Secure Boot - Generating cwe file

Able to get the rhash.bin now as seen here:

Okay, going through the document, I believe I failed to notice the addition of the image folder, so this can be changed as per the location on an individual setup, as here:

If I understand it correctly, line 3 specifies the location of the Legato image folder. Will definitely first try with a default setup.

Regarding the Legato partition, we do not have a problem, as we have changed the Legato partition to 15MB.

Thanks for your support; will update the results here once we complete the tests.

Hi,

Can we use the ubinize.cfg generated in my build folder here:

Also, for the LegatoFS authentication, can we also use the rhash.bin and legato.squashfs generated from systocwe of the Legato system.update file, as seen below:

Yes, you can take that ubinize.cfg.
Actually this file is more or less the same as mine attached before, just the path is pointing to the LEAF directory.

For your second question, as mentioned before, you can first test the default one, and then, if it works, you can try your method and see if it works.
On my side, I only use “make wp76xx” to generate all the Legato images; that is why I recommend building the application into the legato.cwe by “make wp76xx”.

Hi,
For some reason I cannot load the LGT0-keys.cwe file. The fdt tool says

Firmware download failed.
Primary error code: 77 - Failed in streaming download stage.
Secondary error code: 68 - Received incorrect response.
Device error code: 0x97 - Not allowed.

I have already loaded the keys generated when generating the signed Yocto image.
How does the fdt tool know where to put the swi-keys.cwe file and the LGT0-keys.cwe file?

Have you loaded the swi-keys.cwe for secure boot of bootloader and kernel?

Btw, which firmware are you testing now?

Yes. I have loaded swi-keys.cwe for secure boot of the bootloader and kernel.
I am testing R16.1 on WP7608.

Does the secure boot work now for bootloader and kernel?
For example, if you load an unsigned Yocto image, will it reject it?

Btw, are you using same key for both swi-keys.cwe file and LGT0-keys.cwe file?

What will happen now if you load an unsigned Legato image to it?

Yes. The secure boot for kernel and bootloader works fine.
The input keys used to generate swi-keys.cwe and LGT0-keys.cwe are the same, that is, the same keys that are copied to security/verity.pk8 and security/verity.x509.pem.
I can load both signed and unsigned Legato images.

Not sure if the fwupdate command can load that LGT0-keys.cwe; you can give it a try.

When you download the LegatoFS keystore CWE image (LGT0-keys.cwe) to module by FDT, did you run the command prompt to be “run as administrator”?

Btw, have you tried one more module?

Yes. I always run fdt as administrator.
I will try on another module and see.
The question I have is: how does the fdt tool know which key we are loading, whether it is the key for the kernel and bootloader or the key for the signed Legato image?

Have you tried a fwupdate local update with the key cwe?

@jyijyi ,

In the module how many keys can we load? From the document it seems we generate 3 keys:

  1. swi-keys.cwe for kernel and bootloader.
  2. LGT0-keys.cwe for Legato.
  3. RFS0-keys.cwe for RootFS.

Do we need to install the 3 Keys or combine them into one and install one key?

No, you cannot combine these three keys.

Ok. If we cannot combine the three keys, then can we download the three keys one after the other?
If the wrong key is accidentally flashed, can we download the correct key afterwards?

This is a hardware fuse; you need to make sure the key is correct before download.

Ok. How about downloading multiple keys? What decides which key will go where?

Have you verified your three keys are ok to work with signed images?

If they are working fine, you can try the following command to download at one time on another new module after loading the signed image to it:

fdt2 -f swi-keys.cwe RFS0-keys.cwe LGT0-keys.cwe

BTW, for your previous module, error code 0x97 is returned to FDT; this error code means that a keystore CWE has already been stored on the module.
The module uses ‘write-once’ storage for the keystore CWE image: once written, the keystore cannot be replaced or removed.
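Because the keystore storage is write-once (a second attempt is refused with 0x97) and the three keystore images are burned in one fdt2 command, it is worth gating that command behind an integrity check of the files about to be flashed. The script below is an added example, not Sierra Wireless tooling and not from this thread; it assumes that a manifest in sha256sum format (the hypothetical file keystore.sha256, recorded at the moment the keys were generated) sits beside the .cwe files, and it refuses when a file is missing, its hash differs from the manifest, or the manifest lists the same file more than once, which is exactly the "generated more than once" situation described above.

```shell
#!/bin/sh
# Pre-flight check before burning keystore CWE images into write-once storage.
# Added example (not Sierra Wireless tooling). Assumes a manifest written with
# `sha256sum swi-keys.cwe RFS0-keys.cwe LGT0-keys.cwe > keystore.sha256` at
# key-generation time; the manifest name and location are an assumption.

KEYSTORE_IMAGES="swi-keys.cwe RFS0-keys.cwe LGT0-keys.cwe"

# _sha256 <file>: print "<hash>  <file>" using whichever tool the host has.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# keystore_preflight <manifest> <dir>
# Returns 0 only if every keystore image in <dir> exists, is non-empty, is
# listed exactly once in <manifest>, and matches the recorded hash.
# Prints one line per problem so the operator can see why it refused.
keystore_preflight() {
    manifest="$1"
    dir="$2"
    status=0
    [ -r "$manifest" ] || { echo "manifest $manifest not readable"; return 1; }
    for img in $KEYSTORE_IMAGES; do
        path="$dir/$img"
        if [ ! -s "$path" ]; then
            echo "MISSING: $path"
            status=1
            continue
        fi
        # Hashes recorded for this file name (second column of the manifest).
        expected=$(awk -v f="$img" '$2 == f { print $1 }' "$manifest")
        count=$(printf '%s\n' "$expected" | grep -c .)
        if [ "$count" -eq 0 ]; then
            echo "UNLISTED: $img has no entry in $manifest"
            status=1
            continue
        fi
        if [ "$count" -gt 1 ]; then
            echo "AMBIGUOUS: $img recorded $count times (generated more than once?)"
            status=1
            continue
        fi
        actual=$(_sha256 "$path" | awk '{ print $1 }')
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH: $img is not the file recorded in the manifest"
            status=1
        fi
    done
    return $status
}

# Interactive use: KEYSTORE_DIR=./keys sh keystore_preflight.sh
# Only prints the fdt2 command; the operator runs it after reading the output.
if [ -n "${KEYSTORE_DIR:-}" ]; then
    if keystore_preflight "${MANIFEST:-$KEYSTORE_DIR/keystore.sha256}" "$KEYSTORE_DIR"; then
        echo "preflight OK; in $KEYSTORE_DIR run: fdt2 -f $KEYSTORE_IMAGES"
    else
        echo "preflight FAILED; do not flash (keystore storage is write-once)"
        exit 1
    fi
fi
```

The check deliberately stops short of invoking fdt2 itself: the point is that the one-shot burn is only typed after the preflight has passed on the exact files in the directory, so a regenerated LGT0-keys.cwe or a stale RFS0-keys.cwe is caught before the fuse is spent rather than reported as 0x97 afterwards.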

Ok.
I tried with a new module, and loading of LGT0-keys.cwe works fine. Looks like I generated the LGT0-keys.cwe more than once.
So, now I have signed Yocto and Legato images. I haven’t tried signing of the root FS yet.