[参考译文] SK-AM62B-P1：时基故障特征故障

1/. 使用的是哪个 SDK 版本？
2/. 测试是在 TI 电路板上进行的还是在客户电路板上进行的？
此致！
-hong

您好、Hong：

pengwei yu 说：

1/。 使用的是哪个 SDK 版本？[/QUOT]

不是 SDK Yocto krikstone  

pengwei yu 说：

2/。 在 TI 主板还是客户主板上进行测试？[/QUOT]

TI 董事会：SK-AM62B-P1

[/quote]

我建议参考有关如何签署内核适应映像的 SDK 链接
https://software-dl.ti.com/processor-sdk-linux/esd/AM62X/latest/exports/docs/linux/Foundational_Components_Kernel_Users_Guide．html#creating-the-kernel-fitimage-for-high-security-device-gp-devices
此致！
-hong

尊敬的 Hong：

我已经完成了这个,但不明白信任的根是如何建立在 uboot 和 FIT 之间。  

问题1。 我是否应该用电子保险丝时生成的密钥替换 custMpk.key？

这是另一个 e2e、供您参考、了解如何通过 u-boot 验证内核适配映像
https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1413163/am6412-signing-kernel-fit-image-for-secure-boot/5415574#5415574
A1、是的。
此致！
-hong

您好、Hong：

感谢您的参考！

我正在使用 Yocto krikstone 进行构建,我所做的是附加下面,

用于测试-我 在 Yocto 编译、和中替换了 ti/keys/custMpk.pem 密钥编写器中的 smpk.pem  

已在 conf 文件中启用以下功能、

uBoot_sign_enable ="1"

uBoot_sign_KEYDIR =".../keys"
uboot_sign_keyname ="dev"

然后生成、uboot 和 fitImage、

但仍然发生了相同的错误

=>可以引导至 u-boot

=> bootm 0x90000000
##从 FIT Image 载入内核90000000 ...
  使用'conf-ti_k3-am625-art.dtb'配置
  验证散列完整性... fit_config_verify_required_keys：未找到签名节点：FDT_ERR_NOTFOUND
错误数据哈希
错误：无法获取内核映像！

附加下面的 fitimage.it文件

/dts-v1/;
 
/ {
        description = "Kernel fitImage ..../6.1.83+gitAUTOINC+c1c2f1971f/am62xx";
        #address-cells = <1>;
 
        images {
                kernel-1 {
                        description = "Linux kernel";
                        data = /incbin/("linux.bin");
                        type = "kernel";
                        arch = "arm64";
                        os = "linux";
                        compression = "gzip";
                        load = <0x81000000>;
                        entry = <0x81000000>;
                        hash-1 {
                                algo = "sha512";
                        };
                };
                fdt-ti_k3-am625-art.dtb {
                        description = "Flattened Device Tree blob";
                        data = /incbin/("arch/arm64/boot/dts/ti/k3-am625-art`.dtb");
                        type = "flat_dt";
                        arch = "arm64";
                        compression = "none";
                        load = <0x83000000>;
                        hash-1 {
                                algo = "sha512";
                        };
                };
                ramdisk-1 {
                        description = "*****-image-dev";
                        data = /incbin/("/home/................/tisdk/build/deploy-ti/images/am62xx/*****-image-dev-am62xx.cpio.xz");
                        type = "ramdisk";
                        arch = "arm64";
                        os = "linux";
                        compression = "none";
                        load = <0x84000000>;
                        entry = <0x84000000>;
                        hash-1 {
                                algo = "sha512";
                        };
                };
	};
 
        configurations {
                default = "conf-ti_k3-am625-art.dtb";
                conf-ti_k3-am625-art.dtb {
                        description = "1 Linux kernel, FDT blob, ramdisk";
                        kernel = "kernel-1";
                        fdt = "fdt-ti_k3-am625-art.dtb";
                        ramdisk = "ramdisk-1";

                        hash-1 {
                                algo = "sha512";
                        };
                        signature-1 {
                                algo = "sha512,rsa4096";
                                key-name-hint = "dev";
                                padding = "pkcs-1.5";
                                sign-images = "kernel", "fdt", "ramdisk";
                        };
                };
	};
};

请允许我将您有关 Yocto 的问题交给我的同事、以便跟进。
此致！
-hong

RJ DJ、

用于测试-我 在 Yocto 编译、和中替换了 ti/keys/custMpk.pem 密钥编写器中的 smpk.pem  

已在 conf 文件中启用以下功能、

uBoot_sign_enable ="1"

uBoot_sign_KEYDIR =".../keys"
uboot_sign_keyname ="dev"

然后生成、uboot 和 fitImage、

您是否验证了 U-Boot 构建的时间戳、以确保您实际上正在使用/部署更新的 U-Boot 二进制文件？ 在这方面 Yocto 可能是棘手的。

# Build and deploy "tiboot3.bin" (and it's device-specific variants)
$ MACHINE=am62xx-evm bitbake -c deploy mc:k3r5:u-boot

