imx8mm HAB Questions

maxvde
Contributor I
Hi,

I have a few questions about how to use the meta-secure-boot layer from the i.MX8M security reference design.

  1. How do I prove that the U-Boot SPL is correctly checked by the HAB at boot when loading via uuu?
  2. Is it enough that it starts and that I see the "U-Boot SPL 2024.04+g674440bc73e+p0 (Jun 06 2024 - 10:05:34 +0000)" banner?
    There doesn't seem to be an early printing of the HAB status at that stage, so I have concerns about it having the correct signing information and I would not want to set the device to closed state before knowing for sure that the SPL is correctly signed. The board is currently open, so it starts the SPL regardless of whether the HAB signing data is correct.
  3. Is it possible to load the `signed-imx-boot-imx8mm-ebp001-sd.bin-flash_evk` via uuu while developing or does uuu somehow alter the transmitted data, which then breaks HAB?
  4. Is it possible to load the `signed-Image-imx8mm-ebp001.bin` U-Boot via uuu while developing?
  5. Or, do I need to flash the full `core-image-minimal-secure-boot-imx8mm-ebp001.rootfs.wic.zst` file to eMMC and make sure that my development board is booting directly from eMMC when it powers on?
  6. In other words, is the security reference design targeting a flash boot rather than a USB SDP boot?

I'm using the meta-secure-boot layer with no changes, and the CST and its keys seem to all be recognized and used correctly after I set up the `csf_hab4.cfg` to point to them. The bitbake command completes without error.

I seem to be getting HAB Events with our images when loading these signed objects with a uuu script containing roughly the following instructions and the default loading addresses:

```
# Use signed image even on open dev boards
SDP: boot -f "signed-imx-boot-imx8mm-ebp001-sd.bin-flash_evk"

SDPV: delay 1000

SDPV: write -f "signed-imx-boot-imx8mm-ebp001-sd.bin-flash_evk" -skipspl
SDPV: jump

# -----------------------------------------------
# Boot to eMMC
# -----------------------------------------------

# Kernel location, plain kernel, no initramfs
# loadaddr=0x40400000

FB: delay 1000

FB: ucmd setenv fastboot_buffer ${loadaddr}
FB: download -f signed-Image-imx8mm-ebp001.bin

# Device Tree location
# fdt_addr=0x43000000

FB: ucmd setenv fastboot_buffer ${fdt_addr}
FB: download -f imx8mm-ebp001.dtb

# Booting from eMMC:
# Set root= to correct mmcblk0 partition
FB: ucmd setenv bootargs console=ttymxc1,115200 root=/dev/mmcblk2p2 debug ignore_loglevel
FB: acmd booti ${loadaddr} - ${fdt_addr}
```

I see the following HAB Event:

```
HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x08 0x43 0x33 0x05 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_IVT (0x05)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)
```

Harvey021
NXP TechSupport

Hi,

The main features supported by the HABv4 are:
• Authentication of software loaded from any boot device supported, including the Serial Download Protocol (SDP).
• Authenticated USB download fail-over on any security failure.

Regards

Harvey
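
The event bytes quoted in the question follow the HABv4 event record layout: tag `0xdb`, a 16-bit length, the HAB version, then status, reason, context and engine. The Python sketch below is an added example, not code from this thread or from NXP; it decodes a console capture in that format and refuses to treat the board as ready for the closed state when any event is logged or the status line is missing. The function names are hypothetical, and the code tables are a subset of the values in U-Boot's HAB header.

```python
import re

# Subset of the HABv4 codes from U-Boot's hab.h; unknown values print as hex.
STATUS = {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"}
REASON = {0x05: "HAB_INV_IVT", 0x11: "HAB_INV_CSF", 0x18: "HAB_INV_SIGNATURE",
          0x21: "HAB_INV_CERTIFICATE", 0x22: "HAB_INV_ADDRESS"}
CONTEXT = {0x0A: "HAB_CTX_AUTHENTICATE", 0xCF: "HAB_CTX_CSF",
           0xC0: "HAB_CTX_COMMAND", 0xDB: "HAB_CTX_AUT_DAT"}
HAB_TAG_EVT = 0xDB  # first byte of every event record

# Constructed sample: the console capture quoted in the question.
SAMPLE = """HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x08 0x43 0x33 0x05 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_IVT (0x05)
"""

def decode_event(data):
    """Decode the 8-byte header: tag, 16-bit length, version, STS, RSN, CTX, ENG."""
    if len(data) < 8 or data[0] != HAB_TAG_EVT:
        raise ValueError("not a HAB event record")
    length = (data[1] << 8) | data[2]
    if not 8 <= length <= len(data):
        raise ValueError("truncated or malformed event record")
    name = lambda table, v: table.get(v, f"0x{v:02x}")
    return {"length": length, "version": f"{data[3] >> 4}.{data[3] & 0xF}",
            "sts": name(STATUS, data[4]), "rsn": name(REASON, data[5]),
            "ctx": name(CONTEXT, data[6]), "eng": data[7]}

def parse_capture(text):
    """Return (config, state, events); config and state are None if the status line is absent."""
    hdr = re.search(r"HAB Configuration: (0x[0-9a-f]+), HAB State: (0x[0-9a-f]+)", text, re.I)
    config, state = (int(hdr[1], 16), int(hdr[2], 16)) if hdr else (None, None)
    events = []
    # Only the bytes after "event data:" are read, so the "(0x33)" in the STS line is ignored.
    for m in re.finditer(r"event data:\s*((?:0x[0-9a-f]{2}\s*)+)", text, re.I):
        events.append(decode_event([int(b, 16) for b in m[1].split()]))
    return config, state, events

def safe_to_close(text):
    """Fail closed: require a status line and zero events before setting the closed state."""
    config, state, events = parse_capture(text)
    return config is not None and not events
```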
