Create a second stage HAB authenticated application image (bootloader + app)

rd24 · ‎05-04-2026

Hi,

I am trying to create a two stage secure boot work flow on i.MXRT1040. I have a custom bootloader and an application. I want the ROM code HAB to authenticate the bootloader and the bootloader to use HAB API to authenticate the application.

I am using MCUXpresso Secure Provisioning Tool v25.12 for signing the images. Both bootloader and application images are XIP Flash images.

Below is my Flash layout:

Custom bootloader at address 0x60000000, authenticated by ROM HAB Code
Application at address 0x600C0000, to be authenticated by bootloader using HAB API

  /* Bootloader flash memory */
  m_flash_cfg_bl        (RX)  : ORIGIN = 0x60000000, LENGTH = 0x00001000
  m_ivt_bl              (RX)  : ORIGIN = 0x60001000, LENGTH = 0x00001000
  m_intrs_flash_bl      (RX)  : ORIGIN = 0x60002000, LENGTH = 0x00000400
  m_text_bl             (RX)  : ORIGIN = 0x60002400, LENGTH = 0x0007DC00

  /* Application flash memory */
  m_flash_cfg_app       (RX)  : ORIGIN = 0x600C0000, LENGTH = 0x00001000
  m_ivt_app             (RX)  : ORIGIN = 0x600C1000, LENGTH = 0x00001000
  m_intrs_flash_app     (RX)  : ORIGIN = 0x600C2000, LENGTH = 0x00000400
  m_text_app            (RX)  : ORIGIN = 0x600C2400, LENGTH = 0x000FDBA0

I have achieved the 1st stage where the ROM code authenticates the bootloader and I don't get any HAB events.

For the application, I am currently using the blinky example from the RT1040 SDK and compiled bin file is about 13 KB. When I sign this bin using the SEC GUI tool, the signed binary becomes 788 KB. I am using start address parameter as 0x600C0000. This is not the case for the bootloader signed bin as the start address is 0x60000000.

I inspected the application's bin file and found at offset 0 the Image Vector Table (IVT) exists and the program code starts offset 0x000BF000, in between everything is zeros. I expect the program code to start 0x1000 bytes after the IVT as per the linker script provided above (which is the case for the bootloader signed bin). If I flash this application binary at Flash location 0x600C0000, then my bootloader will not be able to start the application as there will be zeros at the jump address.

So, my questions are:

Is this bootloader + app HAB workflow possible and supported by the SEC tool?
If yes, how can I create the correct signed binary for my application using this tool?
Are there any other tools I should use for this scenario?

Thanks

Kan_Li · ‎05-07-2026

Hi @rd24 ,

We provide an example for your case, please kindly refer to https://github.com/nxp-mcuxpresso/mcuxsdk-examples/tree/release/25.12.00/ota_examples/mcuboot_openso... for details. The tools mentioned are tested with mcuboot so far, we haven't checked with any custom bootloader , so maybe you need some adaption here. To create a bootable app image by a secondary boot loader, you have to remove its IVT header as well as adjusting the starting address. Did you do these on the blinky example from the RT1040 SDK? Please kindly clarify.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

rd24

Hi Kan,

Sorry for the late reply.

I did some changes and now am able to build a smaller image with correct offset. Here is what I did:

1. First I generate the build script with this command:

securep -w /wksp/rt1040SecAppWksp1/ --device MIMXRT1040 --boot-device Winbond_W25Q64JW --boot-type authenticated_hab --life-cycle open_develop --script-only build --source-image iled_blinky.bin --start-address 0x600c1000 --img-cert crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem --save-settings

2. Then I modified the following configurations in `configs/imx_application_gen.yaml`

startAddress: 0x600c0000
ivtOffset: 0x0
initialLoadSize: 0x1000

3. Then I call the script `./build_image_lnx.sh` to build the signed image.

Now I am trying to authenticate the blinky signed binary from my bootloader, but getting HAB authentication failure when my bootloader is calling `hab_rvt::authenticate_image_no_dcd`. The audit log I get from the `hab_rvt::report_event` says HAB_INV_ADDRESS

DB 00 08 43 33 22 0A 00                           |  ...C3"..

This is the linker I modified for the blinky example:

MEMORY
{
  m_ivt                 (RX)  : ORIGIN = 0x600C0000, LENGTH = 0x00001000
  m_interrupts          (RX)  : ORIGIN = 0x600C1000, LENGTH = 0x00000400
  m_text                (RX)  : ORIGIN = 0x600C1400, LENGTH = 0x007FDC00
  m_qacode              (RX)  : ORIGIN = 0x00000000, LENGTH = 0x00020000
  m_data                (RW)  : ORIGIN = 0x20000000, LENGTH = 0x00020000
  m_data2               (RW)  : ORIGIN = 0x20200000, LENGTH = 0x00040000
}

As for your questions, I adjusted the startAddress to 0x600c0000. Could you please explain what you mean by "you have to remove its IVT header"? Please note the bootloader I am using to verify the blinky signed binary is not signed as of now.

Thanks,

Rohan