# Build and deploy "tispl.bin" and "u-boot.img"
$ MACHINE=am62xx-evm bitbake -c deploy u-boot

此致、Andreas

尊敬的 Andreas Dannenberg：

重建两个、但发生了相同的错误、

Q1 key-name-hint 是否应为文件夹名称？

Unknown 说：

在下面附加 fitimage.its 文件

这里是密钥名称,我错过了什么?  您还可以指出哪个类将公钥附加到 uboot.img、我已经拟合了图像内核类。  

Q2、 为了测试目的、我在 configs 以下禁用、 清理并重建 k3r5、uboot、fimage  

uBoot_sign_enable ="1"

uBoot_sign_KEYDIR =".../keys"
uboot_sign_keyname ="dev

并将其引导至根目录、我假设我用于刷写到 OTP 的 custMpk.pem 是相同的、这就是为什么它会引导、但它如何在 uboot 和 FIT 映像之间进行身份验证？ IT 用户是否有责任添加固定映像签名？ ,在下面附加日志,

U-Boot SPL 2023.04-ti-g836606420854 (May 09 2024 - 05:42:45 +0000)
SYSFW ABI: 3.1 (firmware rev 0x0009 '9.2.8--v09.02.08 (Kool Koala)')
SPL initial stack usage: 13408 bytes
Trying to boot from DFU
##########################################################DOWNLOAD ... OK
Ctrl+C to exit ...
Authentication passed
Authentication passed
Authentication passed
Loading Environment from nowhere... OK
init_env from device 10 not supported!
Authentication passed
Authentication passed
Starting ATF on ARM64 core...
 
NOTICE:  BL31: v2.10.0(release):v2.10.0-367-g00f1ec6b87-dirty
NOTICE:  BL31: Built : 16:09:05, Feb  9 2024
 
U-Boot SPL 2023.04-ti-g836606420854 (May 09 2024 - 05:42:45 +0000)
SYSFW ABI: 3.1 (firmware rev 0x0009 '9.2.8--v09.02.08 (Kool Koala)')
SPL initial stack usage: 1856 bytes
MMC: no card present
** Bad device specification mmc 1 **
Couldn't find partition mmc 1:1
Error: could not access storage.
Trying to boot from DFU
####DOWNLOAD ... OK
Ctrl+C to exit ...
Authentication passed
Authentication passed
 
 
U-Boot 2023.04-ti-g836606420854 (May 09 2024 - 05:42:45 +0000)
 
SoC:   AM62X SR1.0 HS-SE
Model: Texas Instruments AM625 SK
EEPROM not available at 80, trying to read at 81
Board: AM62B-SKEVM-P1 rev A
DRAM:  no bloblist found!2 GiB
Core:  72 devices, 32 uclasses, devicetree: separate
MMC:   mmc@fa10000: 0, mmc@fa00000: 1
Loading Environment from nowhere... OK
In:    serial
Out:   serial
Err:   serial
Net:   eth0: ethernet@8000000port@1
Hit any key to stop autoboot:  0 
=> 
=> 
=> 
=> 
=> 
=> bdinfo
boot_params = 0x0000000000000000
DRAM bank   = 0x0000000000000000
-> start    = 0x0000000080000000
-> size     = 0x0000000080000000
flashstart  = 0x0000000000000000
flashsize   = 0x0000000000000000
flashoffset = 0x0000000000000000
baudrate    = 115200 bps
relocaddr   = 0x00000000fff06000
reloc off   = 0x000000007f706000
Build       = 64-bit
current eth = ethernet@8000000port@1
ethaddr     = 1c:63:49:1f:d9:2e
IP addr     = <NULL>
fdt_blob    = 0x00000000fded7840
new_fdt     = 0x00000000fded7840
fdt_size    = 0x000000000000f540
Video       = dss@30200000 inactive
multi_dtb_fit= 0x0000000000000000
lmb_dump_all:
memory.cnt  = 0x1
memory[0]      [0x80000000-0xffffffff], 0x80000000 bytes flags: 0
reserved.cnt  = 0x4
reserved[0]    [0x9ca00000-0x9cafffff], 0x00100000 bytes flags: 0
reserved[1]    [0x9cb00000-0x9e6fffff], 0x01c00000 bytes flags: 4
reserved[2]    [0x9e780000-0x9fffffff], 0x01880000 bytes flags: 4
reserved[3]    [0xfced2000-0xffffffff], 0x0312e000 bytes flags: 0
devicetree  = separate
arch_number = 0x0000000000000000
TLB addr    = 0x00000000ffff0000
irq_sp      = 0x00000000fded6ff0
sp start    = 0x00000000fded6ff0
Early malloc usage: 3c28 / 8000
=> fdt addr 0x00000000fded7840
Working FDT set to fded7840
=> fdt list/signature
/ {
        model = "Texas Instruments AM625 SK";
        compatible = "ti,am625-sk", "ti,am625";
        interrupt-parent = <0x00000001>;
        #address-cells = <0x00000002>;
        #size-cells = <0x00000002>;
        signature {
        };
        chosen {
        };
        firmware {
        };
        timer-cl0-cpu0 {
        };
        pmu {
        };
        bus@f0000 {
        };
        cpus {
        };
        opp-table {
        };
        l2-cache0 {
        };
        aliases {
        };
        memory@80000000 {
        };
        reserved-memory {
        };
        regulator-0 {
        };
        regulator-1 {
        };
        regulator-2 {
        };
        regulator-3 {
        };
        regulator-4 {
        };
        leds {
        };
        panel-lvds {
        };
        binman {
        };
        __symbols__ {
        };
};

