How to activate HAB on imx8dxl ?

pigbrian · ‎09-14-2025

Dear Guys,

I already enabled HAB in imx8mp, but imx8dxl doesn't have enough information about HAB.

1. imx-mkimage doesn't support the print_fit_hab option for imx8dxl.

2. I can't find a way to fuse the register map for imx8dxl online.

Could you please explain how to activate HAB?

Thank you.

Harvey021 · ‎09-14-2025

Hi @pigbrian

The i.MX8DXL is with AHAB-enabled devices, and the boot images consist of containers.

That is different from i.MX8MP. The mx8_mx8x_secure_boot.txt and AN12312 can help for you.

About fuse and fusemap, the SRM can be found from https://www.nxp.com/products/iMX8XLite

Send you guide how to apply for that.

Regards

Harvey

元の投稿で解決策を見る

pigbrian · ‎09-15-2025

Hi, Harvey

I was found a option as below.
setenv force_prog_ecc y

When I search websites, IMX8MP using HAB4.

Can IMX8MP use AHAB ?

Harvey021 · ‎09-16-2025

Hi @pigbrian

The AHAB not applied to i.MX8MP so can't use AHAB.

The AHAB events (IND = AHAB_BAD_SIGNATURE_IND (0xF0)) means that bad signature during the signature generation.

You can use the "FB: ucmd fuse prog -y 0 730 0x311D12F2" in your uuu script.

Regards

Harvey

pigbrian · ‎09-16-2025

Dear Harvey,
you are right.
The AHAB events (IND = AHAB_BAD_SIGNATURE_IND (0xF0)) means that bad signature during the signature generation.

I wrote some incorrect keys.

Can I fix a fused key?

pigbrian · ‎09-16-2025

Dear Harvey,

When I compared keys "od -t x4 ettifos_cits_fuse.bin" with "fuse read 0 730 16", all of keys are same.
Why happened "IND = AHAB_BAD_SIGNATURE_IND (0xF0)" ?

Harvey021 · ‎09-16-2025

Hi

The IND = AHAB_BAD_SIGNATURE_IND (0xF0) tells Bad signature not the key hash error.

The AN12312 provides help.

Please check again the signature procedure.

Regards

Harvey

pigbrian · ‎09-16-2025

Dear harvey,

Now, I trying kernel signing.

According to sign_os_cntr.txt,

Note: OS image can also be authenticated by running a U-Boot command:

=> auth_cntr <Container address>

How to check <Container address> ?

I made a singed.Image with guide document and copy to {board}/boot/Image.

but, I met a problem as follow.

Bad Linux ARM64 Image magic!
=> ahab_status
Lifecycle: 0x0080, OEM closed

sc_seco_get_event: idx: 0, res:3
No SECO Events Found!

What should I check?

BR,

pigbrian · ‎09-16-2025

Dear Harvey.

Now, I trying kernel signing.

1. auth_cntr <Container address>
solved.

=> ext2load mmc 0:2 0x98000000 /boot/Image_signed
28539904 bytes read in 149 ms (182.7 MiB/s)

=> auth_cntr 0x98000000
Authenticate OS container at 0x98000000

=> ext2load mmc 0:2 0x80700000 /boot/imx8dxl-v2x.dtb
54417 bytes read in 5 ms (10.4 MiB/s)

created some env parameters

fdtcontroladdr=87a540d0
fileaddr=80280000
filesize=1b28200

=> booti 0x80280000 - 0x80700000
Bad Linux ARM64 Image magic!

What should I check?

BR,

Harvey021 · ‎09-18-2025

Hi,

Please check again the relevant envi configuration in uboot.

and have you loaded them?

pri bsp_bootcmd
bsp_bootcmd=echo Running BSP bootcmd ...; mmc dev ${mmcdev}; if mmc rescan; then if run loadbootscript; then run bootscript; else if test ${sec_boot} = yes; then if run loadcntr; then run mmcboot; else run netboot; fi; else if run loadimage; then run mmcboot; else run netboot; fi; fi; fi; fi;

Regards

Harvey

pigbrian · ‎09-18-2025

Dear Harvey,

I completed secure boot of IMX8DXL and IMX8MP.

