13_encryption_key.bin"
ENCRYPT_FIP_KEY = "~/yocto-secure-boot/stm32mp13_encryption_key_256bits.txt"
TOOLCHAIN_TARGET_TASK:append = " kernel-devsrc"
 

System info:

NOTICE: CPU: STM32MP135F Rev.Y
NOTICE: Model: STMicroelectronics custom STM32CubeMX board - openstlinux-5.15-yocto-kirkstone-mp1-v22.11.23
ERROR: nvmem node board_id not found
WARNING: VDD unknown
INFO: Reset reason (0x44):
INFO: System reset generated by MPU (MPSYSRST)
INFO: FCONF: Reading TB_FW firmware configuration file from: 0x2ffe0000
INFO: FCONF: Reading firmware configuration information for: stm32mp_io
INFO: Using EMMC
INFO: Instance 2
INFO: Boot used partition fsbl1
NOTICE: BL2: v2.6-stm32mp1-r2.0(debug):devtool-patched(2fee8b56)
NOTICE: BL2: Built : 13:26:30, May 28 2024
INFO: BL2: Doing platform setup
INFO: RAM: DDR3-DDR3L 16bits 533000kHz
INFO: Memory size = 0x20000000 (512 MB)
INFO: BL2: Loading image id 1
INFO: Loading image id=1 at address 0x30006000
INFO: Image id=1 loaded: 0x30006000 - 0x30006246
INFO: FCONF: Reading FW_CONFIG firmware configuration file from: 0x30006000
INFO: FCONF: Reading firmware configuration information for: mce_config
INFO: FCONF: Reading firmware configuration information for: dyn_cfg
INFO: FCONF: Reading firmware configuration information for: stm32mp1_firewall
INFO: BL2: Loading image id 4
INFO: Loading image id=4 at address 0xde200000
INFO: Image id=4 loaded: 0xde200000 - 0xde20001c
INFO: OPTEE ep=0xde200000
INFO: OPTEE header info:
INFO: magic=0x4554504f
INFO: version=0x2
INFO: arch=0x0
INFO: flags=0x0
INFO: nb_images=0x1
INFO: BL2: Loading image id 8
INFO: Loading image id=8 at address 0xde200000
INFO: Image id=8 loaded: 0xde200000 - 0xde273cf0
INFO: BL2: Loading image id 2
INFO: Loading image id=2 at address 0xc0400000
INFO: Image id=2 loaded: 0xc0400000 - 0xc040c2d0
INFO: BL2: Skip loading image id 16
INFO: BL2: Loading image id 5
INFO: Loading image id=5 at address 0xc0000000
INFO: Image id=5 loaded: 0xc0000000 - 0xc00e4534
NOTICE: BL2: Booting BL32
INFO: Entry point address = 0xde200000
INFO: SPSR = 0x1d3
I/TC: Early console on UART#4
I/TC:
I/TC: Non-secure external DT found
I/TC: Embedded DTB found
I/TC: OP-TEE version: 3.16.0-dev (gcc version 11.3.0 (GCC)) #1 Fri Jan 28 02:28:18 PM UTC 2022 arm
I/TC: WARNING: This OP-TEE configuration might be insecure!
I/TC: Primary CPU initializing
I/TC: WARNING: All debug access are allowed
I/TC: Platform stm32mp1: flavor PLATFORM_FLAVOR - DT stm32mp135f-ugea-microdev-mx.dts
I/TC: DTB disables console
optee optee: OP-TEE: revision 3.16 (d0b742d1)


U-Boot 2021.10-stm32mp-r2 (Oct 04 2021 - 15:09:26 +0000)

CPU: STM32MP135F Rev.Y
Model: STMicroelectronics custom STM32CubeMX board - openstlinux-5.15-yocto-kirkstone-mp1-v22.11.23
Board: stm32mp1 in trusted mode (st,stm32mp135d-ugea-microdev-mx)
DRAM: 512 MiB
optee optee: OP-TEE: revision 3.16 (d0b742d1)
Clocks:
- MPU : 1000 MHz
- AXI : 65 MHz
- PER : 64 MHz
- DDR : 520 MHz
WDT: Not found!
NAND: 0 MiB
MMC: STM32 SD/MMC: 0, STM32 SD/MMC: 1
Loading Environment from MMC... OK
In: serial
Out: serial
Err: serial
invalid MAC address 0 in OTP 00:00:00:00:00:00
Net:
Error: eth1@5800a000 address not set.
No ethernet found.

Hit any key to stop autoboot: 0
STM32MP>



0 REPLIES 0