ahab_status error from imx93 secure boot

436 Views
Jacky-Cheng
Contributor II

Hi, professionals!

I'm doing the secure boot on imx93. I use Yocto with meta-nxp-security-reference-design/meta-secure-boot meta layer, which supports i.MX boot image signing automation to compile the signed uboot and kernel container.

The first time, I referred to the ahab document, generated the ecc sha384 keys, and got the signed uboot and kernel container. I flashed it to the first board and ran ahab_status, and it succeeded.

The second time, I generated the rsa-2048 sha256 keys, and every other step was the same as the first time. I flashed the signed uboot and kernel to the second board and ran ahab_status, and it failed, showing:

0x0287f7d6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_BAD_CONTAINER_FAILURE_IND (0xF7)
STA = ELE_SUCCESS_IND (0xD6)

I'm really confused about why it can't work with the rsa keys, and what does the failure indication mean? I think the imx93 and ahab support both ECC and RSA, and I really followed the same steps; just the key types are different.

I am very eager to get your support and help! Thanks in advance!

 

 

0 Kudos
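The field layout implied by the ahab_status output in the post above, as an added example (not code from the thread, from U-Boot or from NXP): the 32-bit event word splits into four bytes, IPC, CMD, IND and STA from most to least significant. The name tables hold only the values quoted in the post; the function names and the sample console text are constructed for illustration.

```python
import re
from typing import NamedTuple

# Names are limited to the values quoted in the post; any other code is
# reported as "unknown" rather than guessed.
FIELD_NAMES = {
    "IPC": {0x02: "MU APD"},
    "CMD": {0x87: "ELE_OEM_CNTN_AUTH_REQ"},
    "IND": {0xF7: "ELE_BAD_CONTAINER_FAILURE_IND"},
    "STA": {0xD6: "ELE_SUCCESS_IND"},
}
# A line holding only a 32-bit hex word, as printed above the decoded fields.
EVENT_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{8})\s*$")

# Constructed sample: the console lines from the post, as plain text.
SAMPLE_CONSOLE = """\
0x0287f7d6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_BAD_CONTAINER_FAILURE_IND (0xF7)
STA = ELE_SUCCESS_IND (0xD6)
"""

class EleEvent(NamedTuple):
    raw: int
    ipc: int
    cmd: int
    ind: int
    sta: int

    def describe(self) -> str:
        parts = []
        for label, value in zip(FIELD_NAMES, self[1:]):
            name = FIELD_NAMES[label].get(value, "unknown")
            parts.append(f"{label} = {name} (0x{value:02X})")
        return f"0x{self.raw:08x}: " + ", ".join(parts)

def decode_event(word: int) -> EleEvent:
    """Split an event word into its four one-byte fields."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("event word must fit in 32 bits")
    ipc, cmd, ind, sta = word.to_bytes(4, "big")
    return EleEvent(word, ipc, cmd, ind, sta)

def events_from_console(text: str) -> list:
    """Decode every raw event word found in captured console text."""
    matches = (EVENT_LINE.match(line) for line in text.splitlines())
    return [decode_event(int(m.group(1), 16)) for m in matches if m]

def bad_container_events(events: list) -> list:
    """Keep OEM container authentication events flagged as bad container."""
    return [e for e in events if e.cmd == 0x87 and e.ind == 0xF7]
```
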
1 Solution
308 Views
Jacky-Cheng
Contributor II

This issue has been resolved. As the IMX93 Reference Manual says, it supports rsa-pss and ecc keys, but not rsa keys, so it is clear that imx93 doesn't support rsa type keys.

281 Views
Harvey021
NXP TechSupport

That is correct, no RSA with ele device.

 

 

0 Kudos
405 Views
Harvey021
NXP TechSupport

Hi,

Probably the cause is something like "By default, the NXP CST Signer Tool uses standard keys of type ECC P256-SHA256 for i.MX 8/8x/8ULP/9 Family", as stated in "10.9.2 Prerequisites for preparing a signed image".

Regards

Harvey

0 Kudos
395 Views
Jacky-Cheng
Contributor II
Hi Harvey, thanks for your reply first! But it just said "by default"; it did not explicitly state that other key types can't be used. So I wonder, can the RSA key type work? And if not, what's the reason? Thanks again!
0 Kudos
380 Views
Harvey021
NXP TechSupport

Hi

AHAB should support RSA keys. After checking the whole statement in the section "10.9.2 Prerequisites for preparing a signed image", my understanding is that the Signer Tool, by default, will use ECC type keys for the i.MX93 device for signing. Sorry, I am not able to run a test for now.

Can you run a test on your side using RSA keys? As stated here: “Note: (Optional) Create and populate csf_hab4.cfg and/or csf_ahab.cfg with the preferred key type at the CST location to use your preferred PKI tree. The default configuration files are located at the CST Signer work directory in Yocto build.”

Regards

Harvey

0 Kudos