Is CONFIG_IMX_HAB option in U-Boot unbootable from NAND without burning fuses in i.MX6?

JohnKlug · ‎04-30-2021

We are trying to go as far as we can with HAB without burning fuses, as we have very few boards working so far in our project.

If I add CONFIG_IMX_HAB to U-Boot without blowing fuses, U-Boot boots from USB, but not from NAND flash (no console messages). If I burn without CONFIG_IMX_HAB, with the same uuu.auto, everything works great.

Are there fuse requirements to boot CONFIG_IMX_HAB enabled U-Boot?

I am using identical uuu.auto files except for the U-Boot image in both the working and non-working cases. Something must have been written to flash, because when I boot, the Freescale USB device does not show up on my PC.

I used the U-Boot menuconfig program to add HAB to U-Boot. The following lines were added to U-Boot (not shown in context):

CONFIG_IMX_HAB=y
# CONFIG_FSL_MFGPROT is not set
CONFIG_SYS_FSL_HAS_SEC=y
CONFIG_SYS_FSL_SEC_COMPAT=4

JohnKlug · ‎06-02-2021

Here is the solution to the problem I was having. Word 0x24 of the U-Boot image gives the length of the U-Boot image after signing:

$ od -j 0x24 -N4 -An -X u-boot.imx
 000a4060
objcopy -I binary -O binary --pad-to 0xa4060 --gap-fill=0xff u-boot-nand-signed.imx  u-boot-nand-signed-pad.imx

Without the padding, the boot fails.

View solution in original post

JohnKlug · ‎06-02-2021

Here is the solution to the problem I was having. Word 0x24 of the U-Boot image gives the length of the U-Boot image after signing:

$ od -j 0x24 -N4 -An -X u-boot.imx
 000a4060
objcopy -I binary -O binary --pad-to 0xa4060 --gap-fill=0xff u-boot-nand-signed.imx  u-boot-nand-signed-pad.imx

Without the padding, the boot fails.

BenSu · ‎09-25-2021

That's great, JohnKlug.

I pad the image and it boots up.

Why NXP does not list the option out?

Thanks

BR

Ben

JohnKlug · ‎04-30-2021

Related to how to test things without burning fuses, I see the following in U-Boot help:

hab_failsafe- run BootROM failsafe routine

So is it possible to set the fuse shadow registers, execute the hab_failsafe command, and get a secure boot to be simulated without burning fuses? Is this documented anywhere?

joanxie · ‎05-07-2021

refer to the uboot source code, you can set sec_boot=y in the uboot via define the CONFIG_AHAB_BOOT to enable AHAB

#ifdef CONFIG_AHAB_BOOT

#define AHAB_ENV "sec_boot=yes\0"

#else

#define AHAB_ENV "sec_boot=no\0"

#endif

"https://source.codeaurora.org/external/imx/uboot-imx/tree/include/configs/imx8qxp_mek.h?h=imx_v2020...."

JohnKlug · ‎05-11-2021

CONFIG_AHAB_BOOT is an i.MX8 AHAB feature according to U-Boot. i.MX6 is not mentioned.

It would be nice if there was an up to date document on how to build U-Boot and sign it for the i.MX6ULL processor.

joanxie · ‎05-12-2021

for imx6, one can use CONFIG_SECURE_BOOT in the board.h file to enable the security boot in uboot

BenSu · ‎09-25-2021

"Steps must be taken to remove support in customer application software if the end product is not using HAB API at all.
For instance, U-Boot users must ensure CONFIG_SECURE_BOOT is not being selected in their build environment."

That's in point 3 in section 5 Security considerations in AN12263.pdf.

Can we enable CONFIG_SECURE_BOOT?

BR

Ben