2023-10-23 08:06 AM
Hello,
I am trying to enable secure boot on my STM32MP157F-EV1 board. I'm following the https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_package Tutorial.
The keys are created, the public hash is fused.
I've added the required information in the local.conf file to enable signature. (I also noticed that the compilation stops if the SIGN_KEY_stm32mp13 is not in this file, which I find weird because the conf file is made for a stm32mp15 board.)
SIGN_KEY = "key/stm32mp15/privateKey.pem"
SIGN_KEY_stm32mp15 = "key/stm32mp15/privateKey.pem"
SIGN_KEY_stm32mp13 = "key/stm32mp13/privateKey00.pem"
EXTERNAL_KEY_CONF = "1"
SIGN_KEY_PASS = "<password>"
SIGN_ENABLE = "1"
SIGN_TOOL = "/home/viveris/julien/STM32CubeProgrammer-2.14.0/bin/STM32MP_SigningTool_CLI"
The bitbake st-image-weston goes well until the T-FA build. STM32MP Signing Tool v2.14.0 crashes with a Segmentation Fault. Here is the console error:
| -------------------------------------------------------------------
| STM32MP Signing Tool v2.14.0
| -------------------------------------------------------------------
|
| Prime256v1 curve is selected.
| Segmentation fault (core dumped)
| WARNING: exit code 139 from a shell command.
ERROR: Task (/home/julien/new/layers/meta-st/meta-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.8.bb:do_compile) failed with exit code '1'
Could it be an issue with the keys path?
I also tried to use the Signing Tool with an already compiled firmware, but same results: the Signing Tool crashes when I give the key path.
Any hints?
Thanks for your help,
Regards
2023-11-16 11:51 PM
Hello @jdebaud ,
Are you still stuck with this issue? We did not notice such a status in our internal test.
Kind regards,
Erwan.
2023-11-17 03:52 AM
Hello @Erwan SZYMANSKI
Yes, I am still having the issue. After some tests, it seems to be caused by the privateKey password. The one I use is 30 characters long. But I tried with a 5-character one with a new key pair and this one works.
Regards
2023-11-17 04:31 AM
Thank you for your precious feedback, we will check it internally as a segmentation fault is not a wanted status.
Kind regards,
Erwan.
2023-11-17 04:47 AM
Unfortunately, I am not able to reproduce the error above with KeyGen and SigningTool. If you have a way to reproduce, do not hesitate to share.
Kind regards,
Erwan.
2023-11-17 05:09 AM
Here is the process I followed: (most of it is on this link https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_package )
- generation of mp15 key pair using a 30 character long password, using the STM32MP_KeyGen_CLI.
- prepared the distribution package for the secure boot, including adding the "SIGN" config in the build.../conf/local.conf file. See my first post for the content.
- started the compilation using bitbake st-image-weston. After around 4k tasks, bitbake exits with error 1:
ERROR: tf-a-stm32mp-v2.8.6-stm32mp-r1-r0 do_compile: ExecutionError('/home/viveris/julien/test-key/build-openstlinuxweston-stm32mp15-eval/tmp-glibc/work/stm32mp15_eval-ostl-linux-gnueabi/tf-a-stm32mp/v2.8.6-stm32mp-r1-r0/temp/run.do_compile.1174119', 139, None, None)
ERROR: Task (/home/viveris/julien/test-key/layers/meta-st/meta-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.8.bb:do_compile) failed with exit code '1'
Hope this helps.
Regards.
2023-11-17 05:20 AM
I am mostly unable to use the Signing Tool. Even in standalone mode, it also has a segmentation fault.
I used gdb to have a better vision of what is happening, here's the log:
Starting program: /home/viveris/julien/STM32CubeProgrammer-2.14.0/bin/STM32MP_SigningTool_CLI
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
-------------------------------------------------------------------
STM32MP Signing Tool v2.14.0
-------------------------------------------------------------------
STM32AP Signing Tool [Version v2.14.0 ] <'-?' for help>
Copyright (c) 2022 STMicroelectronics. All rights reserved.
Please enter the binary image file Path
/home/viveris/julien/tf-a-stm32mp157f-ev1-sdcard.stm32
Please select decrypting algorithm 1. prime256v1 2. brainpoolP256t1 (1/2)?
1
Please enter the public key file Path
/home/viveris/julien/keys/stm32mp15/publicKey.pem
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73417f4 in QString::append(QString const&) () from /home/viveris/julien/STM32CubeProgrammer-2.14.0/bin/../lib/libQt5Core.so.5
I do not think the 2 segmentation faults are related because this one happens using the publicKey, whereas with bitbake it tends to occur using a too long password for the private key.
Regards.
2023-11-17 05:42 AM - edited 2023-11-17 06:33 AM
@jdebaud ,
Thank you for taking the time to help understand this issue.
I took the same version of CubeProgrammer as you have and ran the following commands:
- STM32MP_KeyGen_CLI -abs ./ -pwd azertyuiopsdfghjkmlkjfhdgsfdhfnzeivnzrgnpzergbvepzbpzengvpzqbnpzbrg -n 1
- STM32MP_SigningTool_CLI -pubk ./publicKey00.pem -prvk ./privateKey00.pem -pwd azertyuiopsdfghjkmlkjfhdgsfdhfnzeivnzrgnpzergbvepzbpzengvpzqbnpzbrg -t fsbl -bin <my_tfa_path>/tf-a-stm32mp157f-dk-sdcard.stm32 -o ./tf-a-sdcard_Signed.stm32
I do not face any issue... Did you try to reinstall your CubeProgrammer tool? I would like to leave you with something working.
Kind regards,
Erwan.
2023-11-17 06:10 AM
I've just tried to uninstall and reinstall the CubeProgrammer tools but I have the exact same result in standalone mode.
To add some context, here is the content of my /etc/os-release file:
NAME="Linux Mint"
VERSION="21.2 (Victoria)"
ID=linuxmint
I have more to tell about the error. I tried to use it passing the args in the command line just as you wrote it in your last post:
./STM32MP_SigningTool_CLI -pubk path/publicKey.pem -prvk path/privateKey.pem -pwd password -t fsbl -bin path/tf-a-stm32mp157f-ev1-sdcard.stm32 -o path/tf-a-stm32mp157f-ev1-sdcard-SIGNED.stm32
With gdb I have the following:
-------------------------------------------------------------------
STM32MP Signing Tool v2.14.0
-------------------------------------------------------------------
Prime256v1 curve is selected.
Error: extracting public key fails
Error: extracting public key fails
Error: extracting public key fails
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b27e62 in EVP_PKEY_cmp () from /home/viveris/julien/STM32CubeProgrammer-2.14.0/bin/../lib/libcrypto.so.1.0.0
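Added example, not part of the thread and not ST tooling: since the log above shows "extracting public key fails" just before the crash in EVP_PKEY_cmp, one way to separate a key-file problem from a tool bug is to check the PEM pair with the system OpenSSL before handing it to the Signing Tool. It assumes the key files are PEM that `openssl pkey` can read; `check_keypair`, `make_demo_pair` and `KEY_PASS` are hypothetical names.

```shell
#!/bin/sh
# Added diagnostic sketch, not ST tooling. Names here are hypothetical.
# The passphrase is read from the KEY_PASS environment variable so that it
# does not appear in the process argument list.

# check_keypair PUB.pem PRIV.pem
#   0  both files parse and the public key belongs to the private key
#   2  public key file cannot be parsed
#   3  private key cannot be parsed or decrypted with $KEY_PASS
#   4  both parse, but they are not a pair
check_keypair() {
    ck_tmp=$(mktemp -d) || return 1
    ck_rc=0
    if ! openssl pkey -pubin -in "$1" -pubout -outform DER \
            -out "$ck_tmp/pub.der" 2>/dev/null; then
        ck_rc=2
    elif ! openssl pkey -in "$2" -passin env:KEY_PASS -pubout -outform DER \
            -out "$ck_tmp/derived.der" 2>/dev/null; then
        ck_rc=3
    elif ! cmp -s "$ck_tmp/pub.der" "$ck_tmp/derived.der"; then
        ck_rc=4
    fi
    rm -rf "$ck_tmp"
    return "$ck_rc"
}

# make_demo_pair DIR: constructed sample input, a prime256v1 pair whose
# private key is encrypted with $KEY_PASS (a stand-in for KeyGen output).
make_demo_pair() {
    openssl ecparam -name prime256v1 -genkey -noout |
        openssl pkey -aes-128-cbc -passout env:KEY_PASS \
            -out "$1/privateKey.pem" &&
    openssl pkey -in "$1/privateKey.pem" -passin env:KEY_PASS \
        -pubout -out "$1/publicKey.pem"
}

# Usage: KEY_PASS=... sh check_keypair.sh publicKey.pem privateKey.pem
if [ "$#" -eq 2 ]; then
    check_keypair "$1" "$2"
    echo "check_keypair exit status: $?"
fi
```

A status of 2 or 3 points at the key files or the passphrase rather than at the Signing Tool; a status of 0 with the tool still crashing points back at the tool or its bundled libraries.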
2023-11-17 06:44 AM
@jdebaud ,
I asked some colleagues to do the same test with me on Ubuntu 20.04 and 22.04, and with openssl v3.x (libcrypto3) and openssl v1 (libcrypto1) but we did not notice such an error. Unfortunately I do not have a Linux Mint distribution PC somewhere here, and I will not be able to test with the exact same conditions, but as Mint is based on Ubuntu, it seems weird to see such a delta in the final status.
Regards,
Erwan.