cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ratin
Observer
Observer
527 Views
Registered: ‎02-22-2021

u-boot load issue in secure mode (SD boot mode)

Hi,  I am working with a ZC706 eval board, I enabled AES encryption (BBRAM) and RSA PSK/SSK (eFuse) and created boot.bin with encryption enabled. If I use my own bare metal apps to test, I can get past all the secure boot processes and my app runs properly. But if I load u-boot.img + linux/ramdisk image, boot fails throwing the error INVALID_LOAD_ADDRESS_FAIL (partition 2 is u-boot.img) 

 

================== BEGIN =========================================

Xilinx First Stage Boot Loader

<SNIP>

PCAP MCTRL 0xF8007080: 0x34800100

...................................................................................................

DMA Done !

.......................................................

FPGA Done !

In FsblHookAfterBitstreamDload function

Partition Number: 2

Header Dump

Image Word Len: 0x0001DE0B

Data Word Len: 0x0001DD4C

Partition Word Len:0x0001DFC0

Load Addr: 0x00000000

Exec Addr: 0x00000000

Partition Start: 0x0033D400

Partition Attr: 0x00008010

Partition Checksum Offset: 0x00000000

Section Count: 0x00000001

Checksum: 0xFF905C67

Application

Encrypted

RSA Signed

INVALID_LOAD_ADDRESS_FAIL

FSBL Status = 0xA00F

 

This Boot Mode 0x5 Doesn't Support Fallback

In FsblHookFallback function

 

 

================== END ============================

The info on u-boot.img: 

u-boot.img: u-boot legacy uImage, U-Boot 2017.01 for zynq board, Firmware/ARM, Firmware Image (Not compressed), 488688 bytes, Thu Mar 25 22:12:39 2021, Load Address: 0x04000000, Entry Point: 0x04000000, Header CRC: 0xD99DD5F7, Data CRC: 0x674D1203

I compiled u-boot from uboot-mathworks_zynq_R20.2.0 distro

My bif file:

//arch = zynq; split = false; format = BIN
the_ROM_image:
{
[aeskeyfile]output.nky
[ppkfile] /home/ratin/work/rsa/ppkfile.pub
[pskfile] /home/ratin/work/rsa/pskfile.pem
[spkfile] /home/ratin/work/rsa/spkfile.pub
[sskfile] /home/ratin/work/rsa/sskfile.pem
[bootloader, encryption = aes, authentication=rsa]ratin_fsbl_debug_enabled.elf
[encryption = aes, authentication=rsa, offset = 0x40000]system_wrapper.bit
[encryption = aes, authentication=rsa, offset = 0xCF5000]../u-boot.img
[encryption = aes, authentication=rsa, offset = 0xd80000]../uImage
[encryption = aes, authentication=rsa, offset = 0x11E0580]../uramdisk.image.gz
[encryption = aes, authentication=rsa, offset = 0x3a00000]devicetree.dtb
}

Keeping everything else intact, just changing the u-boot.img to my own bare-metal app makes it to work.

Any idea why the load/exec  addr reported as 0x000000 for the u-boot.img? 

 

Thanks

Ratin

0 Kudos
8 Replies
ibaie
Xilinx Employee
Xilinx Employee
461 Views
Registered: ‎10-06-2016

Hi @ratin 

You BIF file does not seem to be appropriate for me, I mean you are loading a bunch of binary blobs but you do not specify where to load any of them, so not surprisingly the FSBL seems to be using address 0x0 for all of them. As documented in UG1283, you should use the load attribute to provide the load address of the different blobs.

Regards


Ibai
Don’t forget to reply, kudo, and accept as solution.
0 Kudos
ratin
Observer
Observer
422 Views
Registered: ‎02-22-2021

Hi Ibalie,

 Thanks a lot for your reply - I modified the bif file to add DDR offsets, now it goes thru loading them in the DDR offsets but handoff still 0x0 - How can I force it to be where u-boot.img is loaded (0xD000000)? 

