https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1211668#M167751 <P>Now I have added to the SD card the full rootfs and kernel image but still u-boot hangs at that point.</P><P>I am using U-Boot SPL 2019.04-imx_v2019.04_4.19.35_1.0.0+g85bdcc7 and I have also OPTEE in the signed_flash.bin so I am missing patch for 1.1.0 at the moment.</P><P>I see the address that is trying to authenticate image from is&nbsp;<SPAN>0x401fcdc0, this corresponds to sld_hab_block&nbsp; in my build log and I have added it as required to the csf_fit.txt&nbsp;</SPAN></P> Thu, 14 Jan 2021 09:30:03 GMT antonio_santagi 2021-01-14T09:30:03Z https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1211051#M167693 <P>Hello,</P><P>I have followed document at&nbsp;</P><P><A href="https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx8m_mx8mm_secure_boot.txt?h=imx_v2019.04_4.19.35_1.1.0" target="_blank" rel="noopener">https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/guides/mx8m_mx8mm_secure_boot.txt?h=imx_v2019.04_4.19.35_1.1.0</A></P><P>I have programmed SRK hash table fuses and verified after programming the values were correct.</P><P>I have tried with an unsigned image on SD card and verified that u-boot hab_status command was reporting errors in hab status.</P><P>I have then put an SD card with signed image and verified that u-boot hab_status was reporting :&nbsp;</P><P>u-boot=&gt; hab_status<BR /><BR />Secure boot disabled<BR /><BR />HAB Configuration: 0xf0, HAB State: 0x66<BR />No HAB Events Found!</P><P>Then I have proceeded with next step in the document : 1.9 Closing the device :</P><PRE>=&gt; fuse prog 1 3 0x2000000</PRE><P>&nbsp;after this now I can't boot the device anymore from the same SD card that was reported with hab no events found and HAB state 0x66.</P><P>the board gets stuck at boot with this message :&nbsp;</P><P>U-Boot SPL 2019.04-imx_v2019.04_4.19.35_1.0.0+g85bdcc7 (Jan 04 2021 - 11:15:40 )<BR />power_bd71837_init<BR />DDRINFO: start DRAM init<BR />DDRINFO:ddrphy calibration done<BR />DDRINFO: ddrmix config done<BR />Normal Boot<BR />Trying to boot from MMC1<BR /><BR />Authenticate image from DDR location 0x401fcdc0..<BR /><BR /></P><P>so HAB looks is working correctly as it launches what is signed correctly.&nbsp;</P><P>But u-boot for some reason gets stuck.&nbsp;</P><P>The same image, if processor is not locked to run only in secure mode, works.</P><P>what could be wrong or missing ?</P><P>thank you</P> Wed, 13 Jan 2021 10:59:10 GMT https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1211051#M167693 antonio_santagi 2021-01-13T10:59:10Z https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1211071#M167697 <P>could it be now some memory addresses are not suitable because used by something else ?</P><P>I have not added HAB verification of Kernel image, I have not added a Kernel image to the SD card at all.</P><P>However the message "<SPAN>Authenticate image from DDR location 0x401fcdc0.." sounds like HAB is trying checking the Kernel image automatically, is this possible ?</SPAN></P><P><SPAN>I have not called the hab_auth_img API from u-boot.</SPAN></P><P>&nbsp;</P> Wed, 13 Jan 2021 16:39:59 GMT https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1211071#M167697 antonio_santagi 2021-01-13T16:39:59Z https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1211515#M167728 <P><a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/120713">@antonio_santagi</a>&nbsp;<BR />Hello,<BR /><BR /></P> <P>&nbsp; yes, HAB is trying checking the Kernel image automatically - please try to add it.</P> <P>Regards,<BR />Yuri.</P> <P>&nbsp;</P> Thu, 14 Jan 2021 06:18:19 GMT https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1211515#M167728 Yuri 2021-01-14T06:18:19Z https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1211629#M167745 <P>Hello,</P><P>this is very interesting.&nbsp;</P><P>is this mentioned somewhere in the docs ? I thought I should have manually extend the u-boot to achieve this Kernel checking.</P><P>I have now another SD card with different u-boot version ( the one <SPAN>v2019.04_4.19.35_1.1.0 ) and HAB does not do this automatic checking of the Kernel image. I can reach the u-boot prompt.</SPAN></P><P><SPAN>What does the HAB's choice of Kernel image checking or not checking depend upon ? Does it depend on the env variables ? Or the content of the Filesystem ?</SPAN></P><P><SPAN>thank you</SPAN></P> Thu, 14 Jan 2021 08:53:51 GMT https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1211629#M167745 antonio_santagi 2021-01-14T08:53:51Z https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1211668#M167751 <P>Now I have added to the SD card the full rootfs and kernel image but still u-boot hangs at that point.</P><P>I am using U-Boot SPL 2019.04-imx_v2019.04_4.19.35_1.0.0+g85bdcc7 and I have also OPTEE in the signed_flash.bin so I am missing patch for 1.1.0 at the moment.</P><P>I see the address that is trying to authenticate image from is&nbsp;<SPAN>0x401fcdc0, this corresponds to sld_hab_block&nbsp; in my build log and I have added it as required to the csf_fit.txt&nbsp;</SPAN></P> Thu, 14 Jan 2021 09:30:03 GMT https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1211668#M167751 antonio_santagi 2021-01-14T09:30:03Z https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1211693#M167754 <P>Hello&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/1941">@Yuri</a>&nbsp;</P><P>apparently my problem of u-boot stuck when locked secure boot mode is enabled is solved now that I added further command to unlock the CAAM module, as per your guide this should be added and I had not added because I did not know in our particular ( non standard )&nbsp; condition that was to be applied.</P><P>With the CAAM unlock additional command I can get to a working u-boot console .Now the u-boot is not stuck and instead it stops on console prompt because Kernel image is not signed. So you were correct in saying the HAB automatically tries to check the Kernel image.&nbsp; Is this a quite recent feature ? I could not see the Kernel Image automatic verification happening when the processor was not in locked secure mode.</P><P>&nbsp;</P> Thu, 14 Jan 2021 13:51:11 GMT https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1211693#M167754 antonio_santagi 2021-01-14T13:51:11Z https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1212306#M167809 <P><a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/120713">@antonio_santagi</a>&nbsp;<BR />Hello,</P> <P>&nbsp;&nbsp; check Your U-Boot bootcmd - it can include hab_auth_img</P> <P>Regards,<BR />Yuri.</P> Fri, 15 Jan 2021 09:49:52 GMT https://community.nxp.com/t5/i-MX-Processors/imx8mm-secure-boot-enable/m-p/1212306#M167809 Yuri 2021-01-15T09:49:52Z