i.MX6ULL Secure Boot – MFGTool Fails to Flash Signed u-boot.imx

LoongX · ‎05-25-2025

Hi,

I'm enabling Secure Boot on the i.MX6ULL platform. Below are the steps I’ve followed:

Secure Boot Configuration:
- I used NXP's CST tool to generate the key pair.
- I programmed the relevant OTP fuses:
  - OCOTP bank 0 word 6
  - bank 3
Signing the u-boot image:
- The image I’m using is: firmware/u-boot-imx6ull-14x14-nand.imx.I renamed the file to u-boot.imx, replacing the original.
- The original size of this image is 0x6B400 bytes. I padded it to 0x6C000 to meet the alignment requirement for the Authenticate Data block.
- My csf_uboot.txt file contains the following:
  
  [Authenticate Data] Blocks = 0x877ff420 0x0 0x6C000 "u-boot.imx"
MFGTool Configuration:
- I modified the ucl2.xml file with the following entry:
  
  <LIST name="NAND Flash" desc="Choose NAND as media"> <CMD state="BootStrap" type="boot" body="BootStrap" file="firmware/u-boot-imx6ull-14x14-nand.imx" address="0x877FF400" ifdev="MX6ULL">Loading U-boot</CMD>

Problem:

When I try to flash the image using MFGTool, I get the following error:

"Boot" body="BootStrap" error, file="C:\mfgtool\Profiles\linux\OS Firmware\firmware\u-boot-imx6ull-14x14

Harvey021 · ‎05-25-2025

Hi,

Recommend to UUU tool instead of the old MFGTool.

The UUU flashing tool - uuu_1.5.201 where you will the flashing tool and uuu guide.

And better to use newer BSP.

Regards

Harvey

LoongX · ‎06-12-2025

Hi,
I used UUU to upload uboot to an unfused bank 0 Word 6 board, which can load normally. However, uploading to a fused board can burn normally, but there is no information displayed on the serial port, and it cannot start normally
The command I used:
./uuu.exe -b sd ./u-boot-imx6ull-14x14-nand-signed.imx
Regards
LoongX

Harvey021 · ‎06-13-2025

Hi,

Have you verified the HAB events? by hab_status in U-Boot command line.

Don't close the device before verifying HAB events.

Do you have other device to do events test?

Regards

Harvey

LoongX · ‎06-13-2025

hi，
Yes, when I burned the fuse prog 0 6 0x2, the restart display was as follows:
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x05 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_IVT (0x05)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)

Authenticate zImage Fail, Please check

I have a board that has not been fused at all and a board that has been fused (band3 and band 0 6), and the same uboot-signed.imx. I can run normally on the board that has not been fused, but I cannot run normally on the board that has been fused, and no information is printed on the serial port.

Regards
Loongx

Harvey021 · ‎06-15-2025

Hi,

"Authenticate zImage Fail" this tells you have not signed the image kernel.

Please have a reference to the section <3. Extending the root of trust> this guide

The kernel signing can be disabled if it is not necessary for you.

diff --git a/cmd/booti.c b/cmd/booti.c

index a132949091..b66dfbff0e 100644

--- a/cmd/booti.c

+++ b/cmd/booti.c

@@ -42,7 +42,7 @@ static int booti_start(cmd_tbl_t *cmdtp, int flag, int argc,

if (ret != 0)

return 1;

-#if defined(CONFIG_IMX_HAB) && !defined(CONFIG_AVB_SUPPORT)

+#if 0

extern int authenticate_image(

uint32_t ddr_start, uint32_t raw_image_size);

if (authenticate_image(ld, image_size) != 0) {

Regards

Harvey