https://community.nxp.com/t5/i-MX-Processors/i-Mx8MP-Fast-Auth-HAB-errors/m-p/2067674#M235463 <P>After decoding the first HAB event using the HABv4 API document, it looks like the reason is "specified key is identified as a CA key." I double checked my keys and they don't have the CA flag set, I'm a little bit more confused now.</P> Tue, 25 Mar 2025 11:16:01 GMT jd-bootlin 2025-03-25T11:16:01Z https://community.nxp.com/t5/i-MX-Processors/i-Mx8MP-Fast-Auth-HAB-errors/m-p/2067164#M235427 <P>Hello,</P><P>I'm trying to implement secure boot on an i.MX8MP-based custom platform. The board design is very similar to the i.MX8MP devkit.</P><P>I want to use the Fast Authentication feature. So far, I've burnt the key hash into the SoC and I got the following HAB errors:</P><LI-CODE lang="c">u-boot=&gt; hab_status Secure boot disabled HAB Configuration: 0xf0, HAB State: 0x66 --------- HAB Event 1 ----------------- event data: 0xdb 0x00 0x14 0x45 0x33 0x1d 0xc0 0x00 0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00 0x00 0x00 0x10 0xe8 STS = HAB_FAILURE (0x33) RSN = HAB_INV_KEY (0x1D) CTX = HAB_CTX_COMMAND (0xC0) ENG = HAB_ENG_ANY (0x00) --------- HAB Event 2 ----------------- event data: 0xdb 0x00 0x14 0x45 0x33 0x1d 0xc0 0x00 0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00 0x00 0x00 0x10 0xe8 STS = HAB_FAILURE (0x33) RSN = HAB_INV_KEY (0x1D) CTX = HAB_CTX_COMMAND (0xC0) ENG = HAB_ENG_ANY (0x00) --------- HAB Event 3 ----------------- event data: 0xdb 0x00 0x14 0x45 0x33 0x1d 0xc0 0x00 0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00 0x00 0x00 0x10 0xd0 STS = HAB_FAILURE (0x33) RSN = HAB_INV_KEY (0x1D) CTX = HAB_CTX_COMMAND (0xC0) ENG = HAB_ENG_ANY (0x00) --------- HAB Event 4 ----------------- event data: 0xdb 0x00 0x14 0x45 0x33 0x1d 0xc0 0x00 0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00 0x00 0x00 0x10 0xd0 STS = HAB_FAILURE (0x33) RSN = HAB_INV_KEY (0x1D) CTX = HAB_CTX_COMMAND (0xC0) ENG = HAB_ENG_ANY (0x00) --------- HAB Event 5 ----------------- event data: 0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x00 0x91 0xff 0xc0 0x00 0x00 0x00 0x20 STS = HAB_FAILURE (0x33) RSN = HAB_INV_ASSERTION (0x0C) CTX = HAB_CTX_ASSERT (0xA0) ENG = HAB_ENG_ANY (0x00) --------- HAB Event 6 ----------------- event data: 0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x00 0x91 0xff 0xe0 0x00 0x00 0x00 0x0c STS = HAB_FAILURE (0x33) RSN = HAB_INV_ASSERTION (0x0C) CTX = HAB_CTX_ASSERT (0xA0) ENG = HAB_ENG_ANY (0x00) --------- HAB Event 7 ----------------- event data: 0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x00 0x92 0x00 0x00 0x00 0x00 0x00 0x04 STS = HAB_FAILURE (0x33) RSN = HAB_INV_ASSERTION (0x0C) CTX = HAB_CTX_ASSERT (0xA0) ENG = HAB_ENG_ANY (0x00) --------- HAB Event 8 ----------------- event data: 0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x40 0x1f 0xbd 0xc0 0x00 0x00 0x00 0x20 STS = HAB_FAILURE (0x33) RSN = HAB_INV_ASSERTION (0x0C) CTX = HAB_CTX_ASSERT (0xA0) ENG = HAB_ENG_ANY (0x00) --------- HAB Event 9 ----------------- event data: 0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00 0x00 0x00 0x00 0x00 0x40 0x1f 0xad 0xc0 0x00 0x00 0x00 0x04 STS = HAB_FAILURE (0x33) RSN = HAB_INV_ASSERTION (0x0C) CTX = HAB_CTX_ASSERT (0xA0) ENG = HAB_ENG_ANY (0x00)</LI-CODE><P>&nbsp;</P><P>It looks like my key is invalid. I double checked that I fused the correct keys and it looks good to me.</P><P>Here is my full procedure, if you see something wrong:</P><P>PKI tree generation:</P><LI-CODE lang="c">$ ./keys/hab4_pki_tree.sh Do you want to use an existing CA key (y/n)?: n Key type options (confirm targeted device supports desired key type): Select the key type (possible values: rsa, rsa-pss, ecc)?: rsa-pss Enter key length in bits for PKI tree: 4096 Enter PKI tree duration (years): 5 How many Super Root Keys should be generated? 