[i.MX8ULP] Disable secure boot after it's been enabled

martinetd · ‎07-28-2025

Hello,

We're looking at shipping our product with secure boot enabled by default, and checking legal obligations.

In particular, the GPL requires user to be able to modify the software, so we're thinking of doing like android: allow disabling secure boot (and wipe all storage when we do so). Ideally we'd like to allow re-enabling as well later but this is not mandatory.

But looking at the documentations I don't see anything that'd permit such disabling.

(I've seen ahab_return_lifecycle, but nothing mentions this command in the security reference manual (or normal manual), nor uboot docs, but it requires a signed message and I'm not even sure it's appropriate in this context)

Is there a way to toggle this?

Or would we have to provide the user with a uboot that doesn't check kernel signatures or something like that?

Thanks

Harvey021 · ‎07-30-2025

secure boot which is fused can't be disabled. images after SPL can be configured to not be verified.

Regards

Harvey

在原帖中查看解决方案

martinetd · ‎07-28-2025

Correcting myself on the license requirements (not a lawyer, so apparently), GPLv2 does require to provide installation scripts but it does not require to provide the ability to install it (e.g. secure boot keys) unlike GPLv3 that would have required these, so we apparently don't strictly need to provide the ability to disable secure boot.

Nevertheless, I'm still interested to provide this functionality for advanced users, so if there is any way I'm all ears.

Thank you

Harvey021 · ‎07-30-2025

secure boot which is fused can't be disabled. images after SPL can be configured to not be verified.

Regards

Harvey

martinetd · ‎07-30-2025

Thank you, this (providing a SPL that can safely toggle between verifying or not) corresponds to what I was fearing as it's not something that sounds easy to do.

I think that's what android does, so I'll check how they do it if required.