Hello NXP Experts,
I have followed this guide uboot-imx/doc/imx/ahab/guides/mx8ulp_9x_secure_boot.txt at lf_v2023.04 · nxp-imx/uboot-imx in order to generate a PKI Tree and SRK_Table compatible with my target: IMX9332.
I have also followed the "i.MX Linux User's Guide", chapter "10.9.1 Automated image signing for secure boot", in order to generate a signed image with Yocto.
Looking at the generated binaries, I have found the SRK_Table generated, so I'm confident that bitbake works correctly.
I have also flashed my EVK with UUU.
In U-Boot, I ran ahab_status and below is the result:
Looking at other tickets in this wonderful community, it seems that the problem is that I have not flashed the eFuse (and I did not).
What can I do if I want to test the signature on the software against the public keys in the flashed SRK Table? In other words, can I flash an OS without a signature and get a signature error during boot?
Please help me!
Regards,
Alessandro.
The way with SRK Hash fusing is our recommended and verified procedure.
You may try a tool such as OpenSSL to help with image verification. However, we don't provide support for that.
Regards
Harvey
Hello @il_ciancio
For official verification and container integrity checks, using ahab_status is recommended.
Signed images will trigger events if there is any error, on both open and closed devices,
and images that are not signed or are signed incorrectly won't boot on a closed device.
Regards
Harvey
Hello @Harvey021 ,
thanks for your reply.
I have put the ahab_status from my board and, looking at the error (see the table below),
it seems that the only problem is that I have not flashed the e-fuse.
What do you think?
Yes, an SRK Hash that is not fused will raise the issue of the key hash not matching.
Regards
Harvey
The SRK Hash serves to establish the root of trust, as stated in the guide introduction_ahab.txt:
"On the target device during the authentication process the AHAB code verify the
SRK Table against the SoC SRK_HASH fuses, in case the verification is successful
the root of trust is established and the AHAB code can progress with the image
authentication."
Regards
Harvey
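As an added example (not from the thread, the guide or NXP tooling): a host-side check that compares the SRK table's hash with fuse words read back from a board and tells an unfused device apart from a wrong key set. It assumes the fuse value is SHA-256 of the whole SRK table file stored as eight little-endian 32-bit words; the function names and the sample table are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import struct

FUSE_WORDS = 8  # assumption: 256-bit SRK hash held in eight 32-bit fuse words


def srk_hash_words(srk_table: bytes) -> list[int]:
    """SHA-256 of the SRK table, split into little-endian 32-bit words (assumed layout)."""
    return list(struct.unpack("<8I", hashlib.sha256(srk_table).digest()))


def check_srk_fuses(srk_table: bytes, fuse_words: list[int]) -> tuple[str, list[int]]:
    """Compare fuse words read from the device with the table's hash.

    Returns (status, indices of differing words), where status is:
      "match"    - fuses hold this table's hash, root of trust can be established
      "unfused"  - all fuse words are zero, so any table fails the hash comparison
      "mismatch" - fuses are programmed, but for a different SRK table
    """
    if len(fuse_words) != FUSE_WORDS:
        raise ValueError(f"expected {FUSE_WORDS} fuse words, got {len(fuse_words)}")
    expected = srk_hash_words(srk_table)
    differing = [i for i, (e, f) in enumerate(zip(expected, fuse_words)) if e != f]
    if not differing:
        return "match", differing
    if not any(fuse_words):
        return "unfused", differing
    return "mismatch", differing


# Constructed stand-in for an SRK table file; not a real SRK table.
SAMPLE_TABLE = bytes(range(256)) * 4

if __name__ == "__main__":
    blank = [0] * FUSE_WORDS  # what an unprogrammed device would read back
    print(check_srk_fuses(SAMPLE_TABLE, blank)[0])
    print(check_srk_fuses(SAMPLE_TABLE, srk_hash_words(SAMPLE_TABLE))[0])
    print(" ".join(f"0x{w:08x}" for w in srk_hash_words(SAMPLE_TABLE)))
```

Because fuses are one-time programmable, running such a comparison against the values about to be burned catches a table/fuse mix-up while it can still be corrected.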