Hello everyone,
I am trying to achieve secure boot, booting from a NAND memory. I have been able to do it from an SD, so the usual steps, such as signing and creating the PKI and CSF files, are well formed and familiar to me.
As far as I could see, there is a problem conforming the final binary with the addresses according to this thread:
https://lists.denx.de/pipermail/u-boot/2019-December/394629.html
The only existing solution to finally perform a secure boot from NAND is to disable CONFIG_IMX_HAB, and by doing so we lose the ability to check HAB events and the power of the HAB commands.
Is there any news on this topic? Any uboot patch that I have not been able to find?
Thanks in advance
Hi Alvaro
NAND secure boot is supported; there are no additional patches for that.
However, there is the below implication for the latest kernels:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b5094b7f135be
Best regards
igor
Okay, thank you Igor.
I have achieved NAND secure boot indeed, BUT without the uboot commands available to manage the HAB, that is, disabling CONFIG_IMX_HAB. Is there any path that lets me use the CONFIG_IMX_HAB define while implementing secure boot from a NAND?
Thanks in advance!
What uboot is used in this case? One can try the NXP one from the https://source.codeaurora.org/external/imx/uboot-imx repository:
https://source.codeaurora.org/external/imx/uboot-imx/tree/?h=lf_v2021.04
follow documentation :
Best regards
igor