----------- here signature is listed but which is used is not shown---?

------------------------------------
=> bootm 0x90000000
## Loading kernel from FIT Image at 90000000 ...
   Using 'conf-ti_k3-am625-XXX.dtb' configuration
   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
   Trying 'kernel-1' kernel subimage
     Description:  Linux kernel
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x900000f4
     Data Size:    8246853 Bytes = 7.9 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x81000000
     Entry Point:  0x81000000
     Hash algo:    sha512
     Hash value:   1b42c827f92afac2653db3a482937882904f2c2daceab0f3bc6215f89f22395939a98442e560403acf43a915311552a8c78fdb2182e65993234c2a54ef8209db
   Verifying Hash Integrity ... sha512+ OK
## Loading ramdisk from FIT Image at 90000000 ...
   Using 'conf-ti_k3-am625-XXX.dtb' configuration
   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
   Trying 'ramdisk-1' ramdisk subimage
     Description:  artemis-image-dev
     Type:         RAMDisk Image
     Compression:  uncompressed
     Data Start:   0x907ec444
     Data Size:    19734856 Bytes = 18.8 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x84000000
     Entry Point:  0x84000000
     Hash algo:    sha512
     Hash value:   be307e738f462572b9cb84044113a30d0281eb550b17c7cf7163f353f4651f671c2057cf819ed53b72e76682d1d440942316d81489de72f04ec097b32a5d10b4
   Verifying Hash Integrity ... sha512+ OK
   Loading ramdisk from 0x907ec444 to 0x84000000
## Loading fdt from FIT Image at 90000000 ...
   Using 'conf-ti_k3-am625-XXX.dtb' configuration
   Verifying Hash Integrity ... sha512,rsa4096:custMpk+ OK
   Trying 'fdt-ti_k3-am625-XXX.dtb' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x907dd870
     Data Size:    60118 Bytes = 58.7 KiB
     Architecture: AArch64
     Load Address: 0x83000000
     Hash algo:    sha512
     Hash value:   7bf126eefc13ccad05daf33f6e7554653e8ffab051a1baf70219f9a339d9ae0d6718cc6a660d991f83ffa6b3046cad148b7a08a7f05a18312518988170e36fe6
   Verifying Hash Integrity ... sha512+ OK
   Loading fdt from 0x907dd870 to 0x83000000
   Booting using the fdt blob at 0x83000000
Working FDT set to 83000000
   Uncompressing Kernel Image
   Loading Ramdisk to 8ed2d000, end 8ffff148 ... OK
   Loading Device Tree to 000000008ed1b000, end 000000008ed2cad5 ... OK
Working FDT set to 8ed1b000
 
Starting kernel ...

问题3。  配置后出现的波形  

uBoot_sign_enable ="1"

uBoot_sign_KEYDIR =".../keys"
uboot_sign_keyname ="dev"

并重建所有的图像,仍然得到签名错误。。 ！ 附加以下日志  

=> bdinfo

fdt_blob    = 0x00000000fded7840

=> fdt addr 0x00000000fded7840
Working FDT set to fded7840

=> fdt list/signature
/ {
        model = "Texas Instruments AM625 SK";
        compatible = "ti,am625-sk", "ti,am625";
        interrupt-parent = <0x00000001>;
        #address-cells = <0x00000002>;
        #size-cells = <0x00000002>;
        chosen {
        };
        firmware {
        };
        timer-cl0-cpu0 {
        };
        pmu {
        };
        bus@f0000 {
        };
        cpus {
        };
        opp-table {
        };
        l2-cache0 {
        };
        aliases {
        };
        memory@80000000 {
        };
        reserved-memory {
        };
        regulator-0 {
        };
        regulator-1 {
        };
        regulator-2 {
        };
        regulator-3 {
        };
        regulator-4 {
        };
        leds {
        };
        panel-lvds {
        };
        binman {
        };
        __symbols__ {
        };
};

=> bootm 0x90000000
## Loading kernel from FIT Image at 90000000 ...
   Using 'conf-ti_k3-am625-xxx.dtb' configuration
   Verifying Hash Integrity ... fit_config_verify_required_keys: No signature node found: FDT_ERR_NOTFOUND
Bad Data Hash
ERROR: can't get kernel image!

