HAB u-boot cannot boot


Contributor II

Hello, I am having trouble trying to boot with HAB (secure) nand u-boot.

I downloaded the u-boot git from official Toradex repo: git://git.toradex.com/u-boot-toradex.git (branch 2016.11-toradex)

After compiling u-boot-nand.imx successfully for imx6ullevk, I followed all the steps and my board cannot boot and no output appears at serial debug port, so I cannot even tell what's wrong.

How can I debug u-boot to at least see what's wrong?

Note: If I compile and install without HAB features, works ok.


Colibri iMX6ULL 512MB
Aster V1.1B


(Based on AN4581.pdf and other tutorials)

Download u-boot-toradex from git

    $ cd && git clone git://git.toradex.com/u-boot-toradex.git
    $ cd u-boot-toradex/
    $ git checkout 2016.11-toradex
    $ export ARCH=arm
    $ export CROSS_COMPILE=arm-linux-gnueabihf-
    $ make colibri-imx6ull_defconfig

Add security features to .config file



    $ make V=1

Take note of the output

    Image Type: Freescale IMX Boot Image
    Image Ver: 2 (i.MX53/6/7 compatible)
    Mode: DCD
    Data Size: 569344 Bytes = 556.00 kB = 0.54 MB
    Load Address: 877ff420
    Entry Point: 87800000
    HAB Blocks: 877ff400 00000000 00088c00

Check that hab_status command is present in the .imx file

    $ strings u-boot-nand.imx | grep hab

    hab exit function fail
    hab entry function fail
    hab fuse not enabled
    hab_auth_img
    hab_status

Copy the secure u-boot to cst environment

    $ cp u-boot-nand.imx ~/cst/release/linux64/bin/

Create CSF file (using HAB blocks info)

    $ cd ~/cst/release/linux64/bin/
    $ nano csf-uboot

    [Header]
    Version = 4.2
    Hash Algorithm = sha256
    Engine = SW
    Engine Configuration = 0
    Certificate Format = X509
    Signature Format = CMS

    [Install SRK]
    File = "../../crts/SRK_1_2_3_4_table.bin"
    # Index of the key location in the SRK table to be installed
    Source index = 0

    [Install CSFK]
    # Key used to authenticate the CSF data
    File = "../../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

    [Authenticate CSF]

    [Install Key]
    # Key slot index used to authenticate the key to be installed
    Verification index = 0
    # Target key slot in HAB key store where key will be installed
    Target Index = 2
    # Key to install
    File= "../../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

    [Authenticate Data]
    # Key slot index used to authenticate the image data
    Verification index = 2
    # Address Offset Length Data File Path
    Blocks = 0x877ff400 0x000 0x88c00 "u-boot-nand.imx"

  • I saw I had the IVT with an offset of 0x400, I changed that in the CSF file but it still didn't work

Generate the CSF binary signature

    $ ./cst --o csf-uboot.bin --i csf-uboot

Attach CSF signature to U-Boot image

The CSF binary data needs to be concatenated to the image.

  • Use the cat command to attach the CSF binary to the end of the image:

    $ cat u-boot-nand.imx csf-uboot-padded.bin > u-boot-nand-signed.imx

Note: u-boot-nand-signed.imx has to be a 4K multiple

Also, I did this: Pad u-boot-nand-signed.imx to a 4KB multiple (4096 bytes)

Thanks Gaston

1 Reply
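
The signing steps in the post above only hold together if the CSF `Blocks` line, the IVT inside the image, and the file offset where `cat` appends the CSF all agree. The following is an added example, not part of the original post and not NXP or Toradex tooling, that checks this on an unsigned image. The function names, the candidate IVT offsets (0x0 and 0x400) and the sample images are assumptions constructed from the values quoted in the post.

```python
import struct

IVT_NAMES = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")

def find_ivt(image, candidates=(0x0, 0x400)):
    """Return (file_offset, fields) for the first valid HAB4 IVT at a candidate offset."""
    for off in candidates:
        if len(image) < off + 32:
            continue
        tag, length, version = struct.unpack_from(">BHB", image, off)  # header is big-endian
        if tag == 0xD1 and length == 0x20 and version >> 4 == 0x4:
            # the seven pointers that follow the header are little-endian
            return off, dict(zip(IVT_NAMES, struct.unpack_from("<7I", image, off + 4)))
    raise ValueError("no IVT found at candidate offsets")

def check_blocks(image, blocks_line):
    """Compare one CSF 'Blocks =' line with the IVT of the unsigned image; return findings."""
    file_off, ivt = find_ivt(image)
    addr, off, length = (int(v, 16) for v in blocks_line.split("=", 1)[1].split()[:3])
    findings = []
    if addr - off != ivt["self"] - file_off:
        findings.append("address/offset pair disagrees with IVT self 0x%08x at file offset 0x%x"
                        % (ivt["self"], file_off))
    if addr > ivt["self"]:
        findings.append("block starts after the IVT, so the IVT is not authenticated")
    if ivt["csf"] == 0:
        findings.append("IVT csf pointer is 0: image was built without CSF space")
    else:
        if addr + length != ivt["csf"]:
            findings.append("block ends at 0x%08x, IVT csf pointer is 0x%08x"
                            % (addr + length, ivt["csf"]))
        expected = file_off + ivt["csf"] - ivt["self"]
        if len(image) != expected:  # cat places the CSF at file offset len(image)
            findings.append("appended CSF would start at file offset 0x%x, IVT expects 0x%x"
                            % (len(image), expected))
    return findings

def make_image(ivt_off, size):
    """Constructed sample: zero-filled image holding only an IVT built from the post's values."""
    img = bytearray(size)
    struct.pack_into(">BHB", img, ivt_off, 0xD1, 0x20, 0x40)
    struct.pack_into("<7I", img, ivt_off + 4, 0x87800000, 0, 0x877FF42C,  # dcd value is constructed
                     0x877FF420, 0x877FF400, 0x87888000, 0)
    return bytes(img)

PAGE_BLOCKS = 'Blocks = 0x877ff400 0x000 0x88c00 "u-boot-nand.imx"'  # line from the post

if __name__ == "__main__":
    for ivt_off in (0x0, 0x400):
        print(hex(ivt_off), check_blocks(make_image(ivt_off, ivt_off + 0x88C00), PAGE_BLOCKS))
```

To run it against a real build, read the unsigned image with `open("u-boot-nand.imx", "rb").read()` and pass the `Blocks` line from the CSF file.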

NXP TechSupport

Hi Gaston

Seems you are already working on that issue with Toradex support:

HAB u-boot cannot boot - Toradex Community 

As additional help one can look on

imx6ULL HAB events 


Best regards
Note: If this post answers your question, please click the Correct Answer button. Thank you!
