imx8m secure boot

Showing results for 
Search instead for 
Did you mean: 

imx8m secure boot

Contributor II


I'm trying to get secure boot working on an imx8m board but the HAB reports a warning event. I'm _not_ using the multi stage configuration with uboot spl + uboot but only loading a first stage loader into the TCM ram.

SoC: IMX8M quad-lite, 1.0

CST: 3.3.0

imx-mkimage: rel_imx_4.14.98_2.3.0

CSF file:

Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
# This selects which key is used for signing: index = IMG(n-1)
File = ""pki/imx6ul_hab_testkeys/SRK_1_2_3_4_table.bin""
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = ""pki/imx6ul_hab_testkeys/CSF1_1_sha256_4096_65537_v3_usr_crt.pem""

[Authenticate CSF]
# Whole line comment

# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Key to install
Target index = 2
# Key to install
File = ""pki/imx6ul_hab_testkeys/IMG1_1_sha256_4096_65537_v3_usr_crt.pem""

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x7E0FC0 0x1a000 0x22000 "build-pico8ml/pb_pad.imx"

HAB event:

I hab_has_no_errors: configuration: 0xf0, state: 0x66
I hab_has_no_errors: result = 105
W hab_has_no_errors: 1, event data:
0xdb 0x0 0x24 0x43 0x69 0x30 0xe1 0x1d 0x0 0x8 0x0 0x2 0x40 0x0 0x4 0xcc 0x55 0x55 0x0 0x3f 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x5

From what I understand this decodes to:

0xdb 0x0 0x24 0x43
Event         HAB Version: 4.3

0x69 0x30 0xe1 0x1d

0x00 0x08 0x00 0x02
0x40 0x00 0x04 0xcc
0x55 0x55 0x00 0x3f
0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x05 
What I'm seeing seems very close to something that is reported in this thread:
But no good explanation was provided beyond the suggestion that it might be related to the CAAM RNG.
I've made the following observations:
1) When loading a signed image with 'uuu' it takes approximately six seconds before the core starts executing the code, indicating that it's stuck in the boot rom for that amount of time. Loading the same code but unsigned boots in less then one second.
2) Corrupting the signature or changing the key index to not match the key results in a few HAB errors; which to me indicates that the signature verification might be working because with the proper signature, key and index I'm only seeing the hab warning.  
1) Can someone from NXP shed some light on what's going on with the HAB event I'm seeing
I've studied and followed the relevant documentation found here:
The CST manual
Labels (1)
0 Kudos
3 Replies

NXP TechSupport
NXP TechSupport
0 Kudos

Contributor II

Did you even read the post/question?

You're linking to a document thats in the original post, how is that supposed to be helpful?


0 Kudos

NXP TechSupport
NXP TechSupport

Hi Jonas,

Sorry about the last reply. For i.MX8M secure boot materials are not public, so we can not share you more. If you need you have to sign the NDA with NXP firstly.

Have a nice day

Best Regards


0 Kudos