
i.MX 6 HAB Operation With SDP

Question asked by Todd Goodman on Nov 17, 2015
Latest reply on Jan 8, 2016 by Todd Goodman



I'm working on HAB (Secure Boot) and have managed to get it working successfully (so far) with the "regular" booting of the i.MX 6 from eMMC and the signed u-boot on eMMC.


However, our own manufacturing tool uses the Serial Download Protocol (SDP) of the i.MX 6 for initial programming (we don't use the Freescale mfgtool) and I'm running into problems with HAB and signing our manufacturing u-boot image.


Bootstrapping the i.MX 6 for our manufacturing is done quite similarly to the imx_usb Linux tool on this site.  It uses libusb to use SDP commands (mostly WRITE_REGISTER, WRITE_FILE, and JUMP_ADDRESS commands) to manually push the DCD settings from u-boot, load the Linux kernel and initramfs and then load u-boot and jump to the entry.


I think part of my problems with HAB are the processing of the DCD locally and using write_register to write out the required DCD values to the addresses.


I look at the mfgtool code and see that it uses the SDP DCD_WRITE to transfer the entire DCD table to OCRAM (0x00910000) and then have the ROM process it from there.


In the CSF examples I've seen for u-boot with mfgtool there needs to be a 0x00910000 block defined in the CSF.


What I'm trying to understand is what SDP commands cause something HAB related to run in the ROM and what that is.


In other words, what SDP commands cause the ROM to begin HAB processing?  JUMP_ADDRESS?  WRITE_FILE?  When using the SDP commands, how does the HAB ROM code find the IVT?


I haven't found this information in the HABv4 API manual or the i.MX 6 Reference Manual.  It looks like HAB can reject the address of a WRITE_FILE since the i.MX 6 Reference Manual text regarding the WRITE_FILE SDP command indicates the host sends an ERROR_STATUS command to query if HAB has rejected the address.


When using SDP, how does HAB find the IVT and when does it process the CSF?


Thank you,
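
The host-side DCD handling described in the question (walking the DCD taken from the u-boot image and issuing one WRITE_REGISTER per entry) is sketched below as an added example; it is not part of the original post and not code from imx_usb or mfgtool. The 16-byte SDP command layout and the DCD tag, length and flag encoding are assumptions taken from the i.MX 6 Reference Manual and the HABv4 documentation; `dcd_to_sdp`, `sdp_write_register` and the sample table are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample DCD (not a real board's settings): two 32-bit writes. */
static const uint8_t sample_dcd[] = {
    0xD2, 0x00, 0x18, 0x40,             /* DCD header: tag, length 24, version */
    0xCC, 0x00, 0x14, 0x04,             /* Write Data: length 20, flags 0, 4 bytes */
    0x02, 0x0E, 0x07, 0x98, 0x00, 0x0C, 0x00, 0x00,   /* address, value */
    0x02, 0x1B, 0x00, 0x1C, 0x04, 0x00, 0x80, 0x32 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Fill one 16-byte SDP WRITE_REGISTER (0x0202) command; all fields big-endian. */
static void sdp_write_register(uint8_t out[16], uint32_t addr, uint32_t val, unsigned width) {
    memset(out, 0, 16);
    out[0] = out[1] = 0x02;             /* COMMAND TYPE */
    put_be32(out + 2, addr);            /* ADDRESS */
    out[6] = (uint8_t)(width * 8);      /* FORMAT: access width in bits */
    put_be32(out + 7, width);           /* DATA COUNT in bytes */
    put_be32(out + 11, val);            /* DATA; byte 15 is reserved */
}

/* Returns the number of commands written to cmds, or -1 if the DCD is malformed
 * or holds anything other than plain writes (masked set/clear, Check Data, NOP),
 * which a single WRITE_REGISTER cannot reproduce. */
int dcd_to_sdp(const uint8_t *dcd, size_t len, uint8_t (*cmds)[16], int max) {
    if (len < 4 || dcd[0] != 0xD2) return -1;
    size_t total = ((size_t)dcd[1] << 8) | dcd[2];
    if (total < 4 || total > len) return -1;
    int n = 0;
    for (size_t off = 4; off < total; ) {
        if (total - off < 4 || dcd[off] != 0xCC) return -1;
        size_t clen = ((size_t)dcd[off + 1] << 8) | dcd[off + 2];
        unsigned width = dcd[off + 3] & 0x7, flags = dcd[off + 3] >> 3;
        if (flags != 0 || (width != 1 && width != 2 && width != 4)) return -1;
        if (clen < 4 || clen > total - off || (clen - 4) % 8 != 0) return -1;
        for (size_t p = off + 4; p < off + clen; p += 8) {
            if (n >= max) return -1;
            sdp_write_register(cmds[n++], be32(dcd + p), be32(dcd + p + 4), width);
        }
        off += clen;
    }
    return n;
}
```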