spitfire

  1. @xeniter now that secure SPL is working, I guess, is there any way to disable FEL? Securing the SPL does not stop someone from gaining access over FEL, programming the rotpk to all '1' and running their own "certified SPL". I guess there might be a SID bit to burn after which no modification of the SID is allowed... I will keep digging and see if you have info as well.
  2. @xeniter finally good news: I was able to boot the SoC in secure mode... Using jmk's egon2toc did the trick. Before, I was using lichee's TOC generator; I guess that has some sort of bug. I used sunxi-fel to burn my keys. The keys should of course be burned "little-endian". Anyway, thanks for your tremendous work and help. wbr
  3. Hi @xeniter, I used tocgen from the lichee repository. So far I was able to generate the ./x509_rotpk.bin file, which holds the hash value to be programmed. The resulting toc0.fex boots OK when the rotpk-hash is all '0's and '1's (or all keys are the same) with the secure bit burned.

     My read_register routine:

         import time

         # readl(), writel() and sid_base_addr are defined elsewhere in the script.
         def read_register(register_addr):
             # Control word: 0xAC in bits 15:8, register offset in bits 16 and up,
             # bit 1 set to start the read.
             sid_ctrl_data = (0xAC << 8)
             sid_ctrl_data = sid_ctrl_data + (register_addr << 16)
             sid_ctrl_data = sid_ctrl_data + 0x02
             #print("SID ctrl content ", hex(sid_ctrl_data))
             writel(sid_base_addr + 0x40, sid_ctrl_data)
             # Poll the control register at +0x40 until bit 1 clears.
             while (readl(sid_base_addr + 0x40) & 0x02) == 0x02:
                 print("finishing read ..")
                 time.sleep(1)
             read_val = readl(sid_base_addr + 0x40)
             #print("read val:", hex(read_val))
             # The value read back is taken from the register at +0x60.
             reg_val = readl(sid_base_addr + 0x60)
             return reg_val

     Programmed HASH in the rotpk section:

         ('reg ', '0x64', ':', '0xe9e6181a')
         ('reg ', '0x68', ':', '0x5fb19a8f')
         ('reg ', '0x6c', ':', '0xf91d6e62')
         ('reg ', '0x70', ':', '0x652b9fd8')
         ('reg ', '0x74', ':', '0x3573e89e')
         ('reg ', '0x78', ':', '0x6f9c3d21')
         ('reg ', '0x7c', ':', '0xa8f92947')
         ('reg ', '0x80', ':', '0xf5326ac5')
         ('reg ', '0x84', ':', '0x0')
         ('reg ', '0x88', ':', '0x0')
         ('reg ', '0x8c', ':', '0x0')
         ('reg ', '0x90', ':', '0x0')
         ('reg ', '0x94', ':', '0x0')
         ('reg ', '0x98', ':', '0x0')
         ('reg ', '0x9c', ':', '0x0')
         ('reg ', '0xa0', ':', '0x0')
         ('reg ', '0xa4', ':', '0x0')
         ('reg ', '0xa8', ':', '0x0')
         ('reg ', '0xac', ':', '0x0')
         ('reg ', '0xb0', ':', '0x0')
         ('reg ', '0xb4', ':', '0x0')
         ('reg ', '0xb8', ':', '0x0')
         ('reg ', '0xbc', ':', '0x0')
         ('reg ', '0xc0', ':', '0x0')
         ('reg ', '0xc4', ':', '0x0')
         ('reg ', '0xc8', ':', '0x0')
         ('reg ', '0xcc', ':', '0x0')
         ('reg ', '0xd0', ':', '0x0')
         ('reg ', '0xd4', ':', '0x0')
         ('reg ', '0xd8', ':', '0x0')
         ('reg ', '0xdc', ':', '0x0')
         ('reg ', '0xe0', ':', '0x0')
         ('reg ', '0xe4', ':', '0x0')
         ('reg ', '0xe8', ':', '0x0')
         ('reg ', '0xec', ':', '0x0')
         ('reg ', '0xf0', ':', '0x0')
         ('reg ', '0xf4', ':', '0x800')
         ('reg ', '0xf8', ':', '0x0')
         ('reg ', '0xfc', ':', '0x0')

     my x509_rotpk_:

         unsigned char x509_rotpk_bin[] = {
             0x1a, 0x18, 0xe6, 0xe9, 0x8f, 0x9a, 0xb1, 0x5f,
             0x62, 0x6e, 0x1d, 0xf9, 0xd8, 0x9f, 0x2b, 0x65,
             0x9e, 0xe8, 0x73, 0x35, 0x21, 0x3d, 0x9c, 0x6f,
             0x47, 0x29, 0xf9, 0xa8, 0xc5, 0x6a, 0x32, 0xf5
         };
         unsigned int x509_rotpk_bin_len = 32;

     RSA .pem file: [RSA private key PEM block]

     I have used the /keys folder, for which I first used the create_keys script, and the posted key is the Trustkey.pem. Still unable to boot in secure mode, any help is appreciated. wbr spitfire
  4. Hi Xeniter, I still haven't succeeded in booting a TOC0 SPL image.
     - Wrote the generated ROTPK as little endian. SHA256 = 18 D8 E4 D5 A2 4D 8B F2 AA 00 61 98 9B 92 15 E7 9B 99 0A 82 F9 21 A6 5B 0F 56 0D A6 D2 05 E8 CE; wrote these values in the Key section of the efuse (0x64...) as little endian: D5 E4 D8 18 .....CE E8 05 D2
     - Burned 0xF4 (LCJS) -> 0x800 (bit 11 -> '1' to enable secure boot)
     - Used jmek's Ruby script and the SPL which I compiled from FriendlyArm's U-Boot repository (19KB). After jmek's script, a resulting TOC file is generated.
     The file boots OK if the keys are burned either as 0's or 1's and secure bit 11 in 0xF4 is set to '1', but when the NanoPi NEO board is burned with the exact SHA256, it doesn't boot. Can you please describe step by step what you did in order to get a correct SPL and how you programmed the exact SHA256 of a .pem file in the Key efuse section? Thank you, wbr Spitfire
  5. Hi @xeniter, were you able to verify the secure boot on H3? I have some spare boards I am willing to try on. Jmk's script generates the files, the rotpk-hash is then also programmed, but like yours, the NanoPi doesn't boot. When setting the whole rotpk-hash to 0xff, the board boots. Any help is highly appreciated. wbr
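
The posts above write the ROTPK hash into the eFuse words starting at 0x64 as little-endian 32-bit words and set bit 11 of the word at 0xF4. The following check is an added example, not code from the posts: it compares a register dump in the format shown in post 3 against the x509_rotpk.bin bytes from the same post. The function and constant names are hypothetical, and the offsets 0x64 and 0xF4 and bit 11 are taken from the posts.

```python
import re
import struct

ROTPK_BASE = 0x64      # offset of the first ROTPK word in the posted dump
LCJS_OFFSET = 0xF4     # LCJS word; the posts set bit 11 to enable secure boot
SECURE_BIT = 1 << 11

# x509_rotpk.bin bytes as posted in post 3
ROTPK_BIN = bytes.fromhex(
    "1a18e6e98f9ab15f626e1df9d89f2b65"
    "9ee87335213d9c6f4729f9a8c56a32f5")

# Relevant lines of the posted register dump, copied here as sample input
DUMP = """
('reg ', '0x64', ':', '0xe9e6181a')
('reg ', '0x68', ':', '0x5fb19a8f')
('reg ', '0x6c', ':', '0xf91d6e62')
('reg ', '0x70', ':', '0x652b9fd8')
('reg ', '0x74', ':', '0x3573e89e')
('reg ', '0x78', ':', '0x6f9c3d21')
('reg ', '0x7c', ':', '0xa8f92947')
('reg ', '0x80', ':', '0xf5326ac5')
('reg ', '0xf4', ':', '0x800')
"""

LINE = re.compile(r"'(0x[0-9a-fA-F]+)',\s*':',\s*'(0x[0-9a-fA-F]+)'")

def parse_dump(text):
    """Return {offset: value} for every "('reg ', '<off>', ':', '<val>')" line."""
    return {int(off, 16): int(val, 16) for off, val in LINE.findall(text)}

def expected_words(digest, base=ROTPK_BASE):
    """Split a 32-byte hash into eight little-endian 32-bit words keyed by offset."""
    if len(digest) != 32:
        raise ValueError("ROTPK hash must be 32 bytes (SHA-256)")
    return {base + 4 * i: w for i, w in enumerate(struct.unpack("<8I", digest))}

def check_fuses(dump_text, digest):
    """Return (mismatches, secure_bit_set); mismatches are (offset, expected, actual)."""
    regs = parse_dump(dump_text)
    mismatches = [(off, want, regs.get(off))
                  for off, want in expected_words(digest).items()
                  if regs.get(off) != want]
    return mismatches, bool(regs.get(LCJS_OFFSET, 0) & SECURE_BIT)

def swap_words(digest):
    """Reverse each 4-byte group: the layout a big-endian word write would produce."""
    return b"".join(digest[i:i + 4][::-1] for i in range(0, len(digest), 4))

if __name__ == "__main__":
    print(check_fuses(DUMP, ROTPK_BIN))
    print(len(check_fuses(DUMP, swap_words(ROTPK_BIN))[0]), "mismatches if byte order is swapped")
```

On the values from post 3 the check reports no mismatches and the secure bit set, so the fuse contents there agree with the file byte for byte.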