I have a weird issue that I don't understand. I could successfully sign my images and activate HAB authentication last year. I signed the bootloader and additional images.
Recently, I have updated uboot-imx to the latest version and since then I am getting a HAB event. There are a few differences. The old bootloader was built with the Android toolchain and the new one with the Yocto toolchain. There are also differences in the defconfigs, but CONFIG_SECURE_BOOT=y is enabled in both, so it should be fine.
I just manually verified this behavior with the hab_auth_img command. There is also a HAB event when authenticating the bootloader, but the system still boots. Seems like this is a faulty HAB event that doesn't have any consequences. Since I am checking the additional images in my bootscripts, I can now no longer process the hab_auth_img return value.
Old version: 2018.03
New version: 2021.04
HAB event from additional image
HAB Configuration: 0xcc, HAB State: 0x99

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x24 0x43 0x33 0x30 0xee 0x1d
        0x00 0x08 0x00 0x02 0x00 0x00 0x00 0x00
        0x55 0x55 0x00 0x02 0x00 0x00 0x00 0x00
        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
        0x00 0x00 0x02 0x06

STS = HAB_FAILURE (0x33)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_EXIT (0xEE)
ENG = HAB_ENG_CAAM (0x1D)
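An added example, not part of the original thread and not U-Boot or NXP code: a small Python decoder for the 8-byte header of the event record quoted above, useful for checking a pasted console log before comparing events between bootloader builds. The function name `parse_events` is hypothetical, the name tables hold only values shown in the post plus the standard HAB status codes, and reading the fourth byte as the HAB version (0x43 as 4.3) is an assumption about the record layout.

```python
import re

# Names below are the ones printed in the post; any other value is shown as hex.
STATUS = {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {0x30: "HAB_ENG_FAIL"}
CONTEXT = {0xEE: "HAB_CTX_EXIT"}
ENGINE = {0x1D: "HAB_ENG_CAAM"}
HAB_TAG_EVT = 0xDB  # first byte of an event record

# Event bytes copied from the post; the line layout is constructed.
SAMPLE = """
--------- HAB Event 1 -----------------
event data:
    0xdb 0x00 0x24 0x43 0x33 0x30 0xee 0x1d
    0x00 0x08 0x00 0x02 0x00 0x00 0x00 0x00
    0x55 0x55 0x00 0x02 0x00 0x00 0x00 0x00
    0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x00 0x00 0x02 0x06
STS = HAB_FAILURE (0x33)
"""

def name(table, value):
    """Symbolic name if known, otherwise the raw byte as hex."""
    return table.get(value, f"0x{value:02X}")

def parse_events(text):
    """Return one dict per 'HAB Event N' block found in console output."""
    events = []
    for chunk in re.split(r"-+ HAB Event \d+ -+", text)[1:]:
        # Only bytes between 'event data:' and the decoded STS line count,
        # so the '(0x33)' in the summary lines is not mistaken for data.
        body = re.search(r"event data:(.*?)(?:STS\s*=|\Z)", chunk, re.S)
        hexes = re.findall(r"0x([0-9a-fA-F]{2})\b", body.group(1) if body else "")
        raw = bytes(int(h, 16) for h in hexes)
        if len(raw) < 8 or raw[0] != HAB_TAG_EVT:
            events.append({"valid": False, "raw": raw})
            continue
        declared = int.from_bytes(raw[1:3], "big")  # big-endian length field
        events.append({
            "valid": declared == len(raw),  # False if the paste lost bytes
            "declared_len": declared,
            "hab_version": f"{raw[3] >> 4}.{raw[3] & 0xF}",  # assumed layout
            "status": name(STATUS, raw[4]),
            "reason": name(REASON, raw[5]),
            "context": name(CONTEXT, raw[6]),
            "engine": name(ENGINE, raw[7]),
            "payload": raw[8:],  # engine-specific data, left undecoded
        })
    return events
```
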
Firstly, I recommend hanging in U-Boot's start.s and then using a debugger to read HAB memory. It might need to be analyzed in stages to find where the issue is triggered.
Yes, CONFIG_IMX_HAB=y is used for the new bootloader. My initial post was incorrect. The HAB event occurs nonetheless.
To enable secure boot support in U-Boot with the HAB feature in the new version (2021.04), the configuration in the defconfig is CONFIG_IMX_HAB=y instead of CONFIG_SECURE_BOOT=y.