4 Do you want the SRK certificates to have the CA flag set? (y/n)?: n</LI-CODE><P>&nbsp;</P><P>&nbsp;SRK table/fuse generation:</P><LI-CODE lang="c">$ ./linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c crts/SRK1_sha256_4096_65537_v3_usr_crt.pem,crts/SRK2_sha256_4096_65537_v3_usr_crt.pem,crts/SRK3_sha256_4096_65537_v3_usr_crt.pem,crts/SRK4_sha256_4096_65537_v3_usr_crt.pem Number of certificates = 4 SRK table binary filename = SRK_1_2_3_4_table.bin SRK Fuse binary filename = SRK_1_2_3_4_fuse.bin SRK Fuse binary dump: SRKH[0] = 0xCC68B1A5 SRKH[1] = 0xFC739529 SRKH[2] = 0xC2A266D4 SRKH[3] = 0x565ED742 SRKH[4] = 0xD85265D5 SRKH[5] = 0x2E4D871A SRKH[6] = 0x6AAF0D93 SRKH[7] = 0x21C75F71</LI-CODE><P>&nbsp;</P><P>Hexdump output:</P><LI-CODE lang="c">$ hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin 0xCC68B1A5 0xFC739529 0xC2A266D4 0x565ED742 0xD85265D5 0x2E4D871A 0x6AAF0D93 0x21C75F71</LI-CODE><P>&nbsp;</P><P>Fuse reads on target after being burnt:</P><LI-CODE lang="c">u-boot=&gt; fuse read 6 0 4 Reading bank 6: Word 0x00000000: cc68b1a5 fc739529 c2a266d4 565ed742 u-boot=&gt; fuse read 7 0 4 Reading bank 7: Word 0x00000000: d85265d5 2e4d871a 6aaf0d93 21c75f71</LI-CODE><P>&nbsp;</P><P>For the signing procedure, you'll find attached my CSF templates and imx-mkimage build logs.</P><P>I'm using CST version 4.0.0.</P><P><BR />And for the CSF binaries generation and injection:</P><P>&nbsp;</P><LI-CODE lang="c">$ ./linux64/bin/cst -i cst_spl.txt -o cst_spl.bin CSF Processed successfully and signed data available in cst_spl.bin $ ./linux64/bin/cst -i cst_fit.txt -o cst_fit.bin CSF Processed successfully and signed data available in cst_fit.bin $ cp flash.bin signed_flash.bin $ dd if=cst_spl.bin of=signed_flash.bin seek=$((0x36c00)) bs=1 conv=notrunc $ dd if=cst_fit.bin of=signed_flash.bin seek=$((0x59020)) bs=1 conv=notrunc $ sudo dd if=signed_flash.bin of=/dev/sdb bs=1K seek=32 &amp;&amp; sync</LI-CODE><P>&nbsp;</P> Mon, 24 Mar 2025 10:06:44 GMT https://community.nxp.com/t5/i-MX-Processors/i-Mx8MP-Fast-Auth-HAB-errors/m-p/2067164#M235427 jd-bootlin 2025-03-24T10:06:44Z https://community.nxp.com/t5/i-MX-Processors/i-Mx8MP-Fast-Auth-HAB-errors/m-p/2067674#M235463 <P>After decoding the first HAB event using the HABv4 API document, it looks like the reason is "specified key is identified as a CA key." I double checked my keys and they don't have the CA flag set, I'm a little bit more confused now.</P> Tue, 25 Mar 2025 11:16:01 GMT https://community.nxp.com/t5/i-MX-Processors/i-Mx8MP-Fast-Auth-HAB-errors/m-p/2067674#M235463 jd-bootlin 2025-03-25T11:16:01Z https://community.nxp.com/t5/i-MX-Processors/i-Mx8MP-Fast-Auth-HAB-errors/m-p/2067712#M235464 <P>Hello <a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/248421">@jd-bootlin</a>&nbsp;</P> <P><BR />The i.MX8MP doesn't support RSA-PSS key for HAB. Suggest to Key Type - RSA.</P> <P>&nbsp;</P> <P>Regards</P> <P>Harvey</P> Tue, 25 Mar 2025 12:43:42 GMT https://community.nxp.com/t5/i-MX-Processors/i-Mx8MP-Fast-Auth-HAB-errors/m-p/2067712#M235464 Harvey021 2025-03-25T12:43:42Z https://community.nxp.com/t5/i-MX-Processors/i-Mx8MP-Fast-Auth-HAB-errors/m-p/2067740#M235466 Hello <a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/192970">@Harvey021</a>, thanks for your feedback!<BR />Do you know if it is written somewhere? I read multiple times the official CST doc and I did not find this information. Tue, 25 Mar 2025 13:00:10 GMT https://community.nxp.com/t5/i-MX-Processors/i-Mx8MP-Fast-Auth-HAB-errors/m-p/2067740#M235466 jd-bootlin 2025-03-25T13:00:10Z https://community.nxp.com/t5/i-MX-Processors/i-Mx8MP-Fast-Auth-HAB-errors/m-p/2068287#M235494 <P>For its detailed information, recommend to have a reference to the section &lt;HAB Feature summary&gt; of SRM.&nbsp;</P> <P>&nbsp;</P> <P>Regards</P> <P>Harvey</P> Wed, 26 Mar 2025 03:48:05 GMT https://community.nxp.com/t5/i-MX-Processors/i-Mx8MP-Fast-Auth-HAB-errors/m-p/2068287#M235494 Harvey021 2025-03-26T03:48:05Z