Hi,
Has anybody tried to activate/implement the Trusted Board Boot (TBB) feature of ARM Trusted Firmware (ATF) on Hikey or any other 96Board yet?
The minimal requirement to run TBB is GENERATE_COT, but it should be possible to only generate these Certificates of Trust (CoT) and add them to your Firmware Image Package (FIP). I've already tested TBB (incl. CoT) with the Juno DevBoard and it worked fine. The 96Boards repository does not mention TBB anywhere. But in the Hikey branch it is also possible to set the GENERATE_COT flag, and the *.crt files get generated.
BUT trying to flash fip.bin including the certificates always freezes while flashing with fastboot.
My Workflow looks like this.
* compile 96boards-arm-trusted-firmware using uefi-tools from linaro (works)
* generate new l-loader.bin and ptable-linux.img with l-loader tool from 96boards
* generating boot-fat.uefi.img with a script following the instructions from 96boards
* flash l-loader.bin, ptable, fip, nvme and boot ...
Same works great with Makefile Targets in DS-5 IDE, but after setting the GENERATE_COT flag flashing process stops while downloading fip.bin. The commandline output of fastboot freezes and these are the last lines from UART output.

    INFO: Hisilicon HiKey platform is initialized
    NOTICE: Enter fastboot mode...
    INFO: enter usb_config
    INFO: USB: DMA mode.
    INFO: USB ULPI PHY
    INFO: enter reset_endpoints.
    INFO: Enter downloading mode. Please run fastboot command on Host.
    INFO: enter reset_endpoints.
    INFO: enter reset_endpoints.
    INFO: enter reset_endpoints.
    INFO: enter reset_endpoints.
    INFO: usb: online (highspeed)
    INFO: cmd :getvar:partition-type:ptable
    INFO: cmd :getvar:max-download-size
    INFO: cmd :download:00004600
    INFO: cmd :flash:ptable
    INFO: recog updatefile
    INFO: cmd :getvar:partition-type:fastboot
    INFO: cmd :getvar:max-download-size
    INFO: cmd :download:0014605e

Does anybody know that issue or can give me a hint where to search for a solution? Creating the fip.bin (without CoT) in DEBUG mode does result in a bigger file and is still flashable, so size doesn't matter.
The output without CoT Option looks like:

    INFO: usb: online (highspeed)
    INFO: cmd :getvar:partition-type:ptable
    INFO: cmd :getvar:max-download-size
    INFO: cmd :download:00004600
    INFO: cmd :flash:ptable
    INFO: recog updatefile
    INFO: cmd :getvar:partition-type:fastboot
    INFO: cmd :getvar:max-download-size
    INFO: cmd :download:00128f08
    INFO: cmd :flash:fastboot
    INFO: recog updatefile
    INFO: cmd :getvar:partition-type:nvme
    INFO: cmd :getvar:max-download-size
    INFO: cmd :download:00020000
    INFO: cmd :flash:nvme
    INFO: recog updatefile
    INFO: cmd :getvar:partition-type:boot
    INFO: cmd :getvar:max-download-size
    INFO: cmd :download:04000000
    INFO: cmd :flash:boot
    INFO: recog updatefile

Could it be a bug in l-loader? I've also tested it with the current state of https://github.com/96boards/arm-trusted-firmware but without any impact. Which components are affected by adding the certificates, without using TBB?
Adding some TBB code from Juno and compiling for Hikey made my BL1 now ask for a BL2 certificate, but without flashing fip ... :-(

    NOTICE: TRUSTED_BOARD_BOOT - auth_init()
    INFO: Using authentication module 'PolarSSL'
    INFO: Using FIP
    WARNING: Failed to access image 'bl2.crt' (-1)
    ERROR: Failed to load BL2 certificate.
    PANIC at PC : 0x00000000f9807b54

Kind Regards,
Michael
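
An added example, not part of the original post: a small Python parser for the fastboot command lines in the UART output quoted above. It pairs each `download:<hex size>` with the `flash:<partition>` that follows and reports transfers that never reached the flash step; the function names `transfers` and `stalled` are this example's own.

```python
import re

# Tail of the UART log from the post for the failing run (GENERATE_COT set).
UART_WITH_COT = """\
INFO: cmd :getvar:partition-type:ptable
INFO: cmd :getvar:max-download-size
INFO: cmd :download:00004600
INFO: cmd :flash:ptable
INFO: recog updatefile
INFO: cmd :getvar:partition-type:fastboot
INFO: cmd :getvar:max-download-size
INFO: cmd :download:0014605e
"""

CMD = re.compile(r"cmd :(getvar|download|flash):(\S+)")


def transfers(log):
    """Return one dict per announced download: partition, size in bytes, completed."""
    out = []
    pending = None    # download announced, matching flash command not yet seen
    partition = None  # last partition queried via getvar:partition-type
    for verb, arg in CMD.findall(log):
        if verb == "getvar" and arg.startswith("partition-type:"):
            partition = arg.split(":", 1)[1]
        elif verb == "download":
            if pending:  # an earlier download was never followed by flash
                out.append(pending)
            pending = {"partition": partition, "size": int(arg, 16),
                       "completed": False}
        elif verb == "flash" and pending:
            pending.update(partition=arg, completed=True)
            out.append(pending)
            pending = None
    if pending:  # log ended while a download was still outstanding
        out.append(pending)
    return out


def stalled(log):
    """Downloads the device acknowledged but never followed with a flash command."""
    return [t for t in transfers(log) if not t["completed"]]


if __name__ == "__main__":
    for t in transfers(UART_WITH_COT):
        state = "flashed" if t["completed"] else "STALLED"
        print(f'{t["partition"]:<10} {t["size"]:>10} bytes  {state}')
```

Run against the failing log, it shows the device accepting the download command for the `fastboot` partition and never logging the matching flash command, which places the hang in the data transfer itself rather than in the write to storage.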