 

Log

================================

//arch = zynq; split = false; format = BIN
the_ROM_image:
{
[aeskeyfile]output.nky
[ppkfile] /home/ratin/work/rsa/ppkfile.pub
[pskfile] /home/ratin/work/rsa/pskfile.pem
[spkfile] /home/ratin/work/rsa/spkfile.pub
[sskfile] /home/ratin/work/rsa/sskfile.pem
[bootloader, encryption = aes, authentication=rsa, load=0x0]ratin_fsbl_debug_enabled.elf
[encryption = aes, authentication=rsa, load=0x100000, offset = 0x40000]system_wrapper.not
[encryption = aes, authentication=rsa, load=0xD00000, offset = 0xCF5000]../u-boot.bin
[encryption = aes, authentication=rsa, load=0xE00000, offset = 0xd80000]../uImage
[encryption = aes, authentication=rsa, load=0x2000000, offset = 0x11E0580]../uramdisk.image.gz
[encryption = aes, authentication=rsa, load=0x6000000, offset = 0x3a00000]devicetree.dtb
}

FSBL is running from internal ram so I didn't provide a load= attribute for it (am I supposed to?). 

Xilinx First Stage Boot Loader

Release 2018.2 Mar 25 2021-14:08:57

Devcfg driver initialized

Silicon Version 3.1

Boot mode is SD

SD: rc= 0

SD Init Done

Flash Base Address: 0xE0100000

Reboot status register: 0x60400000

Multiboot Register: 0x0000C000

Image Start Address: 0x00000000

Partition Header Offset:0x00000C80

Partition Count: 6

RSA enabled for Chip

Partition Number: 1

Header Dump

Image Word Len: 0x0032D20B

Data Word Len: 0x0032D14B

Partition Word Len:0x0032D3C0

Load Addr: 0x00100000

Exec Addr: 0x00000000

Partition Start: 0x00010000

Partition Attr: 0x00008012

Partition Checksum Offset: 0x00000000

Section Count: 0x00000001

Checksum: 0xFF223476

Application

Encrypted

RSA Signed

Authentication Done

PCAP:StatusReg = 0x40000A30

PCAP:device ready

PCAP:Clear done

PCAP register dump:

PCAP CTRL 0xF8007000: 0x4E80EE80

PCAP LOCK 0xF8007004: 0x00000012

PCAP CONFIG 0xF8007008: 0x00000508

PCAP ISR 0xF800700C: 0x00030000

PCAP IMR 0xF8007010: 0xFFFFFFFF

PCAP STATUS 0xF8007014: 0x0066FA30

PCAP DMA SRC ADDR 0xF8007018: 0x00100001

PCAP DMA DEST ADDR 0xF800701C: 0x00100001

PCAP DMA SRC LEN 0xF8007020: 0x0032D20B

PCAP DMA DEST LEN 0xF8007024: 0x0032D14B

PCAP ROM SHADOW CTRL 0xF8007028: 0xFFFFFFFF

PCAP MBOOT 0xF800702C: 0x0000C000

PCAP SW ID 0xF8007030: 0x00000000

PCAP UNLOCK 0xF8007034: 0x757BDF0D

PCAP MCTRL 0xF8007080: 0x34800100

...................................................................................................

DMA Done !

Partition Number: 2

Header Dump

Image Word Len: 0x0001DDFB

Data Word Len: 0x0001DD3C

Partition Word Len:0x0001DFB0

Load Addr: 0x00D00000

Exec Addr: 0x00000000

Partition Start: 0x0033D400

Partition Attr: 0x00008010

Partition Checksum Offset: 0x00000000

Section Count: 0x00000001

Checksum: 0xFEC05CA7

Application

Encrypted

RSA Signed

Authentication Done

PCAP:StatusReg = 0x40000A30

PCAP:device ready

PCAP:Clear done

PCAP register dump:

PCAP CTRL 0xF8007000: 0x4E80EE80

PCAP LOCK 0xF8007004: 0x00000012

PCAP CONFIG 0xF8007008: 0x00000508

PCAP ISR 0xF800700C: 0x00033000

PCAP IMR 0xF8007010: 0xFFFFFFFF

PCAP STATUS 0xF8007014: 0x50000A30

PCAP DMA SRC ADDR 0xF8007018: 0x00D00001

PCAP DMA DEST ADDR 0xF800701C: 0x00D00001

PCAP DMA SRC LEN 0xF8007020: 0x0001DDFB

PCAP DMA DEST LEN 0xF8007024: 0x0001DD3C

PCAP ROM SHADOW CTRL 0xF8007028: 0xFFFFFFFF

PCAP MBOOT 0xF800702C: 0x0000C000

PCAP SW ID 0xF8007030: 0x00000000

PCAP UNLOCK 0xF8007034: 0x757BDF0D

PCAP MCTRL 0xF8007080: 0x34800100

 

DMA Done !

