- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: Is CONFIG_IMX_HAB option in U-Boot unbootable from NAND without burning fuses in i.MX6?
Is CONFIG_IMX_HAB option in U-Boot unbootable from NAND without burning fuses in i.MX6?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are trying to go as far as we can with HAB without burning fuses, as we have very few boards working so far in our project.
If I add CONFIG_IMX_HAB to U-Boot without blowing fuses, U-Boot boots from USB, but not from NAND flash (no console messages). If I burn without CONFIG_IMX_HAB, with the same uuu.auto, everything works great.
Are there fuse requirements to boot CONFIG_IMX_HAB enabled U-Boot?
I am using identical uuu.auto files except for the U-Boot image in both the working and non-working cases. Something must have been written to flash, because when I boot, the Freescale USB device does not show up on my PC.
I used the U-Boot menuconfig program to add HAB to U-Boot. The following lines were added to U-Boot (not shown in context):
CONFIG_IMX_HAB=y
# CONFIG_FSL_MFGPROT is not set
CONFIG_SYS_FSL_HAS_SEC=y
CONFIG_SYS_FSL_SEC_COMPAT=4
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the solution to the problem I was having. Word 0x24 of the U-Boot image gives the length of the U-Boot image after signing:
$ od -j 0x24 -N4 -An -X u-boot.imx
000a4060
objcopy -I binary -O binary --pad-to 0xa4060 --gap-fill=0xff u-boot-nand-signed.imx u-boot-nand-signed-pad.imxWithout the padding, the boot fails.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the solution to the problem I was having. Word 0x24 of the U-Boot image gives the length of the U-Boot image after signing:
$ od -j 0x24 -N4 -An -X u-boot.imx
000a4060
objcopy -I binary -O binary --pad-to 0xa4060 --gap-fill=0xff u-boot-nand-signed.imx u-boot-nand-signed-pad.imxWithout the padding, the boot fails.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's great, JohnKlug.
I pad the image and it boots up.
Why NXP does not list the option out?
Thanks
BR
Ben
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Related to how to test things without burning fuses, I see the following in U-Boot help:
hab_failsafe- run BootROM failsafe routine
So is it possible to set the fuse shadow registers, execute the hab_failsafe command, and get a secure boot to be simulated without burning fuses? Is this documented anywhere?
joanxie
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
refer to the uboot source code, you can set sec_boot=y in the uboot via define the CONFIG_AHAB_BOOT to enable AHAB
#ifdef CONFIG_AHAB_BOOT
#define AHAB_ENV "sec_boot=yes\0"
#else
#define AHAB_ENV "sec_boot=no\0"
#endif
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CONFIG_AHAB_BOOT is an i.MX8 AHAB feature according to U-Boot. i.MX6 is not mentioned.
It would be nice if there was an up to date document on how to build U-Boot and sign it for the i.MX6ULL processor.
joanxie
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for imx6, one can use CONFIG_SECURE_BOOT in the board.h file to enable the security boot in uboot
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"Steps must be taken to remove support in customer application software if the end product is not using HAB API at all.
For instance, U-Boot users must ensure CONFIG_SECURE_BOOT is not being selected in their build environment."
That's in point 3 in section 5 Security considerations in AN12263.pdf.
Can we enable CONFIG_SECURE_BOOT?
BR
Ben
