https://community.nxp.com/t5/i-MX-Processors/imx8qxp-secure-boot-AHAB-BAD-KEY-HASH-IND/m-p/2151569#M240077 <P>The event tells that the key hash verification does not match OTP.</P> <P>There may be problem with your SRK TABLE hash calculation. Have a try to compare SRK TABLE and Fuse hash values.&nbsp;</P> <P>&nbsp;</P> <P>Regards</P> <P>Harvey</P> Wed, 13 Aug 2025 09:49:10 GMT Harvey021 2025-08-13T09:49:10Z https://community.nxp.com/t5/i-MX-Processors/imx8qxp-secure-boot-AHAB-BAD-KEY-HASH-IND/m-p/2149283#M239991 <P>We are signing imx-boot and linux-imx using a HSM, cst_signer, CST 3.4.0.</P><P>Before issuing a ahab_close, verifying SECO events with ahab_status, we see the following in u-boot:</P><BLOCKQUOTE><P><BR />=&gt; ahab_status<BR />Lifecycle: 0x0020, NXP closed</P><P>SECO Event[0] = 0x0087FA00<BR />CMD = AHAB_AUTH_CONTAINER_REQ (0x87)<BR />IND = AHAB_BAD_KEY_HASH_IND (0xFA)</P><P>sc_seco_get_event: idx: 1, res:3</P></BLOCKQUOTE><P>Reading the SRK OTP values from u-boot, using fuse read 0 730 16 results in the values we have in our uuu script.</P><P>We cannot understand where that mismatch is coming from. Any help what we could verify that or guidance in how to debug it would be appreciated.</P><P>If any additional info is required to help us to solve this issue, we can provide it.</P><P>---</P><P>Summary of the commands we are running, our build is yocto-based.</P><P>We export from the HSM 4 certificates, let's call them cert{1,2,3,4}.pem.</P><P>create table.bin and fuse.bin</P><BLOCKQUOTE><P>.../cst-3.4.0/linux64/bin/srktool -a -s sha384 -t table.bin \<BR />-e fuse.bin -f 1 \<BR />-c cert1.pem,cert2.pem,cert3.pem,cert4.pem</P></BLOCKQUOTE><P>linux-imx:</P><BLOCKQUOTE><P>.../cst_signer -d -i flash_os.bin -c csf.cfg --pkcs11<BR />mv signed-flash_os.bin os_cntr_signed.bin</P></BLOCKQUOTE><P>imx-boot:</P><BLOCKQUOTE><P>cst_signer -d -i imx-boot-imx8qxp-d7-sd.bin-flash -c csf.cfg --pkcs11</P></BLOCKQUOTE><P><BR />Note: the --pkcs11 flag on cst_signer is a patch we've added. It just adds the -b pkcs11 to the call to cst.</P><P><BR />csf.cfg looks like this</P><BLOCKQUOTE><P>#Header<BR />header_version=1.0<BR />#Install SRK<BR />srktable_file=SRK_1_2_3_4_table.bin<BR />srk_source=pkcs11:model=YubiHSM;token=YubiHSM;object=./SRK1_sha384_p384_v3_usr;type=cert;pin-value=xxyyxxyyxxyyxxyy<BR />srk_source_index=0<BR />srk_source_set=OEM<BR />srk_revocations=0x0<BR />#Install Certificate<BR />sgk_file=<BR />sgk_permissions=</P></BLOCKQUOTE><P>PKI tree in the HSM params:</P><BLOCKQUOTE><P>Existing CA: N<BR />Use ECC: Y<BR />Key Length: p384<BR />Digest Algorithm: sha384<BR />Duration: 5 years<BR />SRK CA: N</P></BLOCKQUOTE> Fri, 08 Aug 2025 14:47:52 GMT https://community.nxp.com/t5/i-MX-Processors/imx8qxp-secure-boot-AHAB-BAD-KEY-HASH-IND/m-p/2149283#M239991 eduardo3 2025-08-08T14:47:52Z https://community.nxp.com/t5/i-MX-Processors/imx8qxp-secure-boot-AHAB-BAD-KEY-HASH-IND/m-p/2151569#M240077 <P>The event tells that the key hash verification does not match OTP.</P> <P>There may be problem with your SRK TABLE hash calculation. Have a try to compare SRK TABLE and Fuse hash values.&nbsp;</P> <P>&nbsp;</P> <P>Regards</P> <P>Harvey</P> Wed, 13 Aug 2025 09:49:10 GMT https://community.nxp.com/t5/i-MX-Processors/imx8qxp-secure-boot-AHAB-BAD-KEY-HASH-IND/m-p/2151569#M240077 Harvey021 2025-08-13T09:49:10Z