Partition Number: 3

Header Dump

Image Word Len: 0x00113FAB

Data Word Len: 0x00113EE8

Partition Word Len:0x00114160

Load Addr: 0x00E00000

Exec Addr: 0x00000000

Partition Start: 0x00360000

Partition Attr: 0x00008010

Partition Checksum Offset: 0x00000000

Section Count: 0x00000001

Checksum: 0xFE6E7DDB

Application

Encrypted

RSA Signed

Authentication Done

PCAP:StatusReg = 0x40000A30

PCAP:device ready

PCAP:Clear done

PCAP register dump:

PCAP CTRL 0xF8007000: 0x4E80EE80

PCAP LOCK 0xF8007004: 0x00000012

PCAP CONFIG 0xF8007008: 0x00000508

PCAP ISR 0xF800700C: 0x00030000

PCAP IMR 0xF8007010: 0xFFFFFFFF

PCAP STATUS 0xF8007014: 0x0046CA30

PCAP DMA SRC ADDR 0xF8007018: 0x00E00001

PCAP DMA DEST ADDR 0xF800701C: 0x00E00001

PCAP DMA SRC LEN 0xF8007020: 0x00113FAB

PCAP DMA DEST LEN 0xF8007024: 0x00113EE8

PCAP ROM SHADOW CTRL 0xF8007028: 0xFFFFFFFF

PCAP MBOOT 0xF800702C: 0x0000C000

PCAP SW ID 0xF8007030: 0x00000000

PCAP UNLOCK 0xF8007034: 0x757BDF0D

PCAP MCTRL 0xF8007080: 0x34800100

 

DMA Done !

Partition Number: 4

Header Dump

Image Word Len: 0x009B11DB

Data Word Len: 0x009B1117

Partition Word Len:0x009B1390

Load Addr: 0x02000000

Exec Addr: 0x00000000

Partition Start: 0x00478160

Partition Attr: 0x00008011

Partition Checksum Offset: 0x00000000

Section Count: 0x00000001

Checksum: 0xFB04324B

Application

Encrypted

RSA Signed

Authentication Done

PCAP:StatusReg = 0x40000A30

PCAP:device ready

PCAP:Clear done

PCAP register dump:

PCAP CTRL 0xF8007000: 0x4E80EE80

PCAP LOCK 0xF8007004: 0x00000012

PCAP CONFIG 0xF8007008: 0x00000508

PCAP ISR 0xF800700C: 0x00030000

PCAP IMR 0xF8007010: 0xFFFFFFFF

PCAP STATUS 0xF8007014: 0x00A6FA30

PCAP DMA SRC ADDR 0xF8007018: 0x02000001

PCAP DMA DEST ADDR 0xF800701C: 0x02000001

PCAP DMA SRC LEN 0xF8007020: 0x009B11DB

PCAP DMA DEST LEN 0xF8007024: 0x009B1117

PCAP ROM SHADOW CTRL 0xF8007028: 0xFFFFFFFF

PCAP MBOOT 0xF800702C: 0x0000C000

PCAP SW ID 0xF8007030: 0x00000000

PCAP UNLOCK 0xF8007034: 0x757BDF0D

PCAP MCTRL 0xF8007080: 0x34800100

...................................................................................................

DMA Done !

Partition Number: 5

Header Dump

Image Word Len: 0x0000135B

Data Word Len: 0x00001299

Partition Word Len:0x00001510

Load Addr: 0x06000000

Exec Addr: 0x00000000

Partition Start: 0x00E80000

Partition Attr: 0x00008012

Partition Checksum Offset: 0x00000000

Section Count: 0x00000001

Checksum: 0xF82F2EF8

Application

Encrypted

RSA Signed

Authentication Done

PCAP:StatusReg = 0x40000A30

PCAP:device ready

PCAP:Clear done

PCAP register dump:

PCAP CTRL 0xF8007000: 0x4E80EE80

PCAP LOCK 0xF8007004: 0x00000012

PCAP CONFIG 0xF8007008: 0x00000508

PCAP ISR 0xF800700C: 0x00033000

PCAP IMR 0xF8007010: 0xFFFFFFFF

PCAP STATUS 0xF8007014: 0x50000A30

PCAP DMA SRC ADDR 0xF8007018: 0x06000001

PCAP DMA DEST ADDR 0xF800701C: 0x06000001

PCAP DMA SRC LEN 0xF8007020: 0x0000135B

PCAP DMA DEST LEN 0xF8007024: 0x00001299

PCAP ROM SHADOW CTRL 0xF8007028: 0xFFFFFFFF

PCAP MBOOT 0xF800702C: 0x0000C000

PCAP SW ID 0xF8007030: 0x00000000

PCAP UNLOCK 0xF8007034: 0x757BDF0D

PCAP MCTRL 0xF8007080: 0x34800100

 

DMA Done !

