i.MX93 AHAB Secure Boot


2,190 Views
yaen
Contributor II

Hi,

I’m trying to produce a signed bootloader for i.MX93 using both CST
(https://github.com/nxp-imx/uboot-imx/blob/lf_v2025.04/doc/imx/ahab/)
and SPSDK
(https://docs.nxp.com/bundle/AN14785/page/topics/introduction.html),
following the official guides.

Both methods complete, but signature verification reports warnings:

nxpimage bootable-image verify -f mimx9352 -b hsm_flash.bin -m serial_downloader
...
Summary table of verifier results:
+-----------+---------+-------+
| Succeeded | Warning | Error |
+-----------+---------+-------+
| 587 | 5 | 0 |
+-----------+---------+-------+

Overall result: Warning

After programming the SRK hash as advised in
https://community.nxp.com/t5/i-MX-Processors/IMX93-AHAB-Secure-Boot/m-p/2073790 and rebooting, I get:

ahab_status
Lifecycle: 0x00000008, OEM Open
0x0287fad6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_BAD_KEY_HASH_FAILURE_IND (0xFA)
STA = ELE_SUCCESS_IND (0xD6)

Could you clarify:

What causes the ELE_BAD_KEY_HASH_FAILURE_IND in this context?

Are the “warnings” from nxpimage verify expected, or do they indicate a signature mismatch?

Which toolchain (CST or SPSDK) is currently recommended for i.MX93 AHAB, and is there a verified example configuration available?

Thanks,
Yaakov

0 Kudos
Reply
5 Replies

1,919 Views
yaen
Contributor II

$ hexdump -C SRK_1_2_3_4_table.bin |head
00000000 d7 b4 01 42 e1 6c 00 27 00 02 00 80 30 00 30 00 |...B.l.'....0.0.|
00000010 03 41 64 13 d5 b6 e8 1d 4d 08 4a 3b d2 78 2e 9c |.Ad.....M.J;.x..|
00000020 ba db 9b ef 13 6a 0e c6 d4 d4 0c b0 3c 9f 46 8a |.....j......<.F.|
00000030 31 d0 68 63 1f 7c 76 d5 cb 48 a6 6a 63 1f f9 3a |1.hc.|v..H.jc..:|
00000040 d3 d9 34 e2 67 71 0f 17 af 38 0c 11 10 a7 bc 7a |..4.gq...8.....z|
00000050 32 90 e5 c4 50 f8 ce 64 8c b2 61 97 ca 40 ea dc |2...P..d..a..@..|
00000060 9d 7b a5 a1 6d 12 f5 7d 20 46 a9 5e ca 8d 0b 06 |.{..m..} F.^....|
00000070 e1 6c 00 27 00 02 00 80 30 00 30 00 f5 c0 f4 44 |.l.'....0.0....D|
00000080 21 88 8a 53 c7 f8 d6 02 85 d2 8f a3 bc b7 dd e1 |!..S............|
00000090 17 eb 6c 01 4c 3e d8 e0 07 ee 41 6f 64 27 3c 81 |..l.L>....Aod'<.|

irmware-ele-imx-2.0.2-89161a8.bin

0 Kudos
Reply

1,899 Views
Harvey021
NXP TechSupport

The hash algorithm looks fine.

Please check whether the sha256sum of SRK_1_2_3_4_table matches SRK_1_2_3_4_fuse.bin, and also read the fuse values already burned on the SoC and check that they match.

Regards

Harvey

0 Kudos
Reply
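
Added example, not part of the thread and not NXP tooling: the three-way comparison suggested in the reply above (SHA-256 of the table file, the fuse file, and the words read back from the SoC) written as a Python check. The header reading (tag 0xD7, 16-bit little-endian length), the little-endian fuse word order and all function names are assumptions; the sample table reuses the header and record prefix bytes from the posted dump with dummy key bytes.

```python
import hashlib
import struct

def constructed_table() -> bytes:
    """Constructed sample: header and record prefix copied from the dump,
    key bytes are dummy values (not a real key)."""
    header = bytes.fromhex("d7b40142")
    prefix = bytes.fromhex("e16c00270002008030003000")
    records = [prefix + bytes((i + n) % 256 for i in range(96)) for n in range(4)]
    return header + b"".join(records)

def srk_hash_words(table: bytes) -> list:
    """SHA-256 of the whole table file as eight 32-bit words."""
    # Assumption: each fuse word is four digest bytes read little-endian, the
    # way `od -t x4 SRK_1_2_3_4_fuse.bin` prints them on a little-endian host.
    return list(struct.unpack("<8I", hashlib.sha256(table).digest()))

def check_srk(table: bytes, fuse_bin: bytes, soc_words: list) -> list:
    """Return mismatch descriptions; an empty list means all three agree."""
    problems = []
    # Header as read from the dump: tag 0xD7, 16-bit little-endian length.
    if len(table) < 4 or table[0] != 0xD7:
        problems.append("table does not start with tag 0xD7")
    elif struct.unpack_from("<H", table, 1)[0] != len(table):
        problems.append("header length field differs from file size")
    if len(fuse_bin) != 32:
        problems.append(f"fuse file is {len(fuse_bin)} bytes, expected 32")
    elif fuse_bin != hashlib.sha256(table).digest():
        problems.append("SHA-256(table) differs from fuse file")
    expected = srk_hash_words(table)
    if len(soc_words) != 8:
        problems.append(f"got {len(soc_words)} fuse words, expected 8")
        return problems
    for i, (want, got) in enumerate(zip(expected, soc_words)):
        if want != got:
            # Flag the common case of words entered in the opposite byte order.
            swapped = int.from_bytes(want.to_bytes(4, "little"), "big")
            hint = " (byte-swapped?)" if got == swapped else ""
            problems.append(f"word {i}: SoC 0x{got:08X}, expected 0x{want:08X}{hint}")
    return problems

if __name__ == "__main__":
    table = constructed_table()
    fuse_bin = hashlib.sha256(table).digest()  # stands in for SRK_1_2_3_4_fuse.bin
    print(check_srk(table, fuse_bin, srk_hash_words(table)))
```

To use it on real files, read SRK_1_2_3_4_table.bin and SRK_1_2_3_4_fuse.bin as bytes and pass the eight fuse words read back from the board as integers.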

2,145 Views
Harvey021
NXP TechSupport

Hi,

A mismatch between the key hash (of the SRK Table) and the one in the OTP fuses may cause this.

Please share how you generated the keys, the SRK Table and the hash.

Please note that, for i.MX93, a subordinate SGK key is not supported, and in i.MX 8ULP/9x the expected SRK hash is 256 bits.

Please reference - The Guide (https://github.com/nxp-imx/uboot-imx/blob/lf_v2025.04/doc/imx/ahab/introduction_ahab.txt)

Regards

Harvey

0 Kudos
Reply

2,078 Views
yaen
Contributor II

Hi Harvey,

I generated the SRK Table and key hash with:

srktool -a -d sha256 -s sha384 -t SRK_1_2_3_4_table.bin \
           -e SRK_1_2_3_4_fuse.bin -f 1 -c \
           SRK1_sha384_secp384r1_v3_usr_crt.pem,\
SRK2_sha384_secp384r1_v3_usr_crt.pem,\
SRK3_sha384_secp384r1_v3_usr_crt.pem,\
SRK4_sha384_secp384r1_v3_usr_crt.pem

following the reference that you sent.

Is there a preferred procedure to ensure the hash matches the fuse expectations?

Thanks,
Yaakov

0 Kudos
Reply

2,015 Views
Harvey021
NXP TechSupport

Hi @yaen 

Please check your SRK Table (hexdump -C SRK_1_2_3_4_table.bin | head) and share the output.

Also share the version of your ELE FW.

Regards

Harvey

0 Kudos
Reply