请参阅两个日志中的签名节点差异、它是构建问题吗？..

此致

-RJ

尊敬的 Andreas Dannenberg：

任何更新,我还附加一个日志 iminfo 日志,你可以看到哈希值不可用  

## Checking Image at 90000000 ...
   FIT image found
   FIT description: Kernel fitImage for xxxxxx/6.1.83+gitAUTOINC+c1c2f1971f/am62xx-xxx
    Image 0 (kernel-1)
     Description:  Linux kernel
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x900000f4
     Data Size:    8246853 Bytes = 7.9 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x81000000
     Entry Point:  0x81000000
     Hash algo:    sha512
     Hash value:   1b42c827f92afac2653db3a482937882904f2c2daceab0f3bc6215f89f22395939a98442e560403acf43a915311552a8c78fdb2182e65993234c2a54ef8209db
    Image 1 (fdt-ti_k3-am625-xxx.dtb)
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x907dd870
     Data Size:    60118 Bytes = 58.7 KiB
     Architecture: AArch64
     Load Address: 0x83000000
     Hash algo:    sha512
     Hash value:   7bf126eefc13ccad05daf33f6e7554653e8ffab051a1baf70219f9a339d9ae0d6718cc6a660d991f83ffa6b3046cad148b7a08a7f05a18312518988170e36fe6
    Image 2 (ramdisk-1)
     Description:  xxxxxxxx-image-dev
     Type:         RAMDisk Image
     Compression:  uncompressed
     Data Start:   0x907ec444
     Data Size:    19734856 Bytes = 18.8 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x84000000
     Entry Point:  0x84000000
     Hash algo:    sha512
     Hash value:   be307e738f462572b9cb84044113a30d0281eb550b17c7cf7163f353f4651f671c2057cf819ed53b72e76682d1d440942316d81489de72f04ec097b32a5d10b4
    Default Configuration: 'conf-ti_k3-am625-xxx.dtb'
    Configuration 0 (conf-ti_k3-am625-xxx.dtb)
     Description:  1 Linux kernel, FDT blob, ramdisk
     Kernel:       kernel-1
     Init Ramdisk: ramdisk-1
     FDT:          fdt-ti_k3-am625-xxx.dtb
     Hash algo:    sha512
     Hash value:   unavailable
     Sign algo:    sha512,rsa4096:custMpk
     Sign padding: pkcs-1.5
     Sign value:   0c349e6ddddac43ae4ac431c994128664c2dcb08b5f6ff11204b3a0685921489cc7fa76ead4080344d7b2527070a6c66489106ce4a56e9e0f29331dab7a115ecd9b2661c75b409b4326cc4604ee2347188d9a92869bde4f92abf46e662950318
## Checking hash(es) for FIT Image at 90000000 ...
   Hash(es) for Image 0 (kernel-1): sha512+ 
   Hash(es) for Image 1 (fdt-ti_k3-am625-xxx.dtb): sha512+ 
   Hash(es) for Image 2 (ramdisk-1): sha512+ 

同时还附加 log.do_assembly_fitImage log ,这里你可以看到 signate-1节点错误它来自 uboot/tools/image-host.c 行号951,我在黑暗中刮,为什么会发生这种情况..?

DEBUG: Executing python function extend_recipe_sysroot
NOTE: Direct dependencies are [..........................]