Handoff Address: 0x00000000

In FsblHookBeforeHandoff function

No Execution Address JTAG handoff

0 Kudos
ratin
Observer
Observer
406 Views
Registered: ‎02-22-2021

It would be interesting to know how the handoff process work. I noticed if I use an older u-boot.elf file, fsbl spits out its exec address properly (0x4000000). So after I modified to also load uboot into 0x4000000, handoff succeeds now but then its completely silent, looks like linux is not booting. With the new u-boot.img file, the same result if I hardcode the handoff address in FSBL. So with the handoff succeeding, what could be the issue thats preventing linux to run? Is there a boot.bin from Xilinx I could try for SD card boot?  

<snip>
DMA Done !

Handoff Address: 0x04000000

In FsblHookBeforeHandoff function

SUCCESSFUL_HANDOFF

FSBL Status = 0x1

 

here is u-boot partition info printed: 

Partition Number: 2

Header Dump

Image Word Len: 0x00022E8B

Data Word Len: 0x00022DC4

Partition Word Len:0x00023040

Load Addr: 0x04000000

Exec Addr: 0x04000000

Partition Start: 0x0033D400

Partition Attr: 0x00008010

Partition Checksum Offset: 0x00000000

Section Count: 0x00000001

Checksum: 0xF78F1A6F

Application

Encrypted

RSA Signed

Authentication Done

PCAP:StatusReg = 0x40000A30

PCAP:device ready

0 Kudos
ibaie
Xilinx Employee
Xilinx Employee
373 Views
Registered: ‎10-06-2016

Hi @ratin 

If you take a look to the Bootgen documentation you will notice that the tool does not read header information from img files so is treated as binary blob. Binary blobs does not have any information about the load address or entry point so there is no way for Bootgen to provide that information to FSBL, that's why you need to specify the load address and execution address if you are expecting to handoff to the partition (see load and startup attributes).

Once FSBL handoffs to U-Boot, you should be able to see first U-Boot serial printouts not Linux, which I guess is not happening from your previous comments. If that is not working probably the issue is in your U-Boot image. How did you build? Can you provide information about the steps you have followed?

For Xilinx evaluation boards you can find pre-built images or you can use provided Petalinux BSPs to build or us pre-built individual components.

Regards


Ibai
Don’t forget to reply, kudo, and accept as solution.
0 Kudos
ratin
Observer
Observer
319 Views
Registered: ‎02-22-2021

I am not able to reply - will try again after logging out 

0 Kudos
ratin
Observer
Observer
319 Views
Registered: ‎02-22-2021

Hi Ibai,

Thanks for your reply. Yes, no u-boot prompt, the u-boot was build from Mathworks buildroot as part of the linux kernel build, they provide a few python scripts. Normal location for it is specified in buildroot/configs/zynq_zc706_defconfig is u-boot-xlnx.git from github

which has latest changes, however the the build version located in out/build is uboot-mathworks_zynq_R20.2.0 (probably locked into this rev since buildroot itself was from that version)

in either case, this same u-boot image works its put into the SD card as is along with script generated SD card image and doesnt work if I wrap it in boot.bin as part of bootgen. I dont understand the difference yet, the SD card image has a flat file system with a smaller boot.bin, no FSBL (unless it gets put into the boot.bin), u-boot.img, linux kernel, system.bit and the dtb files  

Ratin

0 Kudos
ratin
Observer
Observer
299 Views
Registered: ‎02-22-2021

After some digging, I think I need to disable SPL from u-boot build

0 Kudos
ratin
Observer
Observer
260 Views
Registered: ‎02-22-2021

I am now getting DATA_ABORT_HANDLER - is this because the dtb file doesnt match the hardware, or something like that? What basic config do I need to enable in uboot defconfig for zc706 that will allow me to use the UART? I think I only have axi-uartlite enabled in my board's block design, the dtb has the relevant entry but not sure what u-boot config items I have to enable.

Handoff Address: 0x04000000

In FsblHookBeforeHandoff function

SUCCESSFUL_HANDOFF

FSBL Status = 0x1

DATA_ABORT_HANDLER

FSBL Status = 0xA304

This Boot Mode 0x5 Doesn't Support Fallback

 

0 Kudos