
MCU Boot Utility, iMXRT1021, BEE Encryption - boot issue

Question asked by Tony Thurgood on Mar 4, 2020
Latest reply on Apr 1, 2020 by Kerry Zhou

I am using the (MBU) MCU Boot Utility v2.2.0 with an iMXRT1021 target and the following selections...

  • Serial Port UART
  • BEE Encrypted Image Boot
  • Boot Device Configuration - Quad mode = "Set StausReg1[6]"  (enable write)
  • Fixed Otpmk(SNVS) Key
  • Advanced Key Settings - User Defined region - 0x60002000, 0x3f6000


Using the "All-in-one Action", I re-use SRKs etc, generate the signed bootable image, download and blow fuses.

Disconnect serial port and power cycle. At this point the target should boot up, which it fails to do.


I tried many things to resolve this issue and found the problem is with the HAB secured boot. To prove this, I used the SRK keys and generated image from the MBU and mimicked the download commands using the BLhost application. I sent every command with the exception of not blowing SEC_CONFIG_1 fuse i.e. HAB security=open.


Now the target boots up and runs normally with BEE encrypted code, so my questions are...

1. Why does the secure HAB reject the image+csf generated by the Utility tool?

2. Why does the MBU force the HAB to be closed?  (this action is part of the image download).


The documented advice from NXP is to leave the HAB open during development, so the tool should reflect this and allow for some end user control.

I have run the demo app on the 1020EVK and it boots ok with encryption, so why the problem with my target?