FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

i.Mx8MP Fast Auth HAB errors

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

i.Mx8MP Fast Auth HAB errors

Jump to solution
‎03-24-2025 03:06 AM
2,404 Views
jd-bootlin
Contributor I

Hello,

I'm trying to implement secure boot on an i.MX8MP-based custom platform. The board design is very similar to the i.MX8MP devkit.

I want to use the Fast Authentication feature. So far, I've burnt the key hash into the SoC and I got the following HAB errors:

u-boot=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x1d 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xe8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_KEY (0x1D)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x1d 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xe8

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_KEY (0x1D)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x1d 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xd0

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_KEY (0x1D)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x1d 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x1d 0x00
0x00 0x00 0x10 0xd0

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_KEY (0x1D)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0xff 0xc0
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0xff 0xe0
0x00 0x00 0x00 0x0c

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 7 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x92 0x00 0x00
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 8 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xbd 0xc0
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 9 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xad 0xc0
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)

 

It looks like my key is invalid. I double checked that I fused the correct keys and it looks good to me.

Here is my full procedure, if you see something wrong:

PKI tree generation:

$ ./keys/hab4_pki_tree.sh 
Do you want to use an existing CA key (y/n)?: n

Key type options (confirm targeted device supports desired key type):
Select the key type (possible values: rsa, rsa-pss, ecc)?: rsa-pss
Enter key length in bits for PKI tree: 4096
Enter PKI tree duration (years): 5
How many Super Root Keys should be generated? 4
Do you want the SRK certificates to have the CA flag set? (y/n)?: n

 

 SRK table/fuse generation:

$ ./linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c crts/SRK1_sha256_4096_65537_v3_usr_crt.pem,crts/SRK2_sha256_4096_65537_v3_usr_crt.pem,crts/SRK3_sha256_4096_65537_v3_usr_crt.pem,crts/SRK4_sha256_4096_65537_v3_usr_crt.pem
Number of certificates    = 4
SRK table binary filename = SRK_1_2_3_4_table.bin
SRK Fuse binary filename  = SRK_1_2_3_4_fuse.bin
SRK Fuse binary dump:
SRKH[0] = 0xCC68B1A5
SRKH[1] = 0xFC739529
SRKH[2] = 0xC2A266D4
SRKH[3] = 0x565ED742
SRKH[4] = 0xD85265D5
SRKH[5] = 0x2E4D871A
SRKH[6] = 0x6AAF0D93
SRKH[7] = 0x21C75F71

 

Hexdump output:

$ hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin
0xCC68B1A5
0xFC739529
0xC2A266D4
0x565ED742
0xD85265D5
0x2E4D871A
0x6AAF0D93
0x21C75F71

 

Fuse reads on target after being burnt:

u-boot=> fuse read 6 0 4
Reading bank 6:

Word 0x00000000: cc68b1a5 fc739529 c2a266d4 565ed742
u-boot=> fuse read 7 0 4
Reading bank 7:

Word 0x00000000: d85265d5 2e4d871a 6aaf0d93 21c75f71

 

For the signing procedure, you'll find attached my CSF templates and imx-mkimage build logs.

I'm using CST version 4.0.0.


And for the CSF binaries generation and injection:

 

$ ./linux64/bin/cst -i cst_spl.txt -o cst_spl.bin
CSF Processed successfully and signed data available in cst_spl.bin

$ ./linux64/bin/cst -i cst_fit.txt -o cst_fit.bin
CSF Processed successfully and signed data available in cst_fit.bin

$ cp flash.bin signed_flash.bin

$ dd if=cst_spl.bin of=signed_flash.bin seek=$((0x36c00)) bs=1 conv=notrunc

$ dd if=cst_fit.bin of=signed_flash.bin seek=$((0x59020)) bs=1 conv=notrunc

$ sudo dd if=signed_flash.bin of=/dev/sdb bs=1K seek=32 && sync

 

Labels (1)
cst_spl.txt
cst_fit.txt
mkimage-logs.txt
print-hab-logs.txt
Reply
1 Solution

Jump to solution
‎03-25-2025 05:43 AM
2,296 Views
Harvey021
NXP TechSupport
NXP TechSupport

Hello @jd-bootlin 


The i.MX8MP doesn't support RSA-PSS key for HAB. Suggest to Key Type - RSA.