NOTE: Invalidating stamps for task do_deploy
NOTE: Installed into sysroot: []
NOTE: Skipping as already exists in sysroot: ['u-boot-ti-staging', 'binutils-cross-aarch64', 'gcc-cross-aarch64', 'quilt-native', 'ti-k3-secdev-native', 'u-boot-tools-native', 'openssl-native', 'bison-native', 'patch-native', 'pkgconfig-native', 'pseudo-native', 'bc-native', 'dtc-native', 'kmod-native', 'gmp-native', 'libmpc-native', 'python3-native', 'flex-native', 'trusted-firmware-a', 'ti-dm-fw', 'optee-os', 'ti-sci-fw', 'glibc', 'gcc-runtime', 'libtool-native', 'attr-native', 'zlib-native', 'gnu-config-native', 'texinfo-dummy-native', 'readline-native', 'xz-native', 'gettext-minimal-native', 'perl-native', 'mpfr-native', 'zstd-native', 'linux-libc-headers', 'sqlite3-native', 'bzip2-native', 'ncurses-native', 'libnsl2-native', 'gdbm-native', 'libffi-native', 'libtirpc-native', 'util-linux-libuuid-native', 'm4-native', 'opkg-utils', 'libgcc', 'make-native']
DEBUG: Python function extend_recipe_sysroot finished
DEBUG: Executing shell function do_assemble_fitimage
gzip
FIT description: Kernel fitImage for xxxxxx/6.1.83+gitAUTOINC+c1c2f1971f/am62xx-xxx
Created:         Mon May 13 20:19:51 2024
Image 0 (kernel-1)
  Description:  Linux kernel
  Created:      Mon May 13 20:19:51 2024
  Type:         Kernel Image
  Compression:  gzip compressed
  Data Size:    8243836 Bytes = 8050.62 KiB = 7.86 MiB
  Architecture: AArch64
  OS:           Linux
  Load Address: 0x81000000
  Entry Point:  0x81000000
  Hash algo:    sha512
  Hash value:   90153f6b9e995d8d0e6364e4c169ca7266f21d96a8ba91676875db40883b25ecae731fdfc944891ca0dcfad65d35580ad4faabd3313e58a64f4d5eb7dcc619b7
Image 1 (fdt-ti_k3-am625-xxx.dtb)
  Description:  Flattened Device Tree blob
  Created:      Mon May 13 20:19:51 2024
  Type:         Flat Device Tree
  Compression:  uncompressed
  Data Size:    60118 Bytes = 58.71 KiB = 0.06 MiB
  Architecture: AArch64
  Load Address: 0x83000000
  Hash algo:    sha512
  Hash value:   7bf126eefc13ccad05daf33f6e7554653e8ffab051a1baf70219f9a339d9ae0d6718cc6a660d991f83ffa6b3046cad148b7a08a7f05a18312518988170e36fe6
Default Configuration: 'conf-ti_k3-am625-xxx.dtb'
Configuration 0 (conf-ti_k3-am625-xxx.dtb)
  Description:  1 Linux kernel, FDT blob
  Kernel:       kernel-1
  FDT:          fdt-ti_k3-am625-xxx.dtb
  Hash algo:    sha512
  Hash value:   unavailable
  Sign algo:    sha512,rsa4096:dev
  Sign padding: pkcs-1.5
  Sign value:   unavailable
  Timestamp:    unavailable
WARNING: debug ****************************************************************
Failed to add verification data for 'signature-1' signature node in 'conf-ti_k3-am625-xxx.dtb' configuration node
FIT description: Kernel fitImage for xxxxxx/6.1.83+gitAUTOINC+c1c2f1971f/am62xx-xxx
Created:         Mon May 13 20:19:51 2024
Image 0 (kernel-1)
  Description:  Linux kernel
  Created:      Mon May 13 20:19:51 2024
  Type:         Kernel Image
  Compression:  gzip compressed
  Data Size:    8243836 Bytes = 8050.62 KiB = 7.86 MiB
  Architecture: AArch64
  OS:           Linux
  Load Address: 0x81000000
  Entry Point:  0x81000000
  Hash algo:    sha512
  Hash value:   90153f6b9e995d8d0e6364e4c169ca7266f21d96a8ba91676875db40883b25ecae731fdfc944891ca0dcfad65d35580ad4faabd3313e58a64f4d5eb7dcc619b7
Image 1 (fdt-ti_k3-am625-xxx.dtb)
  Description:  Flattened Device Tree blob
  Created:      Mon May 13 20:19:51 2024
  Type:         Flat Device Tree
  Compression:  uncompressed
  Data Size:    60118 Bytes = 58.71 KiB = 0.06 MiB
  Architecture: AArch64
  Load Address: 0x83000000
  Hash algo:    sha512
  Hash value:   7bf126eefc13ccad05daf33f6e7554653e8ffab051a1baf70219f9a339d9ae0d6718cc6a660d991f83ffa6b3046cad148b7a08a7f05a18312518988170e36fe6
Default Configuration: 'conf-ti_k3-am625-xxx.dtb'
Configuration 0 (conf-ti_k3-am625-xxx.dtb)
  Description:  1 Linux kernel, FDT blob
  Kernel:       kernel-1
  FDT:          fdt-ti_k3-am625-xxx.dtb
  Hash algo:    sha512
  Hash value:   unavailable
  Sign algo:    sha512,rsa4096:dev
  Sign padding: pkcs-1.5
  Sign value:   7dccd8511b41129623a7669b0cd43d2c410c265a3deadcfe99137ffe79f67cc75e9758a1396ed368986379f8dd4f31c09a47b485b14cb80d3a40311140291d62ecb014c44cdeb108c8d90ce405bdbde2286e56264ac2910adeb72e721b154312ceb17a12e6db34fc34aeaf2c9171b4f077c6458f3ea8b77fe508afed4af88e405dbc9a0033dae09b14ea365b1936fd33184dee464595e03e9dbb96f7755b378d7fb20da8c8347d932f5124af3b7bb2d8fbbedbb11c77fd58cec1ddb2f9052981f346d94cbed2c602e8fde505137d9cad1be62397d86ad2ab20218bc15f70b373ea61b3bf657912774100e0ee509fa4561f84b209d6bee358e353c66aa4a305f18d02770530339fc7ab3b419706eb4e4d58a162c535f62b3af3d46ff31dc1fff8e0c965bdae93a865efd47d1717b6227552b8e4dd3ec6507dd6acdfce04c82e930b23c7b9be4eb2bc761c6b0de6075b501a2db018de73fb13222899aca35028f8ea88e69cd4f537a5edae582202141e2298a4f0ba73b1934a045dd2200327e6dfe9c0408ac459a7cd352a90863ae8c1ac86752df46e75974dd893ea3ac2ce764cdee1bcd1973cbe8fa99bcb533a730f6efb7bfc4b1ba381746b346296f35fc08678108bda41d230db15a7ef1acf47317e35634874df46c6f30a6d19d09ce198e5a4a6ea10aaa4c79e4c31ff4d4f791e04300c20fbdfacef1131f2e65d658c754e
  Timestamp:    Mon May 13 20:19:51 2024
DEBUG: Shell function do_assemble_fitimage finished

