I'm working on a secure boot for an i.MX6q platform. My u-boot is splitted into SPL and u-boot.img.
SPL is signed and I have 0 HAB event pending at this point. I added a call to the authenticate function in the SPL, to try to check a signed u-boot.img but I get a "hab fuse not enabled" message. In the code I see that authenticate_image only call the HAB if the fuse is burnt.
I removed this test and the SPL tries but fails to check u-boot.img (it fails in hab_rvt_authenticate_image).
1) why is the authenticate_image only designed to work if the fuse is burnt ? can't we try to check the signature of a second stage boot without burning the fuse ?
2) any idea with the hab_rvt_authenticate_image, called from the SPL, might not return ?