Thank you for your help.

pigbrian · ‎09-15-2025

Dear Harvey,

This is my step.

ahab_status
Lifecycle: 0x0020, NXP closed

SECO Event[0] = 0x0087F000
CMD = AHAB_AUTH_CONTAINER_REQ (0x87)
IND = AHAB_BAD_SIGNATURE_IND (0xF0)

sc_seco_get_event: idx: 1, res:3

The fuse command need to "y" prompt as follow.

=> fuse prog 0 730 0x311d12f2
Programming bank 0 word 0x000002da to 0x311d12f2...
Warning: Programming fuses is an irreversible operation!
This may brick your system.
Use this command only if you are sure of what you are doing!

Really perform this fuse programming? <y/N>
y
Warning: Words in this index range have ECC protection
and can only be programmed once per word. Individual bit
operations will be rejected after the first one.

Really program this word? <y/N>

And I used "-y" option. but it's need one "y" prompt

=> fuse prog -y 0 731 0x7c530a0d
Programming bank 0 word 0x000002db to 0x7c530a0d...
Warning: Words in this index range have ECC protection
and can only be programmed once per word. Individual bit
operations will be rejected after the first one.

Really program this word? <y/N>

I made a uuu script as below.

FB: ucmd fuse prog -y 0 730 0x311D12F2

It's failed.

1:242 1/17 [Bulk(R):LIBUSB_ERROR_TIMEOUT ] FB: ucmd fuse prog -y 0 730 0x311D12F2

What method should we use when we mass produce?

BR,

pigbrian · ‎09-15-2025

Dear Harvey,

Now, I was modified CSF offset and Signature Block offset on csf_ahab.txt

It was successfully.

cst-3.1.0/release/linux64/bin$ ./cst -o boot_ahab.bin -i cits_ahab.txt
CSF Processed successfully and signed image available in boot_ahab.bin

If I meet a problem, I write a reply.

Thank you.

Harvey021 · ‎09-15-2025

Hi @pigbrian

Please let me know if further support needed.

Regards

Harvey

pigbrian · ‎09-14-2025

Hi, Harvey

Thank you for your reply.

I tried with your comment.

$ cd <work>/imx-mkimage
$ make SOC=iMX8DXL REV=A0 flash

mkimage_imx8 -soc DXL -rev A0 -append mx8dxlb0-ahab-container.img -c -scfw scfw_tcm.bin -ap u-boot-atf.bin a35 0x80000000 -dummy 0x87fc0000 -out flash.bin
~~~
cst-3.1.0/release/linux64/bin$ ./cst -o boot_ahab.bin -i cits_ahab.txt

[ERROR] CST: Offsets are not consistent with the input binary to be signed
__________

$ make SOC=iMX8DXL REV=B0 flash_spl
SPL_CMD="-ap u-boot-spl.bin_split_a a35 0x00100000 -data u-boot-spl.bin_split_b a35 0x110000"; \
./../mkimage_imx8 -soc DXL -rev A0 -dcd skip -append mx8dxlb0-ahab-container.img -c -scfw scfw_tcm.bin $SPL_CMD -dummy 0x110000 -out flash.bin
~~~
cst-3.1.0/release/linux64/bin$ ./cst -o boot_ahab.bin -i cits_ahab.txt
[ERROR] CST: Offsets are not consistent with the input binary to be signed

How do I create a signed image with mkimage?

BR,

pigbrian

pigbrian · ‎09-14-2025

Hi, Harvey

Thank you for your reply.

I tried with your comment.

$ cd <work>/imx-mkimage
$ make SOC=iMX8DXL REV=A0 flash

mkimage_imx8 -soc DXL -rev A0 -append mx8dxlb0-ahab-container.img -c -scfw scfw_tcm.bin -ap u-boot-atf.bin a35 0x80000000 -dummy 0x87fc0000 -out flash.bin

~~~

cst-3.1.0/release/linux64/bin$ ./cst -o boot_ahab.bin -i cits_ahab.txt

[ERROR] CST: Offsets are not consistent with the input binary to be signed

How do I create a signed image with mkimage?

BR,

pigbrian

Harvey021 · ‎09-14-2025

Hi @pigbrian

The i.MX8DXL is with AHAB-enabled devices, and the boot images consist of containers.

That is different from i.MX8MP. The mx8_mx8x_secure_boot.txt and AN12312 can help for you.

About fuse and fusemap, the SRM can be found from https://www.nxp.com/products/iMX8XLite

Send you guide how to apply for that.

Regards

Harvey