 

Regards

Harvey

View solution in original post

Reply
4 Replies

Jump to solution
‎03-25-2025 05:43 AM
2,297 Views
Harvey021
NXP TechSupport
NXP TechSupport

Hello @jd-bootlin 


The i.MX8MP doesn't support RSA-PSS key for HAB. Suggest to Key Type - RSA.

 

Regards

Harvey

Reply

Jump to solution
‎03-25-2025 06:00 AM
2,292 Views
jd-bootlin
Contributor I
Hello @Harvey021, thanks for your feedback!
Do you know if it is written somewhere? I read multiple times the official CST doc and I did not find this information.
0 Kudos
Reply

Jump to solution
‎03-25-2025 08:48 PM
2,257 Views
Harvey021
NXP TechSupport
NXP TechSupport

For its detailed information, recommend to have a reference to the section <HAB Feature summary> of SRM. 

 

Regards

Harvey

0 Kudos
Reply

Jump to solution
‎03-25-2025 04:16 AM
2,307 Views
jd-bootlin
Contributor I

After decoding the first HAB event using the HABv4 API document, it looks like the reason is "specified key is identified as a CA key." I double checked my keys and they don't have the CA flag set, I'm a little bit more confused now.

0 Kudos
Reply
%3CLINGO-SUB%20id%3D%22lingo-sub-2067164%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3Ei.Mx8MP%20Fast%20Auth%20HAB%20errors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2067164%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EI'm%20trying%20to%20implement%20secure%20boot%20on%20an%20i.MX8MP-based%20custom%20platform.%20The%20board%20design%20is%20very%20similar%20to%20the%20i.MX8MP%20devkit.%3C%2FP%3E%3CP%3EI%20want%20to%20use%20the%20Fast%20Authentication%20feature.%20So%20far%2C%20I've%20burnt%20the%20key%20hash%20into%20the%20SoC%20and%20I%20got%20the%20following%20HAB%20errors%3A%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-c%22%3E%3CCODE%3Eu-boot%3D%26gt%3B%20hab_status%0A%0ASecure%20boot%20disabled%0A%0AHAB%20Configuration%3A%200xf0%2C%20HAB%20State%3A%200x66%0A%0A---------%20HAB%20Event%201%20-----------------%0Aevent%20data%3A%0A0xdb%200x00%200x14%200x45%200x33%200x1d%200xc0%200x00%0A0xca%200x00%200x0c%200x00%200x01%200xc5%200x1d%200x00%0A0x00%200x00%200x10%200xe8%0A%0ASTS%20%3D%20HAB_FAILURE%20(0x33)%0ARSN%20%3D%20HAB_INV_KEY%20(0x1D)%0ACTX%20%3D%20HAB_CTX_COMMAND%20(0xC0)%0AENG%20%3D%20HAB_ENG_ANY%20(0x00)%0A%0A%0A---------%20HAB%20Event%202%20-----------------%0Aevent%20data%3A%0A0xdb%200x00%200x14%200x45%200x33%200x1d%200xc0%200x00%0A0xca%200x00%200x0c%200x00%200x01%200xc5%200x1d%200x00%0A0x00%200x00%200x10%200xe8%0A%0ASTS%20%3D%20HAB_FAILURE%20(0x33)%0ARSN%20%3D%20HAB_INV_KEY%20(0x1D)%0ACTX%20%3D%20HAB_CTX_COMMAND%20(0xC0)%0AENG%20%3D%20HAB_ENG_ANY%20(0x00)%0A%0A%0A---------%20HAB%20Event%203%20-----------------%0Aevent%20data%3A%0A0xdb%200x00%200x14%200x45%200x33%200x1d%200xc0%200x00%0A0xca%200x00%200x0c%200x00%200x01%200xc5%200x1d%200x00%0A0x00%200x00%200x10%200xd0%0A%0ASTS%20%3D%20HAB_FAILURE%20(0x33)%0ARSN%20%3D%20HAB_INV_KEY%20(0x1D)%0ACTX%20%3D%20HAB_CTX_COMMAND%20(0xC0)%0AENG%20%3D%20HAB_ENG_ANY%20(0x00)%0A%0A%0A---------%20HAB%20Event%204%20-----------------%0Aevent%20data%3A%0A0xdb%200x00%200x14%200x45%200x33%200x1d%200xc0%200x00%0A0xca%200x00%200x0c%200x00%200x01%200xc5%200x1d%200x00%0A0x00%200x00%200x10%200xd0%0A%0ASTS%20%3D%20HAB_FAILURE%20(0x33)%0ARSN%20%3D%20HAB_INV_KEY%20(0x1D)%0ACTX%20%3D%20HAB_CTX_COMMAND%20(0xC0)%0AENG%20%3D%20HAB_ENG_ANY%20(0x00)%0A%0A%0A---------%20HAB%20Event%205%20-----------------%0Aevent%20data%3A%0A0xdb%200x00%200x14%200x45%200x33%200x0c%200xa0%200x00%0A0x00%200x00%200x00%200x00%200x00%200x91%200xff%200xc0%0A0x00%200x00%200x00%200x20%0A%0ASTS%20%3D%20HAB_FAILURE%20(0x33)%0ARSN%20%3D%20HAB_INV_ASSERTION%20(0x0C)%0ACTX%20%3D%20HAB_CTX_ASSERT%20(0xA0)%0AENG%20%3D%20HAB_ENG_ANY%20(0x00)%0A%0A%0A---------%20HAB%20Event%206%20-----------------%0Aevent%20data%3A%0A0xdb%200x00%200x14%200x45%200x33%200x0c%200xa0%200x00%0A0x00%200x00%200x00%200x00%200x00%200x91%200xff%200xe0%0A0x00%200x00%200x00%200x0c%0A%0ASTS%20%3D%20HAB_FAILURE%20(0x33)%0ARSN%20%3D%20HAB_INV_ASSERTION%20(0x0C)%0ACTX%20%3D%20HAB_CTX_ASSERT%20(0xA0)%0AENG%20%3D%20HAB_ENG_ANY%20(0x00)%0A%0A%0A---------%20HAB%20Event%207%20-----------------%0Aevent%20data%3A%0A0xdb%200x00%200x14%200x45%200x33%200x0c%200xa0%200x00%0A0x00%200x00%200x00%200x00%200x00%200x92%200x00%200x00%0A0x00%200x00%200x00%200x04%0A%0ASTS%20%3D%20HAB_FAILURE%20(0x33)%0ARSN%20%3D%20HAB_INV_ASSERTION%20(0x0C)%0ACTX%20%3D%20HAB_CTX_ASSERT%20(0xA0)%0AENG%20%3D%20HAB_ENG_ANY%20(0x00)%0A%0A%0A---------%20HAB%20Event%208%20-----------------%0Aevent%20data%3A%0A0xdb%200x00%200x14%200x45%200x33%200x0c%200xa0%200x00%0A0x00%200x00%200x00%200x00%200x40%200x1f%200xbd%200xc0%0A0x00%200x00%200x00%200x20%0A%0ASTS%20%3D%20HAB_FAILURE%20(0x33)%0ARSN%20%3D%20HAB_INV_ASSERTION%20(0x0C)%0ACTX%20%3D%20HAB_CTX_ASSERT%20(0xA0)%0AENG%20%3D%20HAB_ENG_ANY%20(0x00)%0A%0A%0A---------%20HAB%20Event%209%20-----------------%0Aevent%20data%3A%0A0xdb%200x00%200x14%200x45%200x33%200x0c%200xa0%200x00%0A0x00%200x00%200x00%200x00%200x40%200x1f%200xad%200xc0%0A0x00%200x00%200x00%200x04%0A%0ASTS%20%3D%20HAB_FAILURE%20(0x33)%0ARSN%20%3D%20HAB_INV_ASSERTION%20(0x0C)%0ACTX%20%3D%20HAB_CTX_ASSERT%20(0xA0)%0AENG%20%3D%20HAB_ENG_ANY%20(0x00)%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CP%3EIt%20looks%20like%20my%20key%20is%20invalid.%20I%20double%20checked%20that%20I%20fused%20the%20correct%20keys%20and%20it%20looks%20good%20to%20me.%3C%2FP%3E%3CP%3EHere%20is%20my%20full%20procedure%2C%20if%20you%20see%20something%20wrong%3A%3C%2FP%3E%3CP%3EPKI%20tree%20generation%3A%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-c%22%3E%3CCODE%3E%24%20.