帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Is CONFIG_IMX_HAB option in U-Boot unbootable from NAND without burning fuses in i.MX6?

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决
跳至解决方案

Is CONFIG_IMX_HAB option in U-Boot unbootable from NAND without burning fuses in i.MX6?

跳至解决方案
‎04-30-2021 08:17 AM
4,733 次查看
JohnKlug
Senior Contributor I

We are trying to go as far as we can with HAB without burning fuses, as we have very few boards working so far in our project.

If I add CONFIG_IMX_HAB to U-Boot without blowing fuses, U-Boot boots from USB, but not from NAND flash (no console messages).  If I burn without CONFIG_IMX_HAB, with the same uuu.auto, everything works great.

Are there fuse requirements to boot CONFIG_IMX_HAB enabled U-Boot?

I am using identical uuu.auto files except for the U-Boot image in both the working and non-working cases.  Something must have been written to flash, because when I boot, the Freescale USB device does not show up on my PC.

I used the U-Boot menuconfig program to add HAB to U-Boot.  The following lines were added to U-Boot (not shown in context):

CONFIG_IMX_HAB=y
# CONFIG_FSL_MFGPROT is not set
CONFIG_SYS_FSL_HAS_SEC=y
CONFIG_SYS_FSL_SEC_COMPAT=4

 

0 项奖励
回复
1 解答

跳至解决方案
‎06-02-2021 10:40 AM
4,644 次查看
JohnKlug
Senior Contributor I

Here is the solution to the problem I was having.  Word 0x24 of the U-Boot image gives the length of the U-Boot image after signing:

$ od -j 0x24 -N4 -An -X u-boot.imx
 000a4060
objcopy -I binary -O binary --pad-to 0xa4060 --gap-fill=0xff u-boot-nand-signed.imx  u-boot-nand-signed-pad.imx

Without the padding, the boot fails.

在原帖中查看解决方案

回复
7 回复数

跳至解决方案
‎06-02-2021 10:40 AM
4,645 次查看
JohnKlug
Senior Contributor I

Here is the solution to the problem I was having.  Word 0x24 of the U-Boot image gives the length of the U-Boot image after signing:

$ od -j 0x24 -N4 -An -X u-boot.imx
 000a4060
objcopy -I binary -O binary --pad-to 0xa4060 --gap-fill=0xff u-boot-nand-signed.imx  u-boot-nand-signed-pad.imx

Without the padding, the boot fails.

回复

跳至解决方案
‎09-25-2021 07:54 PM
4,526 次查看
BenSu
Contributor III

That's great, JohnKlug.

I pad the image and it boots up.

Why NXP does not list the option out?

Thanks

BR

Ben

0 项奖励
回复

跳至解决方案
‎04-30-2021 08:33 AM
4,728 次查看
JohnKlug
Senior Contributor I

Related to how to test things without burning fuses, I see the following in U-Boot help:

hab_failsafe- run BootROM failsafe routine

 

So is it possible to set the fuse shadow registers, execute the hab_failsafe command, and get a secure boot to be simulated without burning fuses?  Is this documented anywhere?

0 项奖励
回复

跳至解决方案
‎05-07-2021 02:45 AM
4,711 次查看
joanxie
NXP TechSupport
NXP TechSupport

refer to the uboot source code, you can set sec_boot=y in the uboot via define the CONFIG_AHAB_BOOT to enable AHAB

#ifdef CONFIG_AHAB_BOOT

#define AHAB_ENV "sec_boot=yes\0"

#else

#define AHAB_ENV "sec_boot=no\0"

#endif

 

"https://source.codeaurora.org/external/imx/uboot-imx/tree/include/configs/imx8qxp_mek.h?h=imx_v2020...."

 

0 项奖励
回复

跳至解决方案
‎05-11-2021 03:38 PM
4,702 次查看
JohnKlug
Senior Contributor I

CONFIG_AHAB_BOOT is an i.MX8 AHAB feature according to U-Boot.  i.MX6 is not mentioned.

It would be nice if there was an up to date document on how to build U-Boot and sign it for the i.MX6ULL processor.

0 项奖励
回复

跳至解决方案
‎05-12-2021 09:16 PM
4,693 次查看
joanxie
NXP TechSupport
NXP TechSupport

for imx6, one can use CONFIG_SECURE_BOOT in the board.h file to enable the security boot in uboot

0 项奖励
回复

跳至解决方案
‎09-25-2021 07:58 PM
4,525 次查看
BenSu
Contributor III

"Steps must be taken to remove support in customer application software if the end product is not using HAB API at all.
For instance, U-Boot users must ensure CONFIG_SECURE_BOOT is not being selected in their build environment."

That's in point 3 in section 5 Security considerations in AN12263.pdf.

Can we enable CONFIG_SECURE_BOOT?

BR

Ben

0 项奖励
回复