I am using the (MBU) MCU Boot Utility v2.2.0 with an iMXRT1021 target and the following selections...
- Serial Port UART
- BEE Encrypted Image Boot
- Boot Device Configuration - Quad mode = "Set StausReg1" (enable write)
- Fixed Otpmk(SNVS) Key
- Advanced Key Settings - User Defined region - 0x60002000, 0x3f6000
Using the "All-in-one Action", I re-use SRKs etc, generate the signed bootable image, download and blow fuses.
Disconnect serial port and power cycle, at this point the target should boot up, which it fails to do.
I tried many things to resolve this issue and found the problem is with the HAB secured boot. To prove this, I used the SRK keys and generated image from the the MBU and mimicked the download commands using the BLhost application. I sent every command with the exception of not blowing SEC_CONFIG_1 fuse i.e. HAB security=open.
Now the target boots up and runs normally with BEE encrypted code, so my questions are...
1. Why does the secure HAB reject the image+csf generated by the Utility tool?
2. Why does the MBU force the HAB to be closed? (this action is part of the image download).
The documented advice from NXP is to leave the HAB open during development, so the tool should reflect this and allow for some end user control.
I have run the demo app on the 1020EVK and it boots ok with encryption, so why the problem with my target?