%2Fkeys%2Fhab4_pki_tree.sh%20%0ADo%20you%20want%20to%20use%20an%20existing%20CA%20key%20(y%2Fn)%3F%3A%20n%0A%0AKey%20type%20options%20(confirm%20targeted%20device%20supports%20desired%20key%20type)%3A%0ASelect%20the%20key%20type%20(possible%20values%3A%20rsa%2C%20rsa-pss%2C%20ecc)%3F%3A%20rsa-pss%0AEnter%20key%20length%20in%20bits%20for%20PKI%20tree%3A%204096%0AEnter%20PKI%20tree%20duration%20(years)%3A%205%0AHow%20many%20Super%20Root%20Keys%20should%20be%20generated%3F%204%0ADo%20you%20want%20the%20SRK%20certificates%20to%20have%20the%20CA%20flag%20set%3F%20(y%2Fn)%3F%3A%20n%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CP%3E%26nbsp%3BSRK%20table%2Ffuse%20generation%3A%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-c%22%3E%3CCODE%3E%24%20.%2Flinux64%2Fbin%2Fsrktool%20-h%204%20-t%20SRK_1_2_3_4_table.bin%20-e%20SRK_1_2_3_4_fuse.bin%20-d%20sha256%20-c%20crts%2FSRK1_sha256_4096_65537_v3_usr_crt.pem%2Ccrts%2FSRK2_sha256_4096_65537_v3_usr_crt.pem%2Ccrts%2FSRK3_sha256_4096_65537_v3_usr_crt.pem%2Ccrts%2FSRK4_sha256_4096_65537_v3_usr_crt.pem%0ANumber%20of%20certificates%20%20%20%20%3D%204%0ASRK%20table%20binary%20filename%20%3D%20SRK_1_2_3_4_table.bin%0ASRK%20Fuse%20binary%20filename%20%20%3D%20SRK_1_2_3_4_fuse.bin%0ASRK%20Fuse%20binary%20dump%3A%0ASRKH%5B0%5D%20%3D%200xCC68B1A5%0ASRKH%5B1%5D%20%3D%200xFC739529%0ASRKH%5B2%5D%20%3D%200xC2A266D4%0ASRKH%5B3%5D%20%3D%200x565ED742%0ASRKH%5B4%5D%20%3D%200xD85265D5%0ASRKH%5B5%5D%20%3D%200x2E4D871A%0ASRKH%5B6%5D%20%3D%200x6AAF0D93%0ASRKH%5B7%5D%20%3D%200x21C75F71%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CP%3EHexdump%20output%3A%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-c%22%3E%3CCODE%3E%24%20hexdump%20-e%20'%2F4%20%220x%22'%20-e%20'%2F4%20%22%25X%22%22%5Cn%22'%20SRK_1_2_3_4_fuse.bin%0A0xCC68B1A5%0A0xFC739529%0A0xC2A266D4%0A0x565ED742%0A0xD85265D5%0A0x2E4D871A%0A0x6AAF0D93%0A0x21C75F71%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CP%3EFuse%20reads%20on%20target%20after%20being%20burnt%3A%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-c%22%3E%3CCODE%3Eu-boot%3D%26gt%3B%20fuse%20read%206%200%204%0AReading%20bank%206%3A%0A%0AWord%200x00000000%3A%20cc68b1a5%20fc739529%20c2a266d4%20565ed742%0Au-boot%3D%26gt%3B%20fuse%20read%207%200%204%0AReading%20bank%207%3A%0A%0AWord%200x00000000%3A%20d85265d5%202e4d871a%206aaf0d93%2021c75f71%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3CP%3EFor%20the%20signing%20procedure%2C%20you'll%20find%20attached%20my%20CSF%20templates%20and%20imx-mkimage%20build%20logs.%3C%2FP%3E%3CP%3EI'm%20using%20CST%20version%204.0.0.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EAnd%20for%20the%20CSF%20binaries%20generation%20and%20injection%3A%3C%2FP%3E%3CBR%20%2F%3E%3CPRE%20class%3D%22lia-code-sample%20language-c%22%3E%3CCODE%3E%24%20.%2Flinux64%2Fbin%2Fcst%20-i%20cst_spl.txt%20-o%20cst_spl.bin%0ACSF%20Processed%20successfully%20and%20signed%20data%20available%20in%20cst_spl.bin%0A%0A%24%20.