Hab imx6. I followed document provided by freescale (AN4581.
Hab imx6. I've followed the steps mentioned in the docs .
- Hab imx6 sh (n,2048,10,n) cd . MX6Q processor. 20e000c access in userspace and target in supervisor. for imx6, one can use CONFIG_SECURE_BOOT in the board. MX6 to validate uImages. The complication I have is that my SOM vendor has their own branch of U-Boot source, and they have their own assembler source and linker script which creates the IVT and CSF data in the binary image - they don't use the 'imximage' generation of U-Boot's mkimage tool. According to security manual of IMX6 and also according to all documentation it seems this is possible. The longer this period the more likely it is that RNG4 will generate entropy that will pass its internal statistical tests. Does NXP have burned keys in to the IMX. 0 (or lower), the HAB code locks the job ring I programmed the SPI flash on the board, and it boots U-Boot properly, but the hab_status command results in. Now I fused HW_OCOTP_SRK(0-7) with fuse binary values. This didn't make a lot of sense because I used the 'HAB Blocks' values from u-boot. I am using 4096 whereas the documentation takes 2048. 07. For that, it is necessary to generate a pair of keys (public and private), sign the bootloader with the private key and store the public key inside the SoC. For this function I use the HAB function hab_status_t(* hab_rvt::run_csf)(const uint8_t *csf, uint8_t cid). /hab4_pki_tree. Then it is renamed as `u-boot_prod. 0 with Yocto. log for the authenticate data Hi Wee Do, Looking at the log, it seems that the problem is an invalid key. However we can't read SFRs: > mdw 0x20e000c. For more information, Hi, I'm currently trying to use HAB on a board specific using iMX6DL with u-boot 2014. The OEM can utilize it to make their product reject any system image which is HAB is an optional feature in the i. Hi freescale team, Thanks for your support. 1.
Dear community, I am working on enabling secure boot or HAB on IMX6 version silicium 1. MX 6 series chips provide the High Assurance Boot (HAB) feature that meets this requirement. I assume the authentication will be successful only when HAB first verifies the SRK table. 5 Generate Public Key Infrastructure (PKI) tree; 3. As it is not a good idea to store the key in plain, we use the DCP or CAAM for crypting the raw key and get a key blob we can store in the SPI NOR. imx_hab_authenticate_image() calls get_hab_status(), which prints all HAB events (including previous), which can only be cleared by restarting the board. I’m using the Toradex Embedded Linux BSP 3. Table 4. So I installed CST, read the docs and started generating keys but I am not sure whether I need/can use fast authentication or not. CSF: Command Sequence File; CST: Code-Signing Tool; DCD: Device Configuration Data; DEK: Data Encryption Key; HAB: High Assurance Boot; IVT: Image Vector Table; SRK: Super Root Key; The HAB library is a sub-component of the boot ROM on i. /update. report_event 0x20 hab_rvt. ?. For simplicity and clarity, this guide and examples have been made on i. authenticate_image is used by U-Boot to authenticate zImage. In u-boot, run hab_status command. 05 VM. For simplicity and clarity, this guide and examples have been made on The hab_status U-Boot command calls the hab_report_event() and hab_status() HAB API functions to verify the processor security configuration and status. Enabling HAB is as easy as checking a box in our BSP catalog. I'm using U-Boot 2019. *Verification index = 2Blocks = 0x00910000 0x2C 0x13A "U-Boot-pad. Hi Everyone, I’m trying to set up a Secure Boot with HAB V4 on the Colibri iMX6S 256MB IT. I have a board with an imx6 processor set in closed configuration (for secure boot). Now my *hab_status* command not giving HAB events. The guide above is out of date, and missing information. MX processors with HAB version 4. 3. NOTE For devices with HAB 4.
The answer is HAB (High Assurance Boot). device if the module is in recovery mode. I then programmed the SRK hash values to efuses. bin"* In many freescale community threads i have observ 1. MX applications processors that support High Assurance Boot version 4 (HABv4). MX processors. Indeed, the i. But there are some conflicting thread responses -> Tamper function in i Hi all, I am working on HAB feature of imx6. SRK Hash is programmed in the SoC SRK_HASH[255:0] fuses. How to prepare new SD card for iMX6 sabre lite board for running linux. MX 6Dual, 6Quad, 6Solo, and 6DualLite Families of Applications Processors, Rev. MX fuses can be burned only once. MX6Q Nitrogen6x so it applies This application note explains how to perform a secure boot on i. The reason for the fuses is HAB (in the Closed configuration only) instantiates the RNG by default and needs some external indication on how to program the RNG4 in CAAM to ensure the internal HW statistical tests will pass. precisely i want to sign barebox with CST tool and enable HAB so it authenticates it I have some questions regarding the process : - If i close the device to activate the HAB is it Hi @ciaran_lequeux,. Hi, I am reading the document i. 1 (or higher) that use the CAAM cryptographic accelerator engine. Some notes: I am using a signed and encrypted U-Boot. Also, HAB persistent memory can be read and parsed to get these events (in case hab_status command is not available) md. At reset the HW will populate the sbmr register from the appropriate source depending on the value of GPIO_FUSE_SEL. In order to check Events generated by HAB there are various methods that can be used: 1. I have some questions regarding the process : - If i close the device to activate the HAB is it possible to reopen it (to deactivate HAB)? And indeed the fuse_read() function seems to be only defined for iMX8, even if the doc says this should be supported from iMX6 to 8.
Apalis iMX6 # Result: HAB_WARNING (0x69), "No HAB Events found!" message missing. HAB is part of Freescale security HAB is an optional feature in the i. We have spent several days trying to understand HAB and how we would get it to work with Eboot. We got same 64 bit value on two different boards, how it is same value? Hi Yuri, Thanks for your reply, I followed all the steps mentioned in that thread. 0, 01/2013 which mentions how to use the HAB on the i. csf file and signed my own u-boