Signing firmware part by part

Question asked by Prashan Weerasinghe on Apr 26, 2017
I am currently working on performing secure boot on imx6ul using habv4. In my system the firmware is separated into two parts other than the boot loader. One is with kernel+rootfs (Part A) and the other part contains some critical application services (Part B) provided by another party (it’s mounted as a separate partition to the OS). The idea is to bug fix or change one part and flash it to the system without touching or bothering about the other.

I followed the steps provided by NXP and successfully signed and verified the boot loader and the complete firmware part (Part A + Part B) without any HAB events.

But when signing the kernel + rootfs + critical app part (Part A + Part B), since all the signature information is given in a single CSF file which is embedded in the final image, I will not be able to write Part A (kernel+rootfs) or Part B (critical app part) separately after changing one part. How can I sign the two parts separately so I can update only the relevant part and its respective signature?

