AnsweredAssumed Answered

HAB in Uboot 2019.07

Question asked by DEVEN SOLANKI on May 20, 2020
Latest reply on May 22, 2020 by Yuri Muhin

Hi Community,


Here are my environment details,  i.MX6Quad 1GB module, Kernel: 4.9, Uboot: 2019.07.

I am trying to get Secure boot. I am following documents like AN4581 and High Assurance Boot (HAB) for dummies .


Here is a procedure which I follow,

A) Compiled Uboot with CONFIG_SECURE_BOOT enable. and make V=1.

B) Run in Code Signing Tool release version 3.1.0.

$ ./


$ ../linux64/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c \

./SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1


$ hexdump -e '/4 "0x"' -e '/4 "%X""\n"' < SRK_1_2_3_4_fuse.bin










C) Generate CSF binaries for SPL and u-boot-ivt.img as below. For CSF file see the attachment.

$ ./cst --o  csf-SPL.bin --i csf-uboot-SPL
CSF Processed successfully and signed data available in csf-SPL.bin

$ ./cst --o csf-uboot-ivt.bin --i csf-uboot-ivt
"CSF Processed successfully and signed data available in csf-uboot-ivt.bin


D) Concat both CSF binaries.

$ cat u-boot-ivt.img csf-uboot-ivt.bin > u-boot-ivt_signed.img

$ cat SPL csf-SPL.bin > SPL_signed


E) Flashed SPL_signed and u-boot-ivt_signed.img in module.


F) Programmed the fuse in Uboot with fuse command.

-> fuse prog -y 3 0 0x94153933 (similar for other banks also with respected values.)


Now I checked hab_status and I got as below,

-> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

No HAB Events Found!



Still, I didn't close the device. Because I have below doubts related to that,

1. Which binary should I sign?

I am getting executables like u-boot-dtb.img , u-boot-ivt.img, SPL . I am confused which to sign.


2. Can I use directly the concatenated image(SPL_signed) as below?

$ ./cst --o csf-SPL.bin --i csf-uboot-SPL

$ cat SPL csf-SPL.bin > SPL_signed


In some documents, to align the image they are filling junk value with objcopy command. Whether it is required here also?


3. How can I confirm whether I did all steps correctly or not?


4. Is it mandatory to use signed Kernel image ? Can I use only signed Uboot alone?


5. How to sign the Uboot for imx_usb_loader?



Thanks in advance