- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- i.MX Forums
- :
- i.MX RT Crossover MCUs
- :
- HAB authentication succeeds with WARNING (Unsupported Engine – DCP) on i.MX RT dual image setup1050
HAB authentication succeeds with WARNING (Unsupported Engine – DCP) on i.MX RT dual image setup1050
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
HAB authentication succeeds with WARNING (Unsupported Engine – DCP) on i.MX RT dual image setup1050
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am working on a secure boot implementation for the i.MX RT1050 MCU and would like to achieve dual image authentication — one for the second-stage bootloader and another for the application image, both located in external flash.
Setup Overview
SRK, IMG, and CSF certificates are generated using the NXP Secure Provisioning Tool (SPT).
The second-stage bootloader is signed and authenticated by the ROM using HAB.
The application image is stored after the bootloader in external flash and can be updated independently (e.g., via USB or OTA).
The second state bootloader calls the ROM HAB API to authenticate the application image before execution.
Implementation Details
Both images (bootloader + app) are signed with the same SRK/CSF key set.
Inside the second-stage bootloader, I invoke HAB authentication as follows:load_addr = (uint32_t)hab_authenticate_image_no_dcd(1, ivt_offset, image_start, bytes);
hab_image_entry_f hab_authenticate_image_no_dcd(uint8_t cid, uint32_t ivt_offset, uint32_t start, size_t bytes)
{
return g_habrvtTree->authenticate_image_no_dcd(cid, ivt_offset, (void **)&start, (size_t *)&bytes, NULL);
}
The authentication works — the function returns a valid reset handler address, confirming that the image is successfully verified.Issue: HAB WARNING (Unsupported Engine – DCP)
After successful authentication, I query the HAB status and event log using hab_rvt_report_status() and hab_rvt_report_event().
Although authentication passes, I consistently receive a HAB WARNING instead of HAB_SUCCESS.Example output:
Hab rvt report status = 0x69, config = 0xcc, status = 0x99
Report event #0 -> 0xf0
[HAB EVENT #0] (44 bytes):
DB 00 2C 43 69 0A C0 00 CA 00 24 00 02 C5 1B 00 ...When decoding this event per the HAB4 documentation, it indicates:
0x69 → Warning
0x0A → Unsupported Engine
0xC0 → Event logged in hab_rvt.run_csf()
The sequence 02 C5 1B 00 maps to:
Image key verification index
Protocol: HAB_PCL_CMS
Engine: DCP
Default configuration
From this, I understand that the ROM reports a Warning because it tries to use the DCP engine during CSF execution, but DCP is not properly initialized or available in my second-stage bootloader context.
What I’ve Tried
I’ve manually initialized DCP using the SDK driver:
DCP_Init(DCP, &config);(with all channels enabled and default settings)
However, the warning persists — authentication succeeds, but the event log still reports an Unsupported Engine (DCP).
Questions
How does the ROM initialize and use the DCP during the primary HAB authentication SSB process ?
Is this WARNING expected or benign when calling HAB ROM APIs manually?
- Is it possible to invoke the ROM HAB authentication API from a custom bootloader and achieve HAB_SUCCESS (no warnings), or is this warning expected when using the ROM HAB API outside of the initial boot context?
diego_charles
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for reaching out!
Before diving further, could you manually modify the BD files to have the Header_Engine as any? Then let me know your results
Edit: after you update the bd file, as shown above, build the image again, beware of the SPT auto generating BD files when build image button. To avoid this you can run manually the build_image script from the project workspace. Then write the new image into the processor.
Please let me know if you see any changes.
Diego
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, thank you for the suggestion.
I already manually modified the BD files and set the Header_Engine field to any, but the result is still the same. I'm still receiving a HAB warning during authentication.
Below is the relevant part of my code (after hab exit) showing how I read the HAB events:
status = hab_exit();
log_printf("Hab exit status: 0x%x \r\n", status);
#if defined(CONFIG_HAB_CLOSE)
status = hab_rvt_report_status(&config, &state);
log_printf("Hab rvt report status = 0x%x, config = 0x%x, status = 0x%x \r\n", status, config, state);
#endif
__attribute__((section(".ocram_data"))) static uint8_t event_data[128];
log_printf("Event data ocram address: %x\n", &event_data);
size_t evt_bytes = sizeof(event_data);
uint32_t index = 0;
memset(event_data, 0, sizeof(event_data));
hab_status_t evt_status;
do
{
evt_bytes = sizeof(event_data);
evt_status = hab_rvt_report_event(HAB_WARNING, index, event_data, &evt_bytes);
log_printf("Report event #%d -> 0x%x\r\n", index, evt_status);
if (evt_status == HAB_SUCCESS)
{
log_printf("[HAB EVENT #%d] (%d bytes): ", index, evt_bytes);
for (uint32_t i = 0; i < evt_bytes; i++)
{
log_printf("%02X ", event_data[i]);
}
log_printf("\r\n");
index++;
}
} while (evt_status == HAB_SUCCESS);
diego_charles
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for taking a time to look on your side!
On the past , I have removed the HAB API warnings by changing the engine from DCP to ANY on all of my BD files, on the past on the RT1060. So I need to investigate further with you.
Could you share me your BD files, or any other related but over support ticket ? This would help us to protect any information. Please create a new support ticket, by navigating to https://support.nxp.com/s/?language=en_US Please make reference to this case and my name so I can track the ticket.
Diego
diego_charles
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