此致

-RJ

你好、RJ

您是否尝试过使用绝对路径的  uBoot_sign_KEYDIR 仔细检查了它是否有效？ 我遇到这是在其他构建类型场景中的一个常见问题、即系统在使用相对路径时实际上找不到您认为的位置。 或者、有时构建系统会出现混乱/混乱、或者以其他方式错误地处理相对路径。 我觉得值得一试

此致、Andreas

尊敬的 Andreas Dannenberg：

Xiange Tian 说：

的绝对路径  uBoot_sign_KEYDIR [报价]

我已经在使用绝对路径,  

uBoot_sign_KEYDIR =/home/rj/avoided/avoided/meta-avoided/keys
uboot_sign_keyname ="dev"

uboot_MKIMAGE_DTCOPTS ="-i dts -O dtb -p 2000"
uBoot_sign_enable ="1"

我检查了,改变的路径  uBoot_sign_KEYDIR  To out workspace directory and、和日志显示 permission denied error。 我认为这不是问题的任何其他方式来检查..

同时、我发现另一个类似问题的 e2e 线程、但无法从它下面的连接链接破解解决方案、

https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1275844/tmds64evm-issue-to-boot-fitimage-with-secure-boot-enabled

此致、

-RJ

尊敬的 Andreas Dannenberg：

我还通过 禁用 我为签名拟合图像所做的所有工作来进行检查,  

第109行显示  使用默认 custMpk 时未能为中的"signate-1"签名节点错误添加验证数据。

FIT 签名是默认启用的吗？

附加日志  log.do_assembly_ftimage_initramfs

DEBUG: Executing shell function do_assemble_fitimage_initramfs

gzip

NOTE: Did not find initramfs image: /home/

NOTE: Did not find initramfs image: /home/

NOTE: Did not find initramfs image: /

NOTE: Found initramfs image: /home/

FIT description: Kernel fitImage for AAAAAAAA/6.1.105+gitAUTOINC+92ce8d7d2a/am62xx-XXX

Created:         Tue Oct  8 22:45:21 2024

Image 0 (kernel-1)

  Description:  Linux kernel

  Created:      Tue Oct  8 22:45:21 2024

  Type:         Kernel Image

  Compression:  gzip compressed

  Data Size:    8240981 Bytes = 8047.83 KiB = 7.86 MiB

  Architecture: AArch64

  OS:           Linux

  Load Address: 0x81000000

  Entry Point:  0x81000000

  Hash algo:    sha512

  Hash value:   0d9d4d380c51a7770f74d630dff8e86668f756a4b1eb4f564581805eb5528d8f53aeb39b848142a046b5f8ac243b3342fc6002ef93e9c390ac888a5616c15f7f

Image 1 (fdt-ti_k3-am625-XXX.dtb)

  Description:  Flattened Device Tree blob

  Created:      Tue Oct  8 22:45:21 2024

  Type:         Flat Device Tree

  Compression:  uncompressed

  Data Size:    60266 Bytes = 58.85 KiB = 0.06 MiB

  Architecture: AArch64

  Load Address: 0x83000000

  Hash algo:    sha512

  Hash value:   fca9782226539c2c200a8d6d14d4f69ceac227d030a0c4109117f0b4061bdd87d26703893891da83f499d79a1527bb4843375ba6382a12f74123582a093f4ac8

Image 2 (ramdisk-1)

  Description:  AAAAAAAA-image-dev

  Created:      Tue Oct  8 22:45:21 2024

  Type:         RAMDisk Image

  Compression:  uncompressed

  Data Size:    20019024 Bytes = 19549.83 KiB = 19.09 MiB

  Architecture: AArch64

  OS:           Linux

  Load Address: 0x84000000

  Entry Point:  0x84000000

  Hash algo:    sha512

  Hash value:   431fb5b55bd08e14353ac4120d0342743eea8f64fbc5f74b2215fc635e011da95e506d8c3cf56d0a446eb7fd7a86e4faedbc5e941480c9a20ffb5974cb8c4537

