Hello,
I'm trying to implement secure boot on an i.MX8MP-based custom platform. The board design is very similar to the i.MX8MP devkit.
I want to use the Fast Authentication feature. So far, I've burnt the key hash into the SoC and I got the following HAB errors:
u-boot=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x1d 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xe8
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_KEY (0x1D)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x1d 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xe8
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_KEY (0x1D)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x1d 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xd0
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_KEY (0x1D)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x1d 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xd0
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_KEY (0x1D)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0xff 0xc0
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0xff 0xe0
0x00 0x00 0x00 0x0c
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 7 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x92 0x00 0x00
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 8 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xbd 0xc0
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 9 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xad 0xc0
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
It looks like my key is invalid. I double checked that I fused the correct keys and it looks good to me.
Here is my full procedure, if you see something wrong:
PKI tree generation:
$ ./keys/hab4_pki_tree.sh
Do you want to use an existing CA key (y/n)?: n
Key type options (confirm targeted device supports desired key type):
Select the key type (possible values: rsa, rsa-pss, ecc)?: rsa-pss
Enter key length in bits for PKI tree: 4096
Enter PKI tree duration (years): 5
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: n
SRK table/fuse generation:
$ ./linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c crts/SRK1_sha256_4096_65537_v3_usr_crt.pem,crts/SRK2_sha256_4096_65537_v3_usr_crt.pem,crts/SRK3_sha256_4096_65537_v3_usr_crt.pem,crts/SRK4_sha256_4096_65537_v3_usr_crt.pem
Number of certificates = 4
SRK table binary filename = SRK_1_2_3_4_table.bin
SRK Fuse binary filename = SRK_1_2_3_4_fuse.bin
SRK Fuse binary dump:
SRKH[0] = 0xCC68B1A5
SRKH[1] = 0xFC739529
SRKH[2] = 0xC2A266D4
SRKH[3] = 0x565ED742
SRKH[4] = 0xD85265D5
SRKH[5] = 0x2E4D871A
SRKH[6] = 0x6AAF0D93
SRKH[7] = 0x21C75F71
Hexdump output:
$ hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
0xCC68B1A5
0xFC739529
0xC2A266D4
0x565ED742
0xD85265D5
0x2E4D871A
0x6AAF0D93
0x21C75F71
Fuse reads on target after being burnt:
u-boot=> fuse read 6 0 4
Reading bank 6:
Word 0x00000000: cc68b1a5 fc739529 c2a266d4 565ed742
u-boot=> fuse read 7 0 4
Reading bank 7:
Word 0x00000000: d85265d5 2e4d871a 6aaf0d93 21c75f71
For the signing procedure, you'll find attached my CSF templates and imx-mkimage build logs.
I'm using CST version 4.0.0.
And for the CSF binaries generation and injection:
$ ./linux64/bin/cst -i cst_spl.txt -o cst_spl.bin
CSF Processed successfully and signed data available in cst_spl.bin
$ ./linux64/bin/cst -i cst_fit.txt -o cst_fit.bin
CSF Processed successfully and signed data available in cst_fit.bin
$ cp flash.bin signed_flash.bin
$ dd if=cst_spl.bin of=signed_flash.bin seek=$((0x36c00)) bs=1 conv=notrunc
$ dd if=cst_fit.bin of=signed_flash.bin seek=$((0x59020)) bs=1 conv=notrunc
$ sudo dd if=signed_flash.bin of=/dev/sdb bs=1K seek=32 && sync
Hello @jd-bootlin
The i.MX8MP doesn't support RSA-PSS keys for HAB. I suggest using Key Type - RSA.
Regards
Harvey
For detailed information, I recommend referring to the section <HAB Feature summary> of the SRM.
Regards
Harvey
After decoding the first HAB event using the HABv4 API document, it looks like the reason is "specified key is identified as a CA key." I double-checked my keys and they don't have the CA flag set; I'm a little bit more confused now.
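A decoder for the event records posted in this thread, as an added example (not code from the thread or from NXP). Code names cover only the values printed in the output above; the payload layout (a copy of the failing CSF command for HAB_CTX_COMMAND, a block address and size for HAB_CTX_ASSERT) and the field names `cmd_tag`, `key_index` and `aut_start` are assumptions based on the record descriptions in the HABv4 API document.

```python
import re

# Code names limited to those printed in this thread's hab_status output.
STATUS = {0x33: "HAB_FAILURE"}
REASON = {0x1D: "HAB_INV_KEY", 0x0C: "HAB_INV_ASSERTION"}
CONTEXT = {0xC0: "HAB_CTX_COMMAND", 0xA0: "HAB_CTX_ASSERT"}

# Events 1, 3 and 5 as posted above (STS/RSN/CTX/ENG lines omitted).
SAMPLE = """event data:
0xdb 0x00 0x14 0x45 0x33 0x1d 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xe8
event data:
0xdb 0x00 0x14 0x45 0x33 0x1d 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xd0
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0xff 0xc0
0x00 0x00 0x00 0x20
"""

def parse_events(text):
    """Return one bytes object per 'event data:' block of hab_status output."""
    blocks = [b.split("STS", 1)[0] for b in text.split("event data:")[1:]]
    return [bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{2})\b", b))
            for b in blocks]

def decode(ev):
    """Decode one event record; payload layout is assumed from the HABv4 API doc."""
    if len(ev) < 8 or ev[0] != 0xDB or int.from_bytes(ev[1:3], "big") != len(ev):
        raise ValueError("not a complete HAB event record (tag 0xdb, length)")
    out = {"status": STATUS.get(ev[4], hex(ev[4])),
           "reason": REASON.get(ev[5], hex(ev[5])),
           "context": CONTEXT.get(ev[6], hex(ev[6]))}
    data = ev[8:]
    if ev[6] == 0xA0 and len(data) >= 12:    # failed assertion: block address, size
        out["address"] = int.from_bytes(data[4:8], "big")
        out["size"] = int.from_bytes(data[8:12], "big")
    elif ev[6] == 0xC0 and len(data) >= 12:  # copy of the CSF command that failed
        out["cmd_tag"], out["key_index"] = data[0], data[4]
        out["aut_start"] = int.from_bytes(data[8:12], "big")
    return out

def decode_all(text):
    return [decode(ev) for ev in parse_events(text)]

if __name__ == "__main__":
    print(*decode_all(SAMPLE), sep="\n")
```

Pasting the full `hab_status` output into `decode_all` works as well, since everything before the first `event data:` line and each `STS`/`RSN`/`CTX`/`ENG` summary is skipped.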