i.MX6UL NAND Secure Boot


TammyTsai
Contributor III

Hi everyone,

I was trying to develop secure boot on an i.MX6UltraLite custom board with a NAND boot device.

Prior to enabling secure boot support on the i.MX6UltraLite custom board, I performed a secure boot on the i.MX6UL EVK using HABv4.

The i.MX6UL EVK can boot up from the SD card, and the hab_status command reports no HAB events found.

The signed Linux Kernel image is also successfully executed without generating any HAB events.

I performed the same steps on the i.MX6UltraLite custom board.

However, it failed to boot up from NAND after I burned the signed U-Boot image into NAND using UUU.

I am also unable to verify HAB events with the hab_status command.

I tried to run UUU using the "uuu.exe -v ./uuu_nand.auto" command again.

UUU appears to hang with the "Wait for Known Device Appear..." message.

The i.MX6UltraLite custom board is connected to the computer with a micro USB cable.

But it can't detect the device and always hangs with the "Wait for Known Device Appear..." message.

After that, I can't burn any U-Boot into NAND using UUU anymore.

Is there any way to flash the U-Boot image again?

The BootROM should boot the U-Boot image even if it has no valid signature before the device is closed, as mentioned in the documents related to secure boot.

I didn't blow the fuse to close the device.

Both the EVK and the custom board are in the open state.

Whether I burn a signed U-Boot image with a correct signature or a wrong signature into the i.MX6UL EVK, the BootROM always allows U-Boot to boot up from the SD card.

But the i.MX6UltraLite custom board can't boot up once I enable the secure boot features.

Why do the i.MX6UltraLite custom board and the i.MX6UL EVK have different results?

Does the i.MX6UltraLite custom board booting from NAND require some additional configuration?

I followed the steps below to enable the secure boot features of the i.MX6UltraLite custom board.

  1. Followed the CST user guide to generate the PKI tree and SRK tables using cst-3.3.1.
  2. Added "CONFIG_SECURE_BOOT=y" in mx6ul_14x14_evk_nand_defconfig and built it.
  3. Created the CSF description file and generated the CSF binary file using the CST tool.
  4. Appended the CSF signature to the end of the U-Boot image.
  5. Programmed the SRK Hash fuse values in the SRK_HASH[255:0] fuses using the U-Boot fuse tool.
  6. Flashed the signed U-Boot image into NAND flash using UUU.

The differences between the i.MX6UltraLite custom board and the i.MX6UL EVK are as follows.

| | i.MX6UltraLite custom board | i.MX6UL EVK |
|---|---|---|
| Boot Device | NAND | SD |
| Build Environment | build U-Boot in Yocto Project | build U-Boot in standalone environment |
| The file where CONFIG_SECURE_BOOT is added | mx6ul_14x14_evk_nand_defconfig | mx6ul_14x14_evk_defconfig |
| Value of OTP Bank0 Word6 (OCOTP_CFG5) | 0x00080040 | 0x00000000 |

Please check the attachments for details.

What did I miss in the above procedure?

I would appreciate it if you could give me some suggestions to resolve this issue.