Default Configuration: 'conf-ti_k3-am625-XXX.dtb'

Configuration 0 (conf-ti_k3-am625-XXX.dtb)

  Description:  1 Linux kernel, FDT blob, ramdisk

  Kernel:       kernel-1

  Init Ramdisk: ramdisk-1

  FDT:          fdt-ti_k3-am625-XXX.dtb

  Hash algo:    sha512

  Hash value:   unavailable

  Sign algo:    sha512,rsa4096:custMpk

  Sign padding: pkcs-1.5

  Sign value:   unavailable

  Timestamp:    unavailable

Failed to add verification data for 'signature-1' signature node in 'conf-ti_k3-am625-XX.dtb' configuration node



DEBUG: Shell function do_assemble_fitimage_initramfs finished

此致、

-RJ

你好、RJ

为了进行测试、您是否可以尝试直接编辑/覆盖此处定义的默认设置：

meta-ti/meta-ti-bsp/conf/machine/include/k3.inc

UBOOT_SIGN_KEYNAME ?= "custMpk"
UBOOT_SIGN_KEYDIR ?= "${TI_SECURE_DEV_PKG}/keys"

或者这些更改发生在这里吗？

此致、Andreas

RJ、

我将请我们的安全专家再看看此处。 如果他可以具体指出可能遗漏的内容、那么我可以帮助在 Yocto 中解决这个问题、但我不确定自己应该如何从这些错误消息中总结哪些内容、或者在这里具体出现了哪些问题、而无需花费大量时间来探索所有这些签名流程的工作方式。

另外、您还可以手动克隆用于唱常规 HS-Yocto 器件歌的"TI 安全开发包"(git.ti.com/.../core-secdev-k3)、然后从那里获取密钥并将您的 FS 配置指向这些密钥、看看一般过程是否有效？ 这可能有助于确定您的设置/路径等是否存在问题、或者是否可能存在 key (？) 您生成了什么？

Andreas

尊敬的 Andreas Dannenberg :

感谢您的意见！  

Xiange Tian 说：

我将请我们的安全专家在此再次查看

任何帮助都被赞赏,这是开始驱动我坚果。

您还可以指出 (文件路径/名称) 签名节点是 由内核配方生成的。

谢谢。此致、

-RJ

在从 Yocto 编译内核 fitImage 时、我们是否已检查 SDK 链接中列出的所有步骤都已执行？ 特别是"3.2.1.6.3. 再次构建 uboot"
https://software-dl.ti.com/processor-sdk-linux/esd/AM62X/10_00_07_04/exports/docs/linux/Foundational_Components_Kernel_Users_Guide．html#creating-the-kernel-fitimage-for-high-security-device-gp-devices
此致！
-hong

您好！

我能够删除其中一个错误,但运行到另一个  

## Loading kernel from FIT Image at 90000000 ...
   Using 'conf-ti_k3-am625-xxx.dtb' configuration
   Verifying Hash Integrity ... sha512,rsa4096:dev-  error!
Verification failed for '<NULL>' hash node in 'conf-ti_k3-am625-xxx.dtb' config node
Failed to verify required signature 'key-dev'
Bad Data Hash
ERROR: can't get kernel image!

还附加   log.do_assembly_fitimage_initramfs、在这里可以看到哈希值  

Default Configuration: 'conf-ti_k3-am625-xxx.dtb'

Configuration 0 (conf-ti_k3-am625-xxx.dtb)

  Description:  1 Linux kernel, FDT blob, ramdisk

  Kernel:       kernel-1

  Init Ramdisk: ramdisk-1

  FDT:          fdt-ti_k3-am625-xxx.dtb

  Hash algo:    sha512

  Hash value:   unavailable

  Sign algo:    sha512,rsa4096:dev

  Sign padding: pkcs-1.5

  Sign value:   18de4161f63429c9dc32cd74******************

-RJ

我强烈建议首先测试 Linux SDK 包作为参考。
安装 Linux SDK 后、运行"make linux"将执行有关生成内核 fitImage 的链接中所述的所有步骤
https://software-dl.ti.com/processor-sdk-linux/esd/AM62X/10_00_07_04/exports/docs/linux/Foundational_Components_Kernel_Users_Guide．html#creating-the-kernel-fitimage-for-high-security-device-gp-devices

