We are trying to go as far as we can with HAB without burning fuses, as we have very few boards working so far in our project.
If I add CONFIG_IMX_HAB to U-Boot without blowing fuses, U-Boot boots from USB, but not from NAND flash (no console messages). If I burn without CONFIG_IMX_HAB, with the same uuu.auto, everything works great.
Are there fuse requirements to boot CONFIG_IMX_HAB enabled U-Boot?
I am using identical uuu.auto files except for the U-Boot image in both the working and non-working cases. Something must have been written to flash, because when I boot, the Freescale USB device does not show up on my PC.
I used the U-Boot menuconfig program to add HAB to U-Boot. The following lines were added to U-Boot (not shown in context):
CONFIG_IMX_HAB=y
# CONFIG_FSL_MFGPROT is not set
CONFIG_SYS_FSL_HAS_SEC=y
CONFIG_SYS_FSL_SEC_COMPAT=4
Here is the solution to the problem I was having. Word 0x24 of the U-Boot image gives the length of the U-Boot image after signing:
$ od -j 0x24 -N4 -An -X u-boot.imx
000a4060
objcopy -I binary -O binary --pad-to 0xa4060 --gap-fill=0xff u-boot-nand-signed.imx u-boot-nand-signed-pad.imx
Without the padding, the boot fails.
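The padding step from the solution above, written as a script that reads the length word itself and refuses to pad an image that is already longer than the declared length. This is an added example, not part of the original post or of NXP's tooling. The function names and the sample image are constructed for illustration, and it assumes the word at 0x24 is stored little-endian.

```shell
#!/bin/sh
# Added example. Pads a signed image with 0xff up to the length stored in the
# 32-bit word at offset 0x24 (assumed little-endian), like the od/objcopy steps.

# Print word 0x24 of image $1 as a decimal byte count. Bytes are assembled
# explicitly, so the result does not depend on the build host's byte order.
imx_declared_length() {
    img=$1
    set -- $(od -An -v -tu1 -j 36 -N 4 "$img" 2>/dev/null)
    if [ "$#" -ne 4 ]; then
        echo "error: $img has no 32-bit word at offset 0x24" >&2
        return 1
    fi
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# imx_pad_signed REFERENCE SIGNED OUT (hypothetical helper name):
# copy SIGNED to OUT and append 0xff until OUT has the length REFERENCE declares.
imx_pad_signed() {
    want=$(imx_declared_length "$1") || return 1
    have=$(wc -c < "$2") || return 1
    have=$((have))   # normalise wc output that carries leading spaces
    if [ "$have" -gt "$want" ]; then
        echo "error: $2 is $have bytes, longer than declared $want" >&2
        return 1
    fi
    cp "$2" "$3" || return 1
    if [ "$want" -gt "$have" ]; then
        head -c "$((want - have))" /dev/zero | LC_ALL=C tr '\000' '\377' >> "$3"
    fi
    echo "$3: $have -> $want bytes"
}

# Constructed sample, not a real U-Boot image: 36 filler bytes, then the
# length word 0x00000100 (256) in little-endian order, then 8 payload bytes.
make_sample_image() {
    {
        head -c 36 /dev/zero
        printf '\000\001\000\000'
        printf 'PAYLOAD!'
    } > "$1"
}

# Command-line use: sh pad.sh u-boot.imx u-boot-nand-signed.imx u-boot-nand-signed-pad.imx
if [ "$#" -eq 3 ]; then
    imx_pad_signed "$1" "$2" "$3"
fi
```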
That's great, JohnKlug.
I pad the image and it boots up.
Why does NXP not list the option out?
Thanks
BR
Ben
Related to how to test things without burning fuses, I see the following in U-Boot help:
hab_failsafe- run BootROM failsafe routine
So is it possible to set the fuse shadow registers, execute the hab_failsafe command, and get a secure boot to be simulated without burning fuses? Is this documented anywhere?
Refer to the U-Boot source code: you can set sec_boot=y in U-Boot by defining CONFIG_AHAB_BOOT to enable AHAB.
#ifdef CONFIG_AHAB_BOOT
#define AHAB_ENV "sec_boot=yes\0"
#else
#define AHAB_ENV "sec_boot=no\0"
#endif
CONFIG_AHAB_BOOT is an i.MX8 AHAB feature according to U-Boot. i.MX6 is not mentioned.
It would be nice if there was an up to date document on how to build U-Boot and sign it for the i.MX6ULL processor.
For i.MX6, one can use CONFIG_SECURE_BOOT in the board.h file to enable secure boot in U-Boot.
"Steps must be taken to remove support in customer application software if the end product is not using HAB API at all.
For instance, U-Boot users must ensure CONFIG_SECURE_BOOT is not being selected in their build environment."
That's in point 3 in section 5 Security considerations in AN12263.pdf.
Can we enable CONFIG_SECURE_BOOT?
BR
Ben