i.MX8M Secure Boot (HABv4) does not work with SRK1, SRK2 and SRK3


jfs17
Contributor II

Hi,

I have an iMX8MP board and I have successfully enabled the HABv4 feature. I generated 4 keys and provisioned the public keys into the board.

Below are the commands that I executed.

{cst_dir}/keys/hab4_pki_tree.sh -existing-ca n -kt rsa -kl 4096 -duration 10 -num-srk 4 -srk-ca y
{cst_dir}/linux64/bin/srktool -h 4 -t ../{cst_dir}/crts/SRK_1_2_3_4_table.bin -e ../{cst_dir}/crts/SRK_1_2_3_4_fuse.bin -d sha256 -c ../{cst_dir}/crts/SRK1_sha256_4096_65537_v3_ca_crt.pem,../{cst_dir}/crts/SRK2_sha256_4096_65537_v3_ca_crt.pem,../{cst_dir}/crts/SRK3_sha256_4096_65537_v3_ca_crt.pem,../{cst_dir}/crts/SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1

I signed the bootloader and Linux image using SRK0 (first key) and the board runs perfectly. But when I tried to sign the bootloader and Linux using SRK1, SRK2, SRK3, it fails when running Linux.

Authenticate image from DDR location 0x40400000...

Secure boot enabled

HAB Configuration: 0xcc, HAB State: 0x99

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x14 0x45 0x33 0x0f 0xc0 0x00
        0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
        0x00 0x00 0x00 0x58

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_INDEX (0x0F)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

Authenticate Image Fail, Please check

I appreciate your help to troubleshoot my issues. For reference, I attach the CSF files: CSFs SRK0 is the one that worked, CSFs SRK1 is the one that failed.

Thanks

Jefri
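
The event dump in the post above holds more than the four fields U-Boot prints: the 12 bytes after the 8-byte header are the CSF command HAB was executing when it failed. This added example, which is not from the thread or from NXP, decodes both parts; the Install Key field layout and the lookup values are assumptions taken from the HAB4 command format, and names such as `parse_hab_event` are hypothetical.

```python
import re

# Lookup values assumed from the HAB4 headers; unknown codes print as hex.
STATUS = {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {0x0F: "HAB_INV_INDEX", 0x18: "HAB_INV_SIGNATURE", 0x1D: "HAB_INV_KEY"}
CONTEXT = {0xC0: "HAB_CTX_COMMAND", 0x0A: "HAB_CTX_AUTHENTICATE"}
PROTOCOL = {0x03: "SRK", 0x09: "X509", 0xC5: "CMS"}
HASH_ALG = {0x17: "SHA256"}

# Event data bytes copied from the failing boot log in the post above.
EVENT_TEXT = """
        0xdb 0x00 0x14 0x45 0x33 0x0f 0xc0 0x00
        0xbe 0x00 0x0c 0x00 0x03 0x17 0x00 0x00
        0x00 0x00 0x00 0x58
"""

def name(table, code):
    return table.get(code, f"0x{code:02x}")

def parse_hab_event(text):
    """Decode one 'event data:' dump into header fields plus the CSF command."""
    data = bytes(int(b, 16) for b in re.findall(r"\b0x([0-9a-fA-F]{2})\b", text))
    if len(data) < 8 or data[0] != 0xDB:          # 0xDB = event record tag
        raise ValueError("not a HAB event record")
    if int.from_bytes(data[1:3], "big") != len(data):
        raise ValueError("length field does not match the bytes supplied")
    event = {
        "hab_version": f"{data[3] >> 4}.{data[3] & 0x0F}",
        "status": name(STATUS, data[4]),
        "reason": name(REASON, data[5]),
        "context": name(CONTEXT, data[6]),
        "engine": data[7],
    }
    cmd = data[8:]                                  # command HAB was executing
    if len(cmd) >= 12 and cmd[0] == 0xBE:           # 0xBE = Install Key (assumed)
        event["install_key"] = {
            "flags": cmd[3],
            "protocol": name(PROTOCOL, cmd[4]),
            "hash_alg": name(HASH_ALG, cmd[5]),
            "src_index": cmd[6],
            "tgt_index": cmd[7],
            "key_offset": int.from_bytes(cmd[8:12], "big"),
        }
    return event

if __name__ == "__main__":
    for key, value in parse_hab_event(EVENT_TEXT).items():
        print(f"{key}: {value}")
```

Under the assumed layout, `src_index` corresponds to the `Source index` value in the CSF's `[Install SRK]` section, so it can be compared with the SRK the image was meant to be signed with.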

4 Replies

Harvey021
NXP TechSupport

Hi @jfs17 

Please refer to the link

Regards

Harvey

jfs17
Contributor II

Hi Harvey,

Thanks for the response. I checked the link you provided; the problem was because the TS mistakenly generated the SRK_table.bin. There were spaces after "," when triggering the srktool command.

I put my command to trigger the srktool in my thread, and I think it is correct without additional spaces.

{cst_dir}/linux64/bin/srktool -h 4 -t ../{cst_dir}/crts/SRK_1_2_3_4_table.bin -e ../{cst_dir}/crts/SRK_1_2_3_4_fuse.bin -d sha256 -c ../{cst_dir}/crts/SRK1_sha256_4096_65537_v3_ca_crt.pem,../{cst_dir}/crts/SRK2_sha256_4096_65537_v3_ca_crt.pem,../{cst_dir}/crts/SRK3_sha256_4096_65537_v3_ca_crt.pem,../{cst_dir}/crts/SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1

My command above generates SRK_table.bin with a size of 2112 bytes.

Harvey021
NXP TechSupport

Hi @jfs17 

Try loading the signed flash.bin without loading the kernel and dtb.

Regards

Harvey

jfs17
Contributor II

I attached the CSF additional images for signing the Linux using SRK0 and SRK1.