此致！
-hong

嗨@ Hong Guan64 Andreas Dannenberg  ,

感谢您的输入, 下载 Linux SDK,并尝试运行"使 Linux "同样的错误也发生了,没有做任何事情来签署 fimage 在 SDK,

SDK 版本-  SDK-LINUX-AM62xx-EVM-09.02.01.10

附加 SDK 构建日志、

:~/ti-processor-sdk-linux-am62xx-evm-09.02.01.10$ make linux
=====================================
Building the Linux Kernel DTBs
=====================================
.....
.
.
.
.
# Build FitImage
cd /home/rj/ti-processor-sdk-linux-am62xx-evm-09.02.01.10/board-support/ti-linux-kernel* ; cp arch/arm64/boot/Image.gz ./linux.bin ; cd ..
cp /home/rj/ti-processor-sdk-linux-am62xx-evm-09.02.01.10/board-support/prebuilt-images/am62xx-evm/fitImage-its-am62xx-evm /home/rj/ti-processor-sdk-linux-am62xx-evm-09.02.01.10/board-support/ti-linux-kernel*
mkimage -r -f /home/rj/ti-processor-sdk-linux-am62xx-evm-09.02.01.10/board-support/ti-linux-kernel*/fitImage-its-am62xx-evm -k /home/rj/ti-processor-sdk-linux-am62xx-evm-09.02.01.10/board-support/ti-u-boot*/board/ti/keys -K /home/rj/ti-processor-sdk-linux-am62xx-evm-09.02.01.10/board-support/u-boot-build/a53/arch/arm/dts/k3-am625-sk.dtb /home/roopak/ti-processor-sdk-linux-am62xx-evm-09.02.01.10/board-support/built-images/fitImage
Can't set hash 'value' property for 'hash-1' node(FDT_ERR_NOSPACE)
Can't set hash value for 'hash-1' hash node in 'fdt-ti_k3-am625-sk-microtips-mf103hie-lcd2.dtbo' image node
Invalid key name '/home/rj/keys': contains '/' 
Failed to sign 'signature-1' signature node in 'conf-ti_k3-am625-sk.dtb' conf node
mkimage Can't add hashes to FIT blob: -1
make: *** [makerules/Makefile_linux:13: linux] Error 255
:~/ti-processor-sdk-linux-am62xx-evm-09.02.01.10$

此致、

-RJ

我附上运行"make Linux"与 AM62x SDK 10.0.7.4时的构建日志、供您参考。
内核 fitImage 是在日志中存在一些构建错误的情况下创建的、内核 fitImage 在 HS-SE 上引导正常。
此致！
-hong

e2e.ti.com/.../am62_2D00_sk_5F00_10.0.7.4_5F00_fitImage.log

尊敬的 Hong：

下载 AM62x SDK 10.0.7.4 ,从运行"make linux"附加构建日志仍然错误,并且 在我的最新 SDK 中缺少 ti/keys 路径,为什么?

# Build FitImage
cd /home/user1/ti-processor-sdk-linux-am62xx-evm-10.00.07.04/board-support/ti-linux-kernel* ; cp arch/arm64/boot/Image.gz ./linux.bin ; cd ..
cp /home/user1/ti-processor-sdk-linux-am62xx-evm-10.00.07.04/board-support/prebuilt-images/am62xx-evm/fitImage-its-am62xx-evm /home/user1/ti-processor-sdk-linux-am62xx-evm-10.00.07.04/board-support/ti-linux-kernel*
mkimage -r -f /home/user1/ti-processor-sdk-linux-am62xx-evm-10.00.07.04/board-support/ti-linux-kernel*/fitImage-its-am62xx-evm -k /home/user1/ti-processor-sdk-linux-am62xx-evm-10.00.07.04/board-support/ti-u-boot*/board/ti/keys -K /home/user1/ti-processor-sdk-linux-am62xx-evm-10.00.07.04/board-support/u-boot-build/a53/arch/arm/dts/k3-am625-sk.dtb /home/user1/ti-processor-sdk-linux-am62xx-evm-10.00.07.04/board-support/built-images/fitImage
Couldn't open RSA private key: '/home/user1/ti-processor-sdk-linux-am62xx-evm-10.00.07.04/board-support/ti-u-boot*/board/ti/keys/custMpk.key': No such file or directory
Failed to sign 'signature-1' signature node in 'conf-ti_k3-am625-sk.dtb' conf node
FIT description: Kernel fitImage for Arago/6.6.32+git/am62xx-evm
Created:         Fri Dec 20 14:42:10 2024
Image 0 (kernel-1)
  Description:  Linux kernel
  Created:      Fri Dec 20 14:42:10 2024
  Type:         Kernel Image

从 SDK 10.x 开始对密钥文件夹位置进行了更改
https://git.ti.com/cgit/ti-u-boot/ti-u-boot/commit/arch/arm/dts/k3-binman.dtsi?h=10.00.07&id=110b07c8bcb611ddf5b6bed44f5eb9ac14ebecec

我忘了提及,我在上次回复中使用 SDK 10.0.7.4运行"make Linux"时,在 makerules/Makefile_linux 中进行了如下更改
--k $(uBoot_SRC_DIR)/board/ti/keys
+-k $(uBoot_SRC_DIR)/arch/arm/mach-k3/keys

此致！
-hong