%2Flinux64%2Fbin%2Fcst%20-i%20cst_fit.txt%20-o%20cst_fit.bin%0ACSF%20Processed%20successfully%20and%20signed%20data%20available%20in%20cst_fit.bin%0A%0A%24%20cp%20flash.bin%20signed_flash.bin%0A%0A%24%20dd%20if%3Dcst_spl.bin%20of%3Dsigned_flash.bin%20seek%3D%24((0x36c00))%20bs%3D1%20conv%3Dnotrunc%0A%0A%24%20dd%20if%3Dcst_fit.bin%20of%3Dsigned_flash.bin%20seek%3D%24((0x59020))%20bs%3D1%20conv%3Dnotrunc%0A%0A%24%20sudo%20dd%20if%3Dsigned_flash.bin%20of%3D%2Fdev%2Fsdb%20bs%3D1K%20seek%3D32%20%26amp%3B%26amp%3B%20sync%3C%2FCODE%3E%3C%2FPRE%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2067164%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CLINGO-LABEL%3Ei.MX%208M%20%7C%20i.MX%208M%20Mini%20%7C%20i.MX%208M%20Nano%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2068287%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ERe%3A%20i.Mx8MP%20Fast%20Auth%20HAB%20errors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2068287%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EFor%20its%20detailed%20information%2C%20recommend%20to%20have%20a%20reference%20to%20the%20section%20%3CHAB%20feature%3D%22%22%20summary%3D%22%22%3E%20of%20SRM.%26nbsp%3B%3C%2FHAB%3E%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3EHarvey%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2067740%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ERe%3A%20i.Mx8MP%20Fast%20Auth%20HAB%20errors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2067740%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3EHello%20%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F192970%22%20target%3D%22_blank%22%3E%40Harvey021%3C%2FA%3E%2C%20thanks%20for%20your%20feedback!%3CBR%20%2F%3EDo%20you%20know%20if%20it%20is%20written%20somewhere%3F%20I%20read%20multiple%20times%20the%20official%20CST%20doc%20and%20I%20did%20not%20find%20this%20information.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2067712%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ERe%3A%20i.Mx8MP%20Fast%20Auth%20HAB%20errors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2067712%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%20%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F248421%22%20target%3D%22_blank%22%3E%40jd-bootlin%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EThe%20i.MX8MP%20doesn't%20support%20RSA-PSS%20key%20for%20HAB.%20Suggest%20to%20Key%20Type%20-%20RSA.%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3EHarvey%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2067674%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ERe%3A%20i.Mx8MP%20Fast%20Auth%20HAB%20errors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2067674%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EAfter%20decoding%20the%20first%20HAB%20event%20using%20the%20HABv4%20API%20document%2C%20it%20looks%20like%20the%20reason%20is%20%22specified%20key%20is%20identified%20as%20a%20CA%20key.%22%20I%20double%20checked%20my%20keys%20and%20they%20don't%20have%20the%20CA%20flag%20set%2C%20I'm%20a%20little%20bit%20more%20confused%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E