Kernel signing error after mender integration in iMX 6UL

Greetings all,

I’ve successfully integrated Mender into a Yocto build for the iMX 6UL EVK and verified the update mechanism. Now, when I try to sign the generated u-boot and kernel (with Mender integration), it fails at the kernel verification stage as follows:

Hit any key to stop autoboot:  0 
37183 bytes read in 125 ms (290 KiB/s)
7738296 bytes read in 522 ms (14.1 MiB/s)
Kernel image @ 0x80800000 [ 0x000000 - 0x7613b8 ]
## Flattened Device Tree blob at 83000000
   Booting using the fdt blob at 0x83000000

Authenticate image from DDR location 0x80800000...
bad magic magic=0x0 length=0x00 version=0x0
bad length magic=0x0 length=0x00 version=0x0
bad version magic=0x0 length=0x00 version=0x0
Error: Invalid IVT structure

Allowed IVT structure:
IVT HDR       = 0x4X2000D1
IVT ENTRY     = 0xXXXXXXXX
IVT RSV1      = 0x0
IVT DCD       = 0x0
IVT BOOT_DATA = 0xXXXXXXXX
IVT SELF      = 0xXXXXXXXX
IVT CSF       = 0xXXXXXXXX
IVT RSV2      = 0x0
Authenticate zImage Fail, Please check

The attached file contains detailed log along with u-boot environment variables: https://github.com/danie007/imx6/blob/master/signed_failed.log.txt

Success log(No mender integration - same build configuration): https://github.com/danie007/imx6/blob/master/signed_passed.log.txt

It would be very helpful if you could point me to where to look or what might have gone wrong here.

Happy to provide more details, thanks in advance.

Unclear how to help in this case.

I just wanted to highlight that with Mender integrated, it will load the Linux kernel like this,

load ${mender_uboot_root} ${fdt_addr_r} /boot/${mender_dtb_name}; 
load ${mender_uboot_root} ${kernel_addr_r} /boot/${mender_kernel_name};

This will load the files from the /boot directory in the rootfs image. Are these images signed?

Hi,

Thanks for the reply!

So, I have a question here. Normally, the iMX 6UL EVK would boot from the boot partition, so we would sign the zImage and copy it to the boot partition to implement signed boot.

I did the same here in the Mender-integrated image (signed the zImage in the boot partition). But as you said here,

Do I need to sign the kernel image in /boot of rootfs A? If so, do you mind briefly explaining the role of the boot partition?

Yes, or you need to make sure that the image is signed during the build so that the images that you deploy using .mender files include a signed image already.

If so, do you mind briefly explaining the role of the boot partition?

In your case, it probably has no role. You should be able to disable it using,

MENDER_BOOT_PART_SIZE_MB = "0"

I got it resolved by changing the signed zImage location from the conventional boot partition to rootfs image’s /boot folder.

Thanks @mirzak for pointing out the difference in the boot process and shedding light on the Mender flow.
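Added example, not part of the thread or of Mender or U-Boot: a host-side Python check of whether the zImage that ends up in the rootfs /boot directory carries an IVT matching the "Allowed IVT structure" pattern printed in the log. It assumes the IVT sits at the zImage size rounded up to 4 KiB, all function names are hypothetical, and it checks layout only, not the signature itself.

```python
import struct

ZIMAGE_MAGIC = 0x016F2818  # ARM zImage magic at header offset 0x24
IVT_ALIGN = 0x1000         # assumption: IVT follows the kernel at a 4 KiB boundary
IVT_FMT = "<8I"            # HDR, ENTRY, RSV1, DCD, BOOT_DATA, SELF, CSF, RSV2

def zimage_size(blob):
    """Size the zImage reports for itself (end - start), as U-Boot prints it."""
    magic, start, end = struct.unpack_from("<3I", blob, 0x24)
    if magic != ZIMAGE_MAGIC:
        raise ValueError("not an ARM zImage")
    return end - start

def check_hab_ivt(blob):
    """Return (ok, reason) for the IVT expected after the kernel image."""
    off = (zimage_size(blob) + IVT_ALIGN - 1) & ~(IVT_ALIGN - 1)
    if len(blob) < off + struct.calcsize(IVT_FMT):
        return False, "file ends at 0x%x, no IVT at 0x%x: unsigned" % (len(blob), off)
    hdr, _entry, rsv1, dcd, _bd, _self, csf, rsv2 = struct.unpack_from(IVT_FMT, blob, off)
    # Pattern from the log: HDR = 0x4X2000D1, RSV1 = DCD = RSV2 = 0
    if hdr & 0xF0FFFFFF != 0x402000D1:
        return False, "bad IVT header 0x%08x at 0x%x" % (hdr, off)
    if rsv1 or dcd or rsv2:
        return False, "IVT RSV1/DCD/RSV2 must be 0"
    if csf == 0:
        return False, "IVT has no CSF pointer"
    return True, "IVT at 0x%x, CSF pointer 0x%08x" % (off, csf)

def fake_zimage(size):
    """Constructed sample: zImage header fields only, not a real kernel."""
    blob = bytearray(size)
    struct.pack_into("<3I", blob, 0x24, ZIMAGE_MAGIC, 0, size)
    return bytes(blob)

def append_ivt(blob, load_addr=0x80800000):
    """Constructed sample: pad to 4 KiB and append an IVT (no real CSF data)."""
    off = (len(blob) + IVT_ALIGN - 1) & ~(IVT_ALIGN - 1)
    ivt = struct.pack(IVT_FMT, 0x412000D1, load_addr, 0, 0, 0,
                      load_addr + off, load_addr + off + 0x20, 0)
    return blob.ljust(off, b"\0") + ivt

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(check_hab_ivt(f.read())[1])
```

In the failing log the file read (7738296 bytes) is exactly the kernel size U-Boot prints (0x7613b8), so nothing was appended to it; this check reports that case as unsigned.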