imx8m nano - secure boot - hab issues

711 Views
kippowens
Contributor IV

Hi,

I'm trying to get secure boot up and running on our custom imx8m nano board (that is VERY similar to the imx8m nano ddr4 evk). I believe I've followed all the appropriate steps, but continue to see HAB issues.

Environment is matched very closely to the following nxp-imx repos / branches:

  • u-boot: lf_v2023.04
  • mkimage: lf-6.1.55_2.2.0
  • atf: lf_v2.8

I've attached files for the mkimage logs, csf_fit.txt, csf_spl.txt, csf_fit_fdt.txt, and my u-boot output. Here are the issues I'm seeing:

u-boot=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xbd 0xc0
0x00 0x00 0x00 0x20

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x14 0x45 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x40 0x1f 0xad 0xc0
0x00 0x00 0x00 0x04

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)


--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x34 0x45 0x33 0x18 0xc0 0x00
0xca 0x00 0x2c 0x00 0x02 0xc5 0x1d 0x00
0x00 0x00 0x0b 0x50 0x40 0x1f 0xad 0xc0
0x00 0x00 0x10 0x20 0x40 0x20 0x00 0x00
0x00 0x0c 0xa1 0xe0 0x40 0x2c 0xa1 0xe0
0x00 0x00 0x97 0x90 0x00 0x96 0x00 0x00
0x00 0x00 0xa8 0xc0

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)

Perhaps of note, I'm booting from spi-nor, so I have an fspi_header in the mix.  I've fused the keys, but have not closed the device.

Any idea of where I could have gone wrong here?  It seems to imply I'm not signing the IVT and entry word (but each should be included in the blocks provided)?  And then all of my entries are failing the signature test?

#habv4 #hab #secure_boot #imx8mn #imx8m

0 Kudos
2 Replies

628 Views
Harvey021
NXP TechSupport

Hi 

I suggest checking whether the entry point IVT load address in the IVT is within the verification range. Note that the QSPI must have an offset of 0x1000; when signing, the address set must also be set according to this offset.

Regards

Harvey

0 Kudos

612 Views
kippowens
Contributor IV
Hi Harvey - thank you for the reply! Unfortunately I've lost my part due to some other bring-up activities, but will be jumping back into this today. The QSPI/FSPI header offset was looking good and everything was booting correctly - it appeared to just be having HAB issues. Can you elaborate on the verification range? Is that documented somewhere and I missed it? Apologies if so. I'll get more data out to you in the next couple days. Thank you again for your reply!
0 Kudos
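
The event bytes in the first post can be decoded to compare the asserted regions against the block list of the failing command. This is an added example, not code from the posters or from NXP; the function names are hypothetical, and the record layouts (event header, assertion data as type/address/length, Authenticate Data command as header, key/protocol/engine/config, signature offset, then address/length pairs) are assumptions to check against the HAB4 API documentation.

```python
import struct

# Event records copied from the hab_status output in the thread.
EVENT1 = bytes.fromhex("db001445330ca000" "00000000401fbdc0" "00000020")
EVENT2 = bytes.fromhex("db001445330ca000" "00000000401fadc0" "00000004")
EVENT3 = bytes.fromhex(
    "db0034453318c000" "ca002c0002c51d00" "00000b50401fadc0" "0000102040200000"
    "000ca1e0402ca1e0" "0000979000960000" "0000a8c0")

def parse_event(raw):
    """Split a HAB event record: 4-byte header, then STS, RSN, CTX, ENG, data."""
    tag, length, version = struct.unpack(">BHB", raw[:4])
    if tag != 0xDB or length != len(raw):
        raise ValueError("not a complete HAB event record")
    sts, rsn, ctx, eng = raw[4:8]
    return {"version": version, "sts": sts, "rsn": rsn, "ctx": ctx,
            "eng": eng, "data": raw[8:]}

def assertion_region(event):
    """Assumed layout for HAB_INV_ASSERTION data: type, address, byte count."""
    _kind, start, size = struct.unpack(">III", event["data"][:12])
    return start, size

def auth_data_blocks(event):
    """Decode the Authenticate Data command echoed in a HAB_CTX_COMMAND event."""
    data = event["data"]
    tag, length, _flags = struct.unpack(">BHB", data[:4])
    if tag != 0xCA or length > len(data):
        raise ValueError("event data is not an Authenticate Data command")
    key_index = data[4]  # followed by protocol, engine, engine config
    words = struct.unpack(">%dI" % ((length - 8) // 4), data[8:length])
    blocks = list(zip(words[1::2], words[2::2]))  # (address, length) pairs
    return key_index, words[0], blocks            # words[0]: signature data offset

def covered(region, blocks):
    """True if the region lies wholly inside one signed block."""
    start, size = region
    return any(b <= start and start + size <= b + n for b, n in blocks)

if __name__ == "__main__":
    key, sig_offset, blocks = auth_data_blocks(parse_event(EVENT3))
    print("key index %d, signature data offset 0x%x" % (key, sig_offset))
    for addr, size in blocks:
        print("  block 0x%08x len 0x%x" % (addr, size))
    for raw in (EVENT1, EVENT2):
        region = assertion_region(parse_event(raw))
        print("assert 0x%08x+0x%x covered: %s" % (*region, covered(region, blocks)))
```

On the thread's data, both asserted regions (events 1 and 2) fall inside the first block of the Authenticate Data command reported in event 3, so the CSF does list them; the command itself is what failed signature verification.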