I’ve successfully integrated mender into Yocto build for iMX 6UL EVK and verified the update mechanism. Now, as I try to sign the generated u-boot and kernel (with mender integration) it fails at kernel verification stage as follows,
Hit any key to stop autoboot: 0
37183 bytes read in 125 ms (290 KiB/s)
7738296 bytes read in 522 ms (14.1 MiB/s)
Kernel image @ 0x80800000 [ 0x000000 - 0x7613b8 ]
## Flattened Device Tree blob at 83000000
Booting using the fdt blob at 0x83000000
Authenticate image from DDR location 0x80800000...
bad magic magic=0x0 length=0x00 version=0x0
bad length magic=0x0 length=0x00 version=0x0
bad version magic=0x0 length=0x00 version=0x0
Error: Invalid IVT structure
Allowed IVT structure:
IVT HDR = 0x4X2000D1
IVT ENTRY = 0xXXXXXXXX
IVT RSV1 = 0x0
IVT DCD = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF = 0xXXXXXXXX
IVT CSF = 0xXXXXXXXX
IVT RSV2 = 0x0
Authenticate zImage Fail, Please check
So, I have a question here. Normally, iMX 6UL EVK would boot from boot partition so we would sign the zImage and copy it to the boot partition to implement signed boot.
I did the same here in mender integrated image (sign the zImage in boot partition). But as you said here,
Do I need to sign the kernel image in/bootof rootfs A? If so, do you mind brief the role of boot partition?
Yes, or you need to make sure that the image is signed during the build so that the images that you deploy using .mender files includes a signed image already.
If so, do you mind brief the role of boot partition?
In your case, it probably has no role. You should be able to disable it using,