AHAB: status information and user space tools

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AHAB: status information and user space tools

Jump to solution
1,979 Views
OlegHahm
Contributor I

Hi!

I'm currently developing a secure boot solution for one of our customers. Following some tutorials (including the ones provided by U-Boot itself), I've managed to get a signed version of U-Boot to execute on my iMX.8 Quad Plus.

Since I haven't programmed the fuses yet, I get a message like

Lifecycle: 0x0020, NXP closed

SECO Event[0] = 0x0087FA00
        CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
        IND = AHAB_BAD_KEY_HASH_IND (0xFA)

SECO Event[1] = 0x0087FA00
        CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
        IND = AHAB_BAD_KEY_HASH_IND (0xFA)

sc_seco_get_event: idx: 2, res:3

when calling ahab_status from the U-Boot CLI.

Now I wonder if there's any documentation on this output and if there are any Linux user space tools to read the SECO information.

 

Tags (1)
0 Kudos
Reply
1 Solution
1,965 Views
Yuri
NXP Employee
NXP Employee

@OlegHahm 
Hello,

  According to the following

https://www.digi.com/resources/documentation/digidocs/embedded/dey/2.6/cc8x/yocto-trustfence_t_secur...

"For the command field (CMD), the expected value at this step is 0x87 (ID for AHAB_AUTH_CONTAINER_REQ). The indicator field (IND) shows the code AHAB_BAD_KEY_HASH_IND (0xFA) because the key hash verification does not match the current OTPs. Once the OTP SRK hash fuses are programmed on the target OTPs, the AHAB events will no longer have errors.

See the NXP secure boot application notes for more information on event decoding."

 

 Please use section 4.3 (Verifying/Decoding SECO events) of AN12312 (Secure Boot
on i.MX 8 and i.MX 8X Families using AHAB).

https://www.nxp.com/webapp/Download?colCode=AN12312

 

Regards,
Yuri.

View solution in original post

3 Replies
1,966 Views
Yuri
NXP Employee
NXP Employee

@OlegHahm 
Hello,

  According to the following

https://www.digi.com/resources/documentation/digidocs/embedded/dey/2.6/cc8x/yocto-trustfence_t_secur...

"For the command field (CMD), the expected value at this step is 0x87 (ID for AHAB_AUTH_CONTAINER_REQ). The indicator field (IND) shows the code AHAB_BAD_KEY_HASH_IND (0xFA) because the key hash verification does not match the current OTPs. Once the OTP SRK hash fuses are programmed on the target OTPs, the AHAB events will no longer have errors.

See the NXP secure boot application notes for more information on event decoding."

 

 Please use section 4.3 (Verifying/Decoding SECO events) of AN12312 (Secure Boot
on i.MX 8 and i.MX 8X Families using AHAB).

https://www.nxp.com/webapp/Download?colCode=AN12312

 

Regards,
Yuri.

1,958 Views
OlegHahm
Contributor I

Thanks for the pointer, this is helpful indeed. However, I'm still wondering if there is a way to retrieve the AHAB status information from within Linux (not U-Boot). Do you have any idea?

0 Kudos
Reply
1,956 Views
Yuri
NXP Employee
NXP Employee

@OlegHahm 
Hello,

  we do not have such utility for Linux user space

Regards,
Yuri.