FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

AHAB: status information and user space tools

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

AHAB: status information and user space tools

Jump to solution
‎08-24-2021 10:32 AM
1,645 Views
OlegHahm
Contributor I

Hi!

I'm currently developing a secure boot solution for one of our customers. Following some tutorials (including the ones provided by U-Boot itself), I've managed to get a signed version of U-Boot to execute on my iMX.8 Quad Plus.

Since I haven't programmed the fuses yet, I get a message like

Lifecycle: 0x0020, NXP closed

SECO Event[0] = 0x0087FA00
        CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
        IND = AHAB_BAD_KEY_HASH_IND (0xFA)

SECO Event[1] = 0x0087FA00
        CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
        IND = AHAB_BAD_KEY_HASH_IND (0xFA)

sc_seco_get_event: idx: 2, res:3

when calling ahab_status from the U-Boot CLI.

Now I wonder if there's any documentation on this output and if there are any Linux user space tools to read the SECO information.

 

Tags (1)
0 Kudos
Reply
1 Solution

Jump to solution
‎08-29-2021 10:00 PM
1,631 Views
Yuri
NXP Employee
NXP Employee

@OlegHahm 
Hello,

  According to the following

https://www.digi.com/resources/documentation/digidocs/embedded/dey/2.6/cc8x/yocto-trustfence_t_secur...

"For the command field (CMD), the expected value at this step is 0x87 (ID for AHAB_AUTH_CONTAINER_REQ). The indicator field (IND) shows the code AHAB_BAD_KEY_HASH_IND (0xFA) because the key hash verification does not match the current OTPs. Once the OTP SRK hash fuses are programmed on the target OTPs, the AHAB events will no longer have errors.

See the NXP secure boot application notes for more information on event decoding."

 

 Please use section 4.3 (Verifying/Decoding SECO events) of AN12312 (Secure Boot
on i.MX 8 and i.MX 8X Families using AHAB).

https://www.nxp.com/webapp/Download?colCode=AN12312

 

Regards,
Yuri.

View solution in original post

Reply
3 Replies

Jump to solution
‎08-29-2021 10:00 PM
1,632 Views
Yuri
NXP Employee
NXP Employee

@OlegHahm 
Hello,

  According to the following

https://www.digi.com/resources/documentation/digidocs/embedded/dey/2.6/cc8x/yocto-trustfence_t_secur...

"For the command field (CMD), the expected value at this step is 0x87 (ID for AHAB_AUTH_CONTAINER_REQ). The indicator field (IND) shows the code AHAB_BAD_KEY_HASH_IND (0xFA) because the key hash verification does not match the current OTPs. Once the OTP SRK hash fuses are programmed on the target OTPs, the AHAB events will no longer have errors.

See the NXP secure boot application notes for more information on event decoding."

 

 Please use section 4.3 (Verifying/Decoding SECO events) of AN12312 (Secure Boot
on i.MX 8 and i.MX 8X Families using AHAB).

https://www.nxp.com/webapp/Download?colCode=AN12312

 

Regards,
Yuri.

Reply

Jump to solution
‎09-01-2021 04:00 AM
1,624 Views
OlegHahm
Contributor I

Thanks for the pointer, this is helpful indeed. However, I'm still wondering if there is a way to retrieve the AHAB status information from within Linux (not U-Boot). Do you have any idea?

0 Kudos
Reply

Jump to solution
‎09-01-2021 04:07 AM
1,622 Views
Yuri
NXP Employee
NXP Employee

@OlegHahm 
Hello,

  we do not have such utility for Linux user space

Regards,
Yuri.

Reply