cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mark@bish.net
Adventurer
Adventurer
3,069 Views
Registered: ‎09-19-2017

Questions on Secure Boot / Not booting from BOOT.BIN created from SDK

I am familiar that petalinux will create everything I need to boot if I am not using encryption and authentication.  If I am wrong in this assumption please correct me.

 

However, I want to use encryption and authentication.  Therefore I am trying to create a BOOT.BIN from the SDK that boots.  THe first pass I am not using encryption/authentication and will save that for the second pass.  My .bif settings are below with the linux partition set to load 0x1000000 (got this value off another post - not entirely sure this would be the correct load address).  On bootup it looks like it gets through the FSBL but hangs in uboot.  Does that look right with the TeraTerm capture?  Or maybe when uboot tries to load linux at that address......

 

Capture.PNG

 

Capture.PNG

 

 

 

Capture.PNG

 

 

 

13 Replies
denist
Xilinx Employee
Xilinx Employee
3,033 Views
Registered: ‎10-11-2011

I am not 100% the load address is correct for your design. Can you try to build an image without image.ub, boot up to the u-boot prompt and then do a "printenv"? it should tell you where u-boot is expecting the image.ub (offset in qspi) and where it's going to load it (your load address). Use those numbers when you include the image.ub back in to your image.

Hope this helps.

-------------------------------------------------------------------------
Don’t forget to reply, kudo, and accept as solution.
-------------------------------------------------------------------------
0 Kudos
rrj4zxyffvy_6
Visitor
Visitor
2,961 Views
Registered: ‎02-05-2017

I'm having a similar issue with 2017.2.  The BIF generated from XSDK looks like this (I've not actually enabled secure boot yet, just trying to get image.ub packaged up in to BOOT.BIN so it can be encrypted):

 

//arch = zynq; split = false; format = BIN
the_ROM_image:
{
	[bootloader]/home/pl/Documents/secure_zed/images/linux/zynq_fsbl.elf
	/home/pl/Documents/secure_zed/images/linux/download.bit
	/home/pl/Documents/secure_zed/images/linux/u-boot.elf
	[load = 0x10000000]/home/pl/Documents/secure_zed/images/linux/image.ub
}

Booting this gives:

 

U-Boot 2017.01 (Dec 13 2017 - 09:32:06 +0000)

Model: Zynq Zed Development Board
Board: Xilinx Zynq
DRAM:  ECC disabled 512 MiB
MMC:   sdhci@e0100000: 0 (SD)
SF: Detected s25fl256s_64k with page size 256 Bytes, erase size 64 KiB, total 64 MiB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ZYNQ GEM: e000b000, phyaddr 0, interface rgmii-id
eth0: ethernet@e000b000
U-BOOT for avnet-digilent-zedboard-2017_2

ethernet@e000b000 Waiting for PHY auto negotiation to complete......... TIMEOUT !
Hit any key to stop autoboot:  0 
Device: sdhci@e0100000
Manufacturer ID: 3
OEM: 5344
Name: SD02G 
Tran Speed: 25000000
Rd Block Len: 512
SD version 1.10
High Capacity: No
Capacity: 1.9 GiB
Bus Width: 4-bit
Erase Group Size: 512 Bytes
reading image.ub
** Unable to read file image.ub **

printenv gives:

Zynq> printenv
autoload=no
baudrate=115200
boot_img=BOOT.BIN
bootcmd=run default_bootcmd
bootdelay=4
bootenvsize=0x20000
bootenvstart=0x500000
clobstart=0x10000000
console=console=ttyPS0,115200
cp_kernel2ram=mmcinfo && fatload mmc 0 ${netstart} ${kernel_img}
default_bootcmd=run cp_kernel2ram && bootm ${netstart}
dtb_img=system.dtb
dtbnetstart=0x11800000
eraseenv=sf probe 0 && sf erase ${bootenvstart} ${bootenvsize}
ethact=ethernet@e000b000
ethaddr=00:0a:35:00:1e:53
fault=echo ${img} image size is greater than allocated place - partition ${img} is NOT UPDATED
fdtcontroladdr=1ffa8550
importbootenv=echo "Importing environment from SD ..."; env import -t ${loadbootenv_addr} $filesize
install_boot=mmcinfo && fatwrite mmc 0 ${clobstart} ${boot_img} ${filesize}
install_jffs2=sf probe 0 && sf erase ${jffs2start} ${jffs2size} && sf write ${clobstart} ${jffs2start} ${filesize}
install_kernel=mmcinfo && fatwrite mmc 0 ${clobstart} ${kernel_img} ${filesize}
jffs2_img=rootfs.jffs2
kernel_img=image.ub
load_boot=tftpboot ${clobstart} ${boot_img}
load_dtb=tftpboot ${clobstart} ${dtb_img}
load_jffs2=tftpboot ${clobstart} ${jffs2_img}
load_kernel=tftpboot ${clobstart} ${kernel_img}
loadaddr=0x10000000
loadbootenv=load mmc $sdbootdev:$partid ${loadbootenv_addr} ${bootenv}
nc=setenv stdout nc;setenv stdin nc;
netboot=tftpboot ${netstart} ${kernel_img} && bootm
netstart=0x10000000
psserial0=setenv stdout ttyPS0;setenv stdin ttyPS0
sd_uEnvtxt_existence_test=test -e mmc $sdbootdev:$partid /uEnv.txt
sd_update_dtb=echo Updating dtb from SD; mmcinfo && fatload mmc 0:1 ${clobstart} ${dtb_img} && run install_dtb
sd_update_jffs2=echo Updating jffs2 from SD; mmcinfo && fatload mmc 0:1 ${clobstart} ${jffs2_img} && run install_jffs2
sdboot=echo boot Petalinux; run uenvboot ; mmcinfo && fatload mmc 0 ${netstart} ${kernel_img} && bootm 
serial=setenv stdout serial;setenv stdin serial
serverip=172.16.158.14
test_crc=if imi ${clobstart}; then run test_img; else echo ${img} Bad CRC - ${img} is NOT UPDATED; fi
test_img=setenv var "if test ${filesize} -gt ${psize}; then run fault; else run ${installcmd}; fi"; run var; setenv var
uenvboot=if run sd_uEnvtxt_existence_test; thenrun loadbootenvecho Loaded environment from ${bootenv};run importbootenv; 
update_boot=setenv img boot; setenv psize ${bootsize}; setenv installcmd "install_boot"; run load_boot ${installcmd}; setenv img; setenv psize; setenv installcmd
update_dtb=setenv img dtb; setenv psize ${dtbsize}; setenv installcmd "install_dtb"; run load_dtb test_img; setenv img; setenv psize; setenv installcmd
update_jffs2=setenv img jffs2; setenv psize ${jffs2size}; setenv installcmd "install_jffs2"; run load_jffs2 test_img; setenv img; setenv psize; setenv installcmd
update_kernel=setenv img kernel; setenv psize ${kernelsize}; setenv installcmd "install_kernel"; run load_kernel ${installcmd}; setenv img; setenv psize; setenv installcmd

Environment size: 2978/131068 bytes

I can't see a relevant 'offset' in there to apply to image.ub.

 

Any help would be much appreciated.


Thanks

0 Kudos
ibaie
Xilinx Employee
Xilinx Employee
2,953 Views
Registered: ‎10-06-2016

Hi @rrj4zxyffvy_6

 

The boot image generation using Bootgen and the Linux boot process from U-Boot are not automatically synced, so you need to check and customize how the Linux image is loaded into memory and boot in your target.

 

An small analysis to your enviromental variables:

1. Boot commmand is defined as default_bootcmd vairable

bootcmd=run default_bootcmd

2. This commands loads the image.ub (Linux image) from SD card

cp_kernel2ram=mmcinfo && fatload mmc 0 ${netstart} ${kernel_img}
default_bootcmd=run cp_kernel2ram && bootm ${netstart}

3. And actually the log file shows that fact as well

Hit any key to stop autoboot:  0 
Device: sdhci@e0100000
Manufacturer ID: 3
OEM: 5344

 

mark@bish.net From your debug log it seems that U-Boot is not booting properly as you don't get the command prompt at all. I would suggest you to remove the linux image from the boot image as proposed by denis and then do the same exercise as @rrj4zxyffvy_6.

