Unable to decrypt FIP on STM32MP13

Posted by arifbalik (Associate II), August 1, 2025. Solved. 2 replies, 378 views.

I have followed the wiki to create my encryption keys:

https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_Package#Creating_encryption_key_for_STM32MP13--STM32MP21--STM32MP23_and_STM32MP25

which suggests creating two keys, one for TF-A and one for FIP encryption.

But then on the same page it suggests we only load the encryption key for TF-A into the OTP registers (I cannot fit the FIP key into OTP anyway).

After I build my image with the following config:

SIGN_KEY = "../keys/privateKey00.pem"
SIGN_KEY_stm32mp13 = "../keys/privateKey00.pem"
EXTERNAL_KEY_CONF = "1"
SIGN_KEY_PASS = "pass pass pass pass pass pass pass pass"
SIGN_ENABLE = "1"
SIGN_TOOL = "/bin/STM32_SigningTool_CLI"

ENCRYPT_ENABLE = "1"
ENCRYPT_FSBL_KEY = "../keys/stm32mp_encryption_key.bin"
ENCRYPT_FSBL_KEY_stm32mp13 = "../keys/stm32mp_encryption_key.bin"
ENCRYPT_FIP_KEY = "../keys/stm32mp_encryption_key_256bits.bin"
ENCRYPT_FIP_KEY_stm32mp13 = "../keys/stm32mp_encryption_key_256bits.bin"

I get this error:

NOTICE: CPU: STM32MP135F Rev.Y
NOTICE: Model: EGate Rev D
NOTICE: Bootrom authentication succeeded
NOTICE: Reset reason (0x34):
NOTICE: BL2: v2.10-stm32mp1-r1.0(release):lts-v2.10.5-dirty(7c229848)
NOTICE: BL2: Built : 16:19:31, Jun 28 2024
NOTICE: TRUSTED_BOARD_BOOT support enabled
ERROR: File decryption failed (4)
ERROR: BL2: Failed to load image id 4 (-2)

Which makes sense, because I assume TF-A uses the key in the OTP to decrypt the image, which would fail.

When I try to encrypt the FIP using the same key as TF-A, I get the following error:

| CMD> encrypt_fw \
| --key <my-key> \
| --nonce 1234567890abcdef12345678 \
| --fw-enc-status 0 \
| --in /yocto/build/tmp-glibc/work/egate_revd-oe-linux-gnueabi/fip-stm32mp/6.0/recipe-sysroot/optee/tee-header_v2-stm32mp135f-dk-custom-mx-optee.bin \
| --out /yocto/build/tmp-glibc/work/egate_revd-oe-linux-gnueabi/fip-stm32mp/6.0/recipe-sysroot/optee/tee-header_v2-stm32mp135f-dk-custom-mx-optee_Encrypted.bin
| ERROR: Unsupported key size: 32
| [TOOLS ERROR]: ENCTOOL optee header error

When I completely skip encryption and only use signed binaries, I get yet another error:

NOTICE: CPU: STM32MP135F Rev.Y
NOTICE: Model: EGate Rev D
NOTICE: Bootrom authentication succeeded
NOTICE: Reset reason (0x34):
NOTICE: BL2: v2.10-stm32mp1-r1.0(release):lts-v2.10.5-dirty(7c229848)
NOTICE: BL2: Built : 16:19:31, Jun 28 2024
NOTICE: TRUSTED_BOARD_BOOT support enabled
ERROR: BL2: Failed to load image id 4 (-5)

Any suggestions?


2 replies

arifbalik (Author)
Associate II
August 1, 2025

My TF-A binary dump:

STM32_SigningTool_CLI -dump build/tmp-glibc/deploy/images/egate-revd/arm-trusted-firmware/tf-a-stm32mp135f-dk-custom-mx-optee-programmer-usb_Signed.stm32 
 -------------------------------------------------------------------
 STM32 Signing Tool v2.19.0 
 -------------------------------------------------------------------

 
Header description:

 Magic: 0x53544d32
 Signature: 04 17 61 e8 bf d6 13 9d 33 cf 94 ac ac 66 9d 68 b6 05 5b 48 c9 5e 01 34 0c f2 a9 2b de 4d 03 ef 
 27 a0 e2 18 9d 53 f2 82 96 df f6 78 5b eb 07 de 43 4a fa 5f 85 2e 4c 35 83 d8 be 72 62 49 ff b5 
 Checksum: 0x7da8d7
 Header version: 0x20000
 Size: 0x179e0
 Load address: 0x2ffe0000
 Entry point: 0x2ffe5000
 Image version: 0x0
 Extension: 0x80000001

 ECDSA : 256 
 
Authentication header detected:
 Type: 0x53540002
 Size: 0x154
 Key index: 0x0
 Key number: 0x8
 ECDSA Algo: 0x1
 ECDSA pub key: 45 c4 98 50 f7 4b f5 33 67 c1 bf 52 dc 2a 28 f0 2e 89 07 6a b2 8e 24 1f df 8f 75 48 80 da 1e f5 
 21 64 26 d8 53 d6 ac b1 f7 38 b0 d5 e3 2d a2 b7 2a 18 16 96 ab 72 4d 2a 17 87 25 aa 62 32 08 fa 
 
 Key 0: 0c 83 ca 35 5e 04 f8 5f 91 36 a6 54 7d 26 4b 44 f7 07 b3 3c a7 e8 e7 d9 58 bd fc 50 be 55 a6 f2 
 Key 1: 39 74 65 5e 76 e5 0b a5 6a 02 60 c2 3b e7 61 d6 bd c8 17 42 89 cf 56 19 c2 32 0f 18 a6 70 c3 bc 
 Key 2: be 0b 2f ff ef 9b 31 11 71 a1 97 ef 8a 72 3c 0f 91 60 56 ee 04 07 ba 3c 34 42 b2 9c 70 38 96 8c 
 Key 3: 27 db 2a 44 1b b2 af c2 7d 59 c7 38 da 9a 66 d3 80 9c be 99 97 63 f5 13 6c 98 a9 e3 49 60 89 17 
 Key 4: de 58 04 6f 77 15 54 2f 19 9d a2 13 c2 f5 9c 31 4f be 15 cd 51 a8 14 c1 81 aa 61 6b b6 e4 85 d9 
 Key 5: e6 61 12 23 10 a6 72 d4 9a fa 93 cf c4 57 14 d1 be f1 0f 9e f0 bc 45 89 19 27 53 d3 f6 0a 55 5c 
 Key 6: 0b 87 c6 72 fb 14 da f3 2c ea 8f 44 5c 1d 37 86 c1 61 7f 4b e7 29 26 7f 8e 51 dd 6a 6b 75 d1 1a 
 Key 7: fd 61 59 63 b5 d7 b6 ba 59 13 ce 83 91 bc d2 fe 2b 48 62 eb 5a df 5f 00 48 73 b3 0c 1e 15 a2 76 
 
Pad header detected:
 Type: 0x5354ffff
 Size: 0x2c
 Padding values: 02 1c f2 fa 14 a0 d0 03 1e 93 9e 7a dc 78 78 88 a2 23 1b 0f d8 37 54 d8 21 6e 0b db d6 0c 69 
 01 79 61 ab ad 

and FIP info:

build/tmp-glibc/sysroots-components/x86_64/tf-a-tools-native/usr/bin/fiptool info build/tmp-glibc/deploy/images/egate-revd/fip/fip-stm32mp135f-dk-custom-mx-optee-emmc_Signed.bin
Secure Payload BL32 (Trusted OS): offset=0x240, size=0x1C, cmdline="--tos-fw"
Secure Payload BL32 Extra1 (Trusted OS Extra1): offset=0x25C, size=0x8BFE0, cmdline="--tos-fw-extra1"
Non-Trusted Firmware BL33: offset=0x8C23C, size=0x115BC8, cmdline="--nt-fw"
FW_CONFIG: offset=0x1A1E04, size=0x236, cmdline="--fw-config"
HW_CONFIG: offset=0x1A203A, size=0xC530, cmdline="--hw-config"
Trusted key certificate: offset=0x1AE56A, size=0x283, cmdline="--trusted-key-cert"
Trusted OS Firmware key certificate: offset=0x1AE7ED, size=0x22B, cmdline="--tos-fw-key-cert"
Non-Trusted Firmware key certificate: offset=0x1AEA18, size=0x22E, cmdline="--nt-fw-key-cert"
Trusted Boot Firmware BL2 certificate: offset=0x1AEC46, size=0x2C9, cmdline="--tb-fw-cert"
Trusted OS Firmware content certificate: offset=0x1AEF0F, size=0x2E2, cmdline="--tos-fw-cert"
Non-Trusted Firmware content certificate: offset=0x1AF1F1, size=0x255, cmdline="--nt-fw-cert"
STM32MP CONFIG CERT: offset=0x1AF446, size=0x286, cmdline="--stm32mp-cfg-cert"
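The dump above is the STM32 v2.0 image header that the signing tool writes in front of TF-A: a 128-byte fixed part (magic "STM2", 64-byte ECDSA signature, payload checksum, header version 0x20000, image size, load address and entry point, extension flags) followed by type/length extension headers, here an authentication header (type 0x53540002, 0x154 bytes) and a pad header (type 0x5354ffff, 0x2c bytes), 384 bytes together. The following Python script is an added example, not ST's tool, not TF-A code and not part of the poster's reply; it parses that layout and recomputes the ROM payload checksum (32-bit sum of the payload bytes) so you can check what the signing tool actually put in a `*_Signed.stm32` file. Assumptions: the fixed-field order is the one TF-A's `stm32image` uses for v2 headers; the authentication-extension layout (key index, key count, ECDSA algo, 64-byte public key, eight 32-byte key-table entries, which is exactly 0x154 bytes) is inferred from the dump above; the sample image is constructed with dummy signature and key bytes, and its binary type is left 0 because the dump does not show it.

```python
"""Parse an STM32 v2.0 image header (fixed part + extension headers) and
verify the ROM payload checksum.  Added example; not ST's tool, not TF-A."""
import struct

STM32_MAGIC = 0x53544D32   # "STM2" (dump: Magic: 0x53544d32)
EXT_AUTH = 0x53540002      # authentication header type seen in the dump
EXT_PAD = 0x5354FFFF       # pad header type seen in the dump
FIXED_LEN = 128            # fixed fields; extension headers follow directly

# Little-endian: magic, 64-byte signature, eleven u32 fields, 16 bytes padding
# (field order as in TF-A's stm32image v2 header).
FIXED_FMT = "<I64s" + "I" * 11 + "16s"
FIXED_FIELDS = ("magic", "signature", "checksum", "header_version",
                "image_length", "entry_point", "reserved1", "load_address",
                "reserved2", "version_number", "extension_flags",
                "post_headers_length", "binary_type", "padding")


def payload_checksum(payload: bytes) -> int:
    """ROM checksum: 32-bit sum of every payload byte, header excluded."""
    return sum(payload) & 0xFFFFFFFF


def parse_header(image: bytes) -> dict:
    """Return the fixed fields, the parsed extension list and whether the
    payload length and checksum agree with what the header claims."""
    hdr = dict(zip(FIXED_FIELDS, struct.unpack_from(FIXED_FMT, image, 0)))
    if hdr["magic"] != STM32_MAGIC:
        raise ValueError("bad magic 0x%08x" % hdr["magic"])
    if hdr["header_version"] >> 16 != 2:
        raise ValueError("only v2.x headers carry extension headers")
    ext_end = FIXED_LEN + hdr["post_headers_length"]
    off, exts = FIXED_LEN, []
    while off < ext_end:
        ext_type, ext_len = struct.unpack_from("<II", image, off)
        if ext_len < 8 or off + ext_len > ext_end:
            raise ValueError("extension header at 0x%x has bad length" % off)
        body = image[off + 8:off + ext_len]
        ext = {"type": ext_type, "length": ext_len}
        if ext_type == EXT_AUTH:
            # 0x154 = 8 + 3*4 + 64 + 8*32 (layout inferred from the dump):
            # key index, key count, ECDSA algo, public key, 8 key-table entries
            (ext["key_index"], ext["key_number"],
             ext["ecdsa_algo"]) = struct.unpack_from("<III", body, 0)
            ext["pubkey"] = body[12:76]
            ext["keys"] = [body[76 + 32 * i:108 + 32 * i] for i in range(8)]
        elif ext_type == EXT_PAD:
            ext["padding"] = body
        exts.append(ext)
        off += ext_len
    hdr["extensions"] = exts
    payload = image[ext_end:ext_end + hdr["image_length"]]
    hdr["payload_ok"] = (len(payload) == hdr["image_length"]
                         and payload_checksum(payload) == hdr["checksum"])
    return hdr


def build_sample_image() -> bytes:
    """Constructed test image with the same header shape as the dump above
    (auth extension 0x154 bytes + pad extension 0x2c bytes = 384 bytes).
    Signature and keys are dummy bytes; binary type left 0 (not in the dump)."""
    payload = bytes(range(256)) * 4
    auth = (struct.pack("<II", EXT_AUTH, 0x154)
            + struct.pack("<III", 0, 8, 1)           # key index 0, 8 keys, algo 1
            + b"\x22" * 64                           # dummy ECDSA public key
            + b"".join(bytes([i]) * 32 for i in range(8)))
    pad = struct.pack("<II", EXT_PAD, 0x2C) + bytes(0x2C - 8)
    fixed = struct.pack(FIXED_FMT, STM32_MAGIC, b"\x11" * 64,
                        payload_checksum(payload), 0x20000, len(payload),
                        0x2FFE5000, 0, 0x2FFE0000, 0, 0, 0x80000001,
                        len(auth) + len(pad), 0, bytes(16))
    return fixed + auth + pad + payload


if __name__ == "__main__":
    h = parse_header(build_sample_image())
    for k in ("checksum", "image_length", "load_address", "entry_point",
              "extension_flags"):
        print("%s: 0x%x" % (k, h[k]))
    for e in h["extensions"]:
        print("extension 0x%08x size 0x%x" % (e["type"], e["length"]))
    print("payload ok:", h["payload_ok"])
```

To inspect a real image, pass `open(path, "rb").read()` to `parse_header()` instead of the constructed sample; the extension types, sizes and key count it reports should match what `STM32_SigningTool_CLI -dump` prints, and `payload_ok` being False means the file was truncated or modified after signing.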
arifbalik (Author), Best answer
Associate II
August 12, 2025

For those who faced a similar problem: I was unable to use a 128-bit key, so I burned a 256-bit key into custom OTP fuses and modified the TF-A source and device tree to use it.