Associate II
October 23, 2023
Question

STM32MP157F-EV1 Signing Tool crash during bitbake build


Hello,

I am trying to enable secure boot on my STM32MP157F-EV1 board. I'm following the https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_package Tutorial.

The keys are created, the public hash is fused.

I've added the required information in the local.conf file to enable signature. (I also noticed that the compilation stops if the SIGN_KEY_stm32mp13 is not in this file, which I find weird because the conf file is made for an stm32mp15 board.)

SIGN_KEY = "key/stm32mp15/privateKey.pem"
SIGN_KEY_stm32mp15 = "key/stm32mp15/privateKey.pem"
SIGN_KEY_stm32mp13 = "key/stm32mp13/privateKey00.pem"
EXTERNAL_KEY_CONF = "1"
SIGN_KEY_PASS = "<password>"
SIGN_ENABLE = "1"
SIGN_TOOL = "/home/viveris/julien/STM32CubeProgrammer-2.14.0/bin/STM32MP_SigningTool_CLI"

The bitbake st-image-weston goes well until the T-FA build. STM32MP Signing Tool v2.14.0 crashes with a Segmentation Fault. Here is the console error:

| -------------------------------------------------------------------
| STM32MP Signing Tool v2.14.0
| -------------------------------------------------------------------
| 
| Prime256v1 curve is selected.
| Segmentation fault (core dumped)
| WARNING: exit code 139 from a shell command.
ERROR: Task (/home/julien/new/layers/meta-st/meta-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.8.bb:do_compile) failed with exit code '1'

Could it be an issue with the keys path?

I also tried to use the Signing Tool with an already compiled firmware, but got the same result: the Signing Tool crashes when I give the key path.

Any hints?

 

Thanks for your help,

Regards


4 replies

Erwan SZYMANSKI
Technical Moderator
November 17, 2023

Hello @jdebaud,
Are you still stuck with this issue? We did not notice such a status in our internal test.

Kind regards,
Erwan.

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.
jdebaud (Author)
Associate II
November 17, 2023

Hello @Erwan SZYMANSKI 

Yes, I am still having the issue. After some tests, it seems to be caused by the privateKey password. The one I use is 30 characters long. But I tried with a 5-character one with a new key pair, and this one works.

Regards

Erwan SZYMANSKI
Technical Moderator
November 17, 2023

Thank you for your precious feedback, we will check it internally, as a segmentation fault is not a wanted status.

Kind regards,
Erwan.

jdebaud (Author)
Associate II
November 17, 2023

I am mostly unable to use the Signing Tool. Even in standalone mode, it also has a segmentation fault.

I used gdb to have a better vision of what is happening, here's the log:

Starting program: /home/viveris/julien/STM32CubeProgrammer-2.14.0/bin/STM32MP_SigningTool_CLI 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 -------------------------------------------------------------------
 STM32MP Signing Tool v2.14.0 
 -------------------------------------------------------------------
 STM32AP Signing Tool [Version v2.14.0 ] <'-?' for help>
Copyright (c) 2022 STMicroelectronics. All rights reserved.

Please enter the binary image file Path
/home/viveris/julien/tf-a-stm32mp157f-ev1-sdcard.stm32

Please select decrypting algorithm 1. prime256v1 2. brainpoolP256t1 (1/2)?
1

Please enter the public key file Path
/home/viveris/julien/keys/stm32mp15/publicKey.pem

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73417f4 in QString::append(QString const&) () from /home/viveris/julien/STM32CubeProgrammer-2.14.0/bin/../lib/libQt5Core.so.5

I do not think the 2 segmentation faults are related, because this one happens when using the publicKey, whereas with bitbake it tends to occur when using a password that is too long for the private key.

 

Regards.

Erwan SZYMANSKI
Technical Moderator
November 17, 2023

@jdebaud,
Thank you for taking the time to help understand this issue.

I took the same version of CubeProgrammer as you have and ran the following commands:

- STM32MP_KeyGen_CLI -abs ./ -pwd azertyuiopsdfghjkmlkjfhdgsfdhfnzeivnzrgnpzergbvepzbpzengvpzqbnpzbrg -n 1

- STM32MP_SigningTool_CLI -pubk ./publicKey00.pem -prvk ./privateKey00.pem -pwd azertyuiopsdfghjkmlkjfhdgsfdhfnzeivnzrgnpzergbvepzbpzengvpzqbnpzbrg -t fsbl -bin <my_tfa_path>/tf-a-stm32mp157f-dk-sdcard.stm32 -o ./tf-a-sdcard_Signed.stm32

I do not face any issue... Did you try to reinstall your CubeProgrammer tool? I would like to leave you with something working.

Kind regards,
Erwan.

jdebaud (Author)
Associate II
November 17, 2023

I've just tried to uninstall and reinstall the CubeProgrammer tools, but I have the exact same result in standalone mode.

To add some context, here is the content of my /etc/os-release file:

NAME="Linux Mint"
VERSION="21.2 (Victoria)"
ID=linuxmint

 

I have more to tell about the error. I tried to use it, passing the args on the command line just as you wrote in your last post:

./STM32MP_SigningTool_CLI -pubk path/publicKey.pem -prvk path/privateKey.pem -pwd password -t fsbl -bin path/tf-a-stm32mp157f-ev1-sdcard.stm32 -o path/tf-a-stm32mp157f-ev1-sdcard-SIGNED.stm32

With gdb I have the following:

 -------------------------------------------------------------------
 STM32MP Signing Tool v2.14.0 
 -------------------------------------------------------------------

 Prime256v1 curve is selected. 
 Error: extracting public key fails
 Error: extracting public key fails
 Error: extracting public key fails

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b27e62 in EVP_PKEY_cmp () from /home/viveris/julien/STM32CubeProgrammer-2.14.0/bin/../lib/libcrypto.so.1.0.0
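
A pre-flight check for the situation reported above, as an added example that is not part of the original posts or of ST's tools: it uses the stock openssl CLI to confirm that the private key decrypts with the passphrase and that its public half equals the public key file before either is handed to a signing step. It assumes the key files are standard PEM EC keys that OpenSSL can parse; `check_keypair`, `make_demo_keys` and the file names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of a PEM key pair before a signing step uses it.
# Assumption: the key files are standard PEM EC keys that the openssl CLI can parse.

# check_keypair PRIV PUB PASSFILE
#   0 = private key decrypts and its public half equals PUB
#   2 = a file is unreadable     3 = wrong passphrase or unparsable private key
#   4 = unparsable public key    5 = public key does not belong to the private key
check_keypair() {
    priv=$1; pub=$2; passfile=$3
    [ -r "$priv" ] && [ -r "$pub" ] && [ -r "$passfile" ] || return 2
    # The passphrase is read from a file so it never appears in the process list.
    derived=$(openssl pkey -in "$priv" -passin "file:$passfile" -pubout 2>/dev/null) || return 3
    # Re-encode the supplied public key so both sides are normalised the same way.
    given=$(openssl pkey -pubin -in "$pub" -pubout 2>/dev/null) || return 4
    [ "$derived" = "$given" ] || return 5
    return 0
}

# make_demo_keys DIR PASSPHRASE: constructed prime256v1 sample pair for the demo.
make_demo_keys() {
    dir=$1
    ( umask 077; printf '%s\n' "$2" > "$dir/pass.txt" )
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -aes-256-cbc -pass "file:$dir/pass.txt" -out "$dir/privateKey.pem" 2>/dev/null &&
    openssl pkey -in "$dir/privateKey.pem" -passin "file:$dir/pass.txt" \
        -pubout -out "$dir/publicKey.pem" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    # Constructed 30-character passphrase, the length mentioned in the thread.
    make_demo_keys "$tmp" "constructed-30-char-passphrase"
    check_keypair "$tmp/privateKey.pem" "$tmp/publicKey.pem" "$tmp/pass.txt"
    echo "check_keypair exit code: $?"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to exercise the check on a constructed pair, or call `check_keypair` with your own key files and a passphrase file.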

 

Erwan SZYMANSKI
Technical Moderator
November 17, 2023

@jdebaud,
I asked some colleagues to do the same test with me on Ubuntu 20.04 and 22.04, and with openssl v3.x (libcrypto3) and openssl v1 (libcrypto1), but we did not notice such an error. Unfortunately I do not have a Linux Mint distribution PC somewhere here, and I will not be able to test with the exact same conditions, but as Mint is based on Ubuntu, it seems weird to see such a delta in the final status.

Regards,
Erwan.

jdebaud (Author)
Associate II
November 17, 2023

I've just tested out the SigningTool on my Ubuntu 22.04 Virtual machine and it worked correctly. Thus apparently it might be due to the Mint used on the compilation machine I am using with bitbake.

I'm testing the library dependencies to see if I can find the issue.

Erwan SZYMANSKI
Technical Moderator
November 17, 2023

Thanks for your additional test on VM, please let me know if you find something more.

Kind regards,
Erwan.

jdebaud (Author)
Associate II
November 28, 2023

Hello, sorry for the delay.

 

I've tested the signing tool on a clean Linux Mint VM. I can confirm that there are issues on both sides:

- Using the CLI without specifying the arguments first ends in a SIGSEGV. It is still giving the same issue: a libQt5Core crash.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73417f4 in QString::append(QString const&) () from /media/sf_VM_Shared/STM32MPU-Tools/bin/../lib/libQt5Core.so.5

- Using the CLI with all the required arguments ends in a signed binary.

 Prime256v1 curve is selected. 
 Header version 1 preparation ... 
 Reading Private Key File... 
 ECDSA signature generated.
 Signature verification: SUCCESS 
 The Signed image file generated successfully: .../tf-a-stm32mp157f-ev1-sdcard-SIGNED.stm32

 

I will try to sign the fsbl with bitbake and come back to you later.

Regards