How can I boot the Linux kernel with U-Boot when HAB is enabled?

spthx
Contributor II

I am using the i.MX8M Nano.
I have read the uboot-imx documentation and other related materials, and I am now able to boot U-Boot with secure boot and encrypted boot enabled.

Now, I am trying to manually load a pre-built kernel and DTB and boot using the booti command. However, I encountered the following error:

I suspect that the error is due to the kernel image not being signed.

u-boot=> fatload mmc 2:1 ${loadaddr} Image
28013056 bytes read in 144 ms (185.5 MiB/s)
u-boot=> fatload mmc 2:1 ${fdt_addr} imx8mn-ddr3l-evk.dtb
40155 bytes read in 9 ms (4.3 MiB/s)
u-boot=> booti ${loadaddr} - ${fdt_addr}

Authenticate image from DDR location 0x40400000...
bad magic magic=0xff length=0xffff version=0xff
bad length magic=0xff length=0xffff version=0xff
Bad version magic=0xff length=0xffff version=0xff
Error: Invalid IVT structure
Authenticate Image Fail, Please check


How can I boot the Linux kernel with U-Boot when HAB is enabled?
If signing is required, how should I sign the kernel?

Additionally, the method described in the earlier guide seems to assume a standalone environment.
How can I generate an HAB-compatible image within Yocto?

Best regards.
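
Added example (not part of the original post, and not NXP or U-Boot code): a host-side check that applies the same three IVT header tests named in the log above (magic, length, version) to an image file before it is copied to the boot medium. It assumes the IVT sits at the arm64 header's image_size rounded up to 4 KiB; the function names and sample images are constructed for illustration, and the check covers layout only, not the signature.

```python
import struct

ARM64_MAGIC = b"ARM\x64"                        # arm64 Image header magic, offset 56
IVT_TAG, IVT_LEN, HAB_MAJOR = 0xD1, 0x20, 0x40  # HABv4 IVT header values


def ivt_offset(image: bytes) -> int:
    """Expected IVT offset: header image_size, 4 KiB aligned (assumption)."""
    if len(image) < 64 or image[56:60] != ARM64_MAGIC:
        raise ValueError("not an arm64 Image")
    (image_size,) = struct.unpack_from("<Q", image, 16)
    return (image_size + 0xFFF) & ~0xFFF


def check_ivt(image: bytes) -> list:
    """Return the problems found, worded like the checks in the U-Boot log."""
    off = ivt_offset(image)
    if len(image) < off + IVT_LEN:
        return [f"no IVT: file is {len(image):#x} bytes, IVT expected at {off:#x}"]
    # IVT header: 1-byte tag, 2-byte big-endian length, 1-byte version
    tag, length, version = struct.unpack_from(">BHB", image, off)
    problems = []
    if tag != IVT_TAG:
        problems.append(f"bad magic {tag:#x}")
    if length != IVT_LEN:
        problems.append(f"bad length {length:#x}")
    if version & 0xF0 != HAB_MAJOR:
        problems.append(f"bad version {version:#x}")
    return problems


def make_image(payload_len: int, image_size: int) -> bytes:
    """Constructed stand-in for a kernel Image: 64-byte header plus zero payload."""
    hdr = bytearray(64)
    struct.pack_into("<Q", hdr, 16, image_size)
    hdr[56:60] = ARM64_MAGIC
    return bytes(hdr) + bytes(payload_len)


# Constructed samples (not real kernel images)
unsigned = make_image(0x1200, 0x3000)          # file ends before image_size
padded = unsigned.ljust(0x3000, b"\x00")       # padded up to image_size
ivt = struct.pack(">BHB", IVT_TAG, IVT_LEN, 0x41) + bytes(28)
signed_layout = padded + ivt + bytes(0x100)    # IVT followed by a CSF placeholder
erased_tail = padded + b"\xff" * 0x40          # 0xff where the IVT should be

if __name__ == "__main__":
    for name, img in [("unsigned", unsigned), ("signed_layout", signed_layout),
                      ("erased_tail", erased_tail)]:
        print(name, check_ivt(img) or "IVT header OK")
```

The erased_tail sample reproduces the magic=0xff, length=0xffff, version=0xff pattern from the log: the bytes at the expected IVT position are not an IVT at all.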

1 Solution
Harvey021
NXP TechSupport

Please refer to <3. Authenticating additional boot images> of mx8m_secure_boot.txt (https://github.com/nxp-imx/uboot-imx/blob/lf_v2024.04/doc/imx/habv4/guides/mx8m_secure_boot.txt) for kernel signing.

Regarding "How can I generate an HAB-compatible image within Yocto?":

-> Please refer to <10.9 Security reference design> of IMX_LINUX_USERS_GUIDE.pdf (https://www.nxp.com/docs/en/user-guide/IMX_LINUX_USERS_GUIDE.pdf)

Regards

Harvey

spthx
Contributor II

Hi @Harvey021,

Thanks for your help.
HAB authentication passes now, but I get a kernel panic.
Do you know what might be causing this?

Best Regards,

spthx
Contributor II
Resolved.
The reason was that bootargs was not configured.