Hello NXP,
On an i.MX8M Plus based board, I'm trying to enable secure boot.
I got the following HAB Errors:
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x18 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xc0
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x18 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xc0
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x18 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xc0
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x18 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xc0
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0xff 0xc0
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0xff 0xe0
0x00 0x00 0x00 0x0c
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 7 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x92 0x00 0x00
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 8 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x44 0x0b 0xd0 0x00
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 9 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x44 0x0b 0xd0 0x00
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
Here is an overview of my procedure:
PKI tree generation:
Key type options (confirm targeted device supports desired key type):
Select the key type (possible values: rsa, rsa-pss, ecc) : rsa
Enter key length in bits for PKI tree (possible values: 2048, 3072, 4096) : 4096
Enter PKI tree duration (years): 30
How many Super Root Keys should be generated ? : 4
Do you want the SRK certificates to have the CA flag set? (y/n) : n
SRK table/fuse generation:
Using SRKTOOL
Number of certificates = 4
SRK table binary filename = SRK_1_2_3_4_table.bin
SRK Fuse binary filename = SRK_1_2_3_4_fuse.bin
SRK Fuse binary dump:
SRKH[0] = 0x2C9B8D0B
SRKH[1] = 0xB86FEE22
SRKH[2] = 0xBCF1B62E
SRKH[3] = 0xA9FFBFE0
SRKH[4] = 0x751E51F1
SRKH[5] = 0x20F8C54F
SRKH[6] = 0xD4515446
SRKH[7] = 0x356AB77D
FUSE Verification:
u-boot=> fuse read 6 0
Reading bank 6:
Word 0x00000000: 2c9b8d0b
u-boot=> fuse read 6 1
Reading bank 6:
Word 0x00000001: b86fee22
u-boot=> fuse read 6 2
Reading bank 6:
Word 0x00000002: bcf1b62e
u-boot=> fuse read 6 3
Reading bank 6:
Word 0x00000003: a9ffbfe0
u-boot=> fuse read 7 0
Reading bank 7:
Word 0x00000000: 751e51f1
u-boot=> fuse read 7 1
Reading bank 7:
Word 0x00000001: 20f8c54f
u-boot=> fuse read 7 2
Reading bank 7:
Word 0x00000002: d4515446
u-boot=> fuse read 7 3
Reading bank 7:
Word 0x00000003: 356ab77d
Extra information:
- Fast authentication
- MODE HSM (tried without MODE HSM by also giving the private key, it doesn't work either)
- sha256 used as the hash algorithm for the binaries
- x.509 Certificates
See attached:
- spl_csf.txt = The CSF for the SPL part
- fit_csf.txt = The CSF for the FIT part
I found the problem.
I was hashing the binary twice. So the HAB was verifying the signature of the hash of the hash of the binary.
Hi,
Still blocked on this subject.
Got an e-mail asking if I was satisfied with the first reply, but the first reply was made by me to give more hints.
When trying to decode the event data, I get:
0xdb 0x00 0x14 0x45
|    |    |    |
|    |    |    +-- HAB Version
|    +----+-- Event data length in bytes
+-- Tag: 0xdb = Event

0x33 0x18 0xc0 0x00
|    |    |    |
|    |    |    +-- ENG = HAB_ENG_ANY
|    |    +-- CTX = HAB_CTX_COMMAND
|    +-- RSN = HAB_INV_SIGNATURE
+-- STS = HAB_FAILURE

0xca 0x00 0x0c 0x00
|    |    |    |
|    |    |    +-- Event flags
|    +----+-- Engine = HAB_ENG_CAAM
+-- HAB_CMD_AUT_DAT = Authenticate data command

0x01 0xc5 0x1d 0x00
|    |    |    |
|    |    |    +-- Configuration = default
|    |    +-- Engine = HAB_ENG_CAAM
|    +-- Protocol = HAB_PCL_CMS
+-- Verification key index = 1
I don't know why it states that the Verification key index is 1 while in the CSF file it is 0.
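A small decoder for the event records in this thread, added here as an example (it is not part of the original posts and is not NXP code). It reads the payload of a HAB_CTX_COMMAND event as an Authenticate Data command header (tag, 16-bit length, flags, then key/protocol/engine/config and a 32-bit signature offset); treating a HAB_CTX_ASSERT payload as three 32-bit words (type, start address, size) is an assumption, and the function and field names are illustrative.

```python
import struct

# Names for the values that occur in the log on this page; others print as hex.
STS = {0x33: "HAB_FAILURE"}
RSN = {0x18: "HAB_INV_SIGNATURE", 0x0C: "HAB_INV_ASSERTION"}
CTX = {0xC0: "HAB_CTX_COMMAND", 0xA0: "HAB_CTX_ASSERT"}
ENG = {0x00: "HAB_ENG_ANY", 0x1D: "HAB_ENG_CAAM"}
PCL = {0xC5: "HAB_PCL_CMS"}

# Events 1 and 5 copied from the log in the first post.
EVENT_1 = """0xdb 0x00 0x14 0x45 0x33 0x18 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xc0"""
EVENT_5 = """0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0xff 0xc0
0x00 0x00 0x00 0x20"""

def name(table, value):
    return table.get(value, f"0x{value:02x}")

def parse_event(dump):
    """Decode one HAB event from its '0x..' byte dump."""
    raw = bytes(int(tok, 16) for tok in dump.split())
    tag, length, version = struct.unpack_from(">BHB", raw, 0)
    if tag != 0xDB or length != len(raw):
        raise ValueError("not a complete HAB event record")
    sts, rsn, ctx, eng = raw[4:8]
    event = {"version": version, "sts": name(STS, sts), "rsn": name(RSN, rsn),
             "ctx": name(CTX, ctx), "eng": name(ENG, eng)}
    body = raw[8:]
    if ctx == 0xC0 and len(body) >= 12 and body[0] == 0xCA:
        # Failing CSF command: Authenticate Data header, then signature offset.
        _, cmd_len, flags, key, pcl, cmd_eng, cfg, sig_off = struct.unpack_from(
            ">BHBBBBBI", body, 0)
        event["command"] = {"length": cmd_len, "flags": flags, "key_index": key,
                            "protocol": name(PCL, pcl),
                            "engine": name(ENG, cmd_eng), "config": cfg,
                            "sig_offset": sig_off}
    elif ctx == 0xA0 and len(body) == 12:
        # Assumed layout: assertion type, start address, size (32-bit big-endian).
        kind, start, size = struct.unpack(">III", body)
        event["assert"] = {"type": kind, "start": start, "size": size}
    return event

if __name__ == "__main__":
    for dump in (EVENT_1, EVENT_5):
        print(parse_event(dump))
```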