 

Regards,

Ibai


Ibai
Don’t forget to reply, kudo, and accept as solution.
0 Kudos
mark@bish.net
Adventurer
Adventurer
2,949 Views
Registered: ‎09-19-2017

I upgraded my tools to 2017.3 and things are working.  I don't have time to go back and figure out what broke in 2017.2

0 Kudos
mark@bish.net
Adventurer
Adventurer
2,945 Views
Registered: ‎09-19-2017

However, the Vivado tools for 2017.3 aren't loading the key into BBRAM.  Looking for some vendor support on that one.  There is a separate thread outlining the issue.

0 Kudos
rrj4zxyffvy_6
Visitor
Visitor
2,943 Views
Registered: ‎02-05-2017

Hi Ibai,

 

Thanks for your reply.  I'm not sure how to fix this situation.  Previously, I used petalinux-package which put zynq_fsbl.elf, download.bit and u-boot.elf in BOOT.BIN and then I'd put image.ub as a separate file on the SD card and that would boot.

 

I'm now looking to enable secure boot for the system which as far as I can tell means I need to embed image.ub in BOOT.BIN so that when the package is created, it can be encrypted also.

 

What do I need to change in the petalinux config so that u-boot will try and load the kernel correctly when it's embedded in BOOT.BIN/

 

Thanks

0 Kudos
rrj4zxyffvy_6
Visitor
Visitor
2,937 Views
Registered: ‎02-05-2017

If I use just use

 

petalinux-package --boot --fsbl images/linux/zynq_fsbl.elf --fpga images/linux/download.bit --u-boot --kernel

to generate BOOT.BIN then I get the same issue, unable to read image.ub.

 

If I change petalinux config so that kernel image setting is primary flash rather than primary SD (which is how u-boot is configured which is embedded in BOOT.BIN) then I get different errors:

 

U-Boot 2017.01 (Dec 13 2017 - 14:22:55 +0000)

Model: Zynq Zed Development Board
Board: Xilinx Zynq
DRAM:  ECC disabled 512 MiB
MMC:   sdhci@e0100000: 0 (SD)
SF: Detected s25fl256s_64k with page size 256 Bytes, erase size 64 KiB, total 64 MiB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ZYNQ GEM: e000b000, phyaddr 0, interface rgmii-id
eth0: ethernet@e000b000
U-BOOT for avnet-digilent-zedboard-2017_2

ethernet@e000b000 Waiting for PHY auto negotiation to complete......... TIMEOUT !
Hit any key to stop autoboot:  0 
SF: Detected s25fl256s_64k with page size 256 Bytes, erase size 64 KiB, total 64 MiB
device 0 offset 0x520000, size 0xa80000
SF: 11010048 bytes @ 0x520000 Read: OK
Wrong Image Format for bootm command
ERROR: can't get kernel image!

And printenv:

autoload=no
baudrate=115200
boot_img=BOOT.BIN
bootcmd=run default_bootcmd
bootdelay=4
bootenvsize=0x20000
bootenvstart=0x500000
clobstart=0x10000000
console=console=ttyPS0,115200
cp_kernel2ram=sf probe 0 && sf read ${netstart} ${kernelstart} ${kernelsize}
default_bootcmd=run cp_kernel2ram && bootm ${netstart}
dtb_img=system.dtb
dtbnetstart=0x11800000
eraseenv=sf probe 0 && sf erase ${bootenvstart} ${bootenvsize}
ethact=ethernet@e000b000
ethaddr=00:0a:35:00:1e:53
fault=echo ${img} image size is greater than allocated place - partition ${img} is NOT UPDATED
fdtcontroladdr=1ffa8620
importbootenv=echo "Importing environment from SD ..."; env import -t ${loadbootenv_addr} $filesize
install_boot=mmcinfo && fatwrite mmc 0 ${clobstart} ${boot_img} ${filesize}
install_jffs2=sf probe 0 && sf erase ${jffs2start} ${jffs2size} && sf write ${clobstart} ${jffs2start} ${filesize}
install_kernel=sf probe 0 && sf erase ${kernelstart} ${kernelsize} && sf write ${clobstart} ${kernelstart} ${filesize}
jffs2_img=rootfs.jffs2
kernel_img=image.ub
kernelsize=0xa80000
kernelstart=0x520000
load_boot=tftpboot ${clobstart} ${boot_img}
load_dtb=tftpboot ${clobstart} ${dtb_img}
load_jffs2=tftpboot ${clobstart} ${jffs2_img}
load_kernel=tftpboot ${clobstart} ${kernel_img}
loadaddr=0x10000000
loadbootenv=load mmc $sdbootdev:$partid ${loadbootenv_addr} ${bootenv}
nc=setenv stdout nc;setenv stdin nc;
netboot=tftpboot ${netstart} ${kernel_img} && bootm
netstart=0x10000000
psserial0=setenv stdout ttyPS0;setenv stdin ttyPS0
sd_uEnvtxt_existence_test=test -e mmc $sdbootdev:$partid /uEnv.txt
sd_update_dtb=echo Updating dtb from SD; mmcinfo && fatload mmc 0:1 ${clobstart} ${dtb_img} && run install_dtb
sd_update_jffs2=echo Updating jffs2 from SD; mmcinfo && fatload mmc 0:1 ${clobstart} ${jffs2_img} && run install_jffs2
sd_update_kernel=echo Updating kernel from SD; mmcinfo && fatload mmc 0:1 ${clobstart} ${kernel_img} && run install_kernel
sdboot=echo boot Petalinux; run uenvboot ; mmcinfo && fatload mmc 0 ${netstart} ${kernel_img} && bootm 
serial=setenv stdout serial;setenv stdin serial
serverip=172.16.158.14
test_crc=if imi ${clobstart}; then run test_img; else echo ${img} Bad CRC - ${img} is NOT UPDATED; fi
test_img=setenv var "if test ${filesize} -gt ${psize}; then run fault; else run ${installcmd}; fi"; run var; setenv var
uenvboot=if run sd_uEnvtxt_existence_test; thenrun loadbootenvecho Loaded environment from ${bootenv};run importbootenv; 
update_boot=setenv img boot; setenv psize ${bootsize}; setenv installcmd "install_boot"; run load_boot ${installcmd}; setenv img; setenv psize; setenv installcmd
update_dtb=setenv img dtb; setenv psize ${dtbsize}; setenv installcmd "install_dtb"; run load_dtb test_img; setenv img; setenv psize; setenv installcmd
update_jffs2=setenv img jffs2; setenv psize ${jffs2size}; setenv installcmd "install_jffs2"; run load_jffs2 test_img; setenv img; setenv psize; setenv installcmd
update_kernel=setenv img kernel; setenv psize ${kernelsize}; setenv installcmd "install_kernel"; run load_kernel test_crc; setenv img; setenv psize; setenv installcmd

Environment size: 3194/131068 bytes
0 Kudos
ibaie
Xilinx Employee
Xilinx Employee
2,928 Views
Registered: ‎10-06-2016

Hi @rrj4zxyffvy_6

 

The petalinux setting you select (selecting  the primary flash) is the right way to make the boot image, now as you can see in the enviromental variables the default boot command refers to the flash device.

cp_kernel2ram=sf probe 0 && sf read ${netstart} ${kernelstart} ${kernelsize}

 

Based on the log message of U-Boot it seams that the loaded data does not containt the Linux image, or it's not complete or it's kind of corrupted.

SF: 11010048 bytes @ 0x520000 Read: OK
Wrong Image Format for bootm command
ERROR: can't get kernel image!

 

I would expect to petalinux set all the offset and size values properly but it might usefull to cross-check it yourself. You can use bootgen_utility to read the BOOT.bin image and check the offset and size of the image.ub file within the boot image.

 

Regards,

Ibai


Ibai
Don’t forget to reply, kudo, and accept as solution.
0 Kudos
rrj4zxyffvy_6
Visitor
Visitor
2,921 Views
Registered: ‎02-05-2017

It looks like petalinux isn't putting the kernel image at the correct offset.  The boot.bin generated with petalinux-package contains

 

[0x00000d40]         (0x00)        Encrypted Data Length              - 0x240c56 
[0x00000d44]         (0x04)        Unencrypted Data Length            - 0x240c56 
[0x00000d48]         (0x08)        Total Data Length                  - 0x240c56 
[0x00000d4c]         (0x0C)        Destination Load Address           - 0x00 
[0x00000d50]         (0x10)        Destination Execution Address      - 0x00 
[0x00000d54]         (0x14)        Actual Partition Word Offset       - 0x115fd0 
[0x00000d58]         (0x18)        Attributes                         - 0x10010 
                                                                          # Tail Alignment     : 0
                                                                          # Head Alignment     : 0
                                                                          # Checksum Type      : [PS]
                                                                          # Destination Device : [None]
                                                                          # Checksum Type      : [None]
                                                                          # Authentication     : [UBOOT]
[0x00000d5c]         (0x1C)        Section Count                      - 0x01 
[0x00000d60]         (0x20)        Checksum Word Offset               - 0x00 
[0x00000d64]         (0x24)        Corresponding Image Header Offset  - 0x270 
[0x00000d68]         (0x28)        Authentication Certificate Offset  - 0x00 
[0x00000d7c]         (0x3C)        Partition Header Checksum          - 0xff8178ac 

And partition 4 is

 

[0x00457f40]
	Refer file "_partition_4.txt"
[0x00698b96]

This could be related to https://www.xilinx.com/support/answers/69111.html (although I'm using 2017.2, not 2017.1) however if I try the solution posted there, but with offset of 0x520000, I get the same error from u-boot:

SF: Detected s25fl256s_64k with page size 256 Bytes, erase size 64 KiB, total 64 MiB
device 0 offset 0x520000, size 0xa80000
SF: 11010048 bytes @ 0x520000 Read: OK
Wrong Image Format for bootm command
ERROR: can't get kernel image!

The size in BOOT.BIN is correct but the size of 0xa80000 that u-boot is using isn't.

0 Kudos
rrj4zxyffvy_6
Visitor
Visitor
1,991 Views
Registered: ‎02-05-2017


@rrj4zxyffvy_6 wrote:

 

SF: Detected s25fl256s_64k with page size 256 Bytes, erase size 64 KiB, total 64 MiB
device 0 offset 0x520000, size 0xa80000
SF: 11010048 bytes @ 0x520000 Read: OK
Wrong Image Format for bootm command
ERROR: can't get kernel image!

Does the first line not indicate that u-boot is actually looking the QSPI flash in this instance for the kernel image rather than the BOOT.BIN image?

0 Kudos
ibaie
Xilinx Employee
Xilinx Employee
1,982 Views
Registered: ‎10-06-2016

Hi @rrj4zxyffvy_6

 

The partition information of extracted by bootgen_utility shows that your image.ub file has been located at address 0x00457f40 and it's size is 0x240c56. Can you check that the image.ub file corresponds to this size?

[0x00457f40]
	Refer file "_partition_4.txt"
[0x00698b96]

 

As you can see the the U-Boot default command is trying to load the image.ub from offset 0x520000 so it's expected to not work as the image that is loading is not really the image.ub on its own. The AR you mentined should fix this issue and place the image.ub in the correct offset (size does not mather too much if you load more than the whole image), but it might be you are doing something wrong in the process.

 

The following line only points that sf read command is reading 0xa80000 bytes from offset 0x520000 of the flash device. That should correspond to the image.ub file within your BOOT.bin image loaded in the Flash device.

device 0 offset 0x520000, size 0xa80000

 

I would suggest you to load a BOOT.bin file generated by petalinux, check with bootgen_utility to check where the partition is located (offset) and size, and finally MANUALLY read the file from memory and try to boot it.

1. Stop the U-Boot execution
2. sf probe 0 0 0
3. sf read 0x10000000 <offset> <size>
4. bootm 0x10000000

 

Regards,

Ibai 


Ibai
Don’t forget to reply, kudo, and accept as solution.
0 Kudos
rrj4zxyffvy_6
Visitor
Visitor
1,975 Views
Registered: ‎02-05-2017

Hi Ibai,

 

I've managed to get it working this morning.  It appears that u-boot won't/doesn't look inside the BOOT.BIN on the SD card for the kernel.  This is all handled by the FSBL.  So specifying a load= in the BIF tells the FSBL to load image.ub at that address which it is indeed doing before u-boot is executed.

 

Then issuing a 'bootm ${netstart}' to u-boot does then execute the kernel.

 

But it looks like there is no way to specify this through the petalinux config so following https://www.xilinx.com/support/answers/69979.html I've been able to change the default boot command to just 'bootm ${netstart}' and the system will now fully boot in to Linux from a cold start.

 

I've also changed the kernel image location to 'manual' as 'primary flash' seem seems to configure u-boot for qspi loading and primary sd makes it look on the SD card for image.ub.  It looks like another option is needed there.

 

I find it surprising that there isn't an example/tech note of exactly how to do secure boot with Petalinux from an SD card as I'm trying to achieve and that it isn't just a configuration option which will allow you to package image.ub in BOOT.BIN and have u-boot boot it.

 

XAPP1175 mentions that the FSBL handles everything in secure mode and u-boot isn't really used but is out of date and doesn't mention Petalinux exactly nor image.ub and how to configure it correctly.  Nor does UG1025.

 

Thanks for your help.

bnewlin
Contributor
Contributor
191 Views
Registered: ‎03-10-2015

I can't give enough kudos for this one.  I ran into the same problem trying to get Secure Boot going (Zynq 7020, Petalinux 2018.1).  I've been trying to figure out how to include image.ub in the boot image (BOOT.bin) and still get it to boot.  I'm booting from the SD card and the u-boot stage it would complain the same way you described:

Hit any key to stop autoboot:  1  0 
Device: sdhci@e0100000
Manufacturer ID: 3
OEM: 5054
Name: SL32G 
Tran Speed: 50000000
Rd Block Len: 512
SD version 3.0
High Capacity: Yes
Capacity: 29 GiB
Bus Width: 4-bit
Erase Group Size: 512 Bytes
** Unable to read file image.ub **
Zynq>

 

To finally get it to work I pretty much followed your steps:

1) I added the load address for the image.ub file in the *bif to match that of the ${netstart} value (printenv from u-boot cmd line).

//arch = zynq; split = false; format = BIN
the_ROM_image:
{
	[bootloader]/images/linux/zynq_fsbl.elf
	/images/linux/system.bit
	/images/linux/u-boot.elf
	[load = 0x10000000]/images/linux/image.ub
}

2) Then I followed the steps in AR #69979 and copied the Extra U-boot env settings from <proj-proj-root>/project-spec/meta-plnx-generated/recipes-bsp/u-boot/configs/platform-auto.h to <proj-proj-root>/project-spec/meta-user/recipes-bsp/u-boot/files/platform-top.h.  I figured out that the cp_kernel2ram line was the culprit.  It's called from the default_bootcmd and tries to load the image.ub file from the SD card and when it can't find it, it prints ** Unable to read file image.ub ** and quits.  

So I changed it from:

cp_kernel2ram=mmcinfo && fatload mmc ${sdbootdev} ${netstart} ${kernel_img}

to this:

cp_kernel2ram=echo Kernel is in boot image so no need to copy; mmcinfo

 

And now everything boots correctly from the single BOOT.bin file, which contains image.ub.

Hit any key to stop autoboot:  1  0 
Kernel is in boot image so no need to copy
Device: sdhci@e0100000
Manufacturer ID: 3
OEM: 5054
Name: SL32G 
Tran Speed: 50000000
Rd Block Len: 512
SD version 3.0
High Capacity: Yes
Capacity: 29 GiB
Bus Width: 4-bit
Erase Group Size: 512 Bytes
## Loading kernel from FIT Image at 10000000 ...

 

Now that I've got that working I can try my hand at adding authentication and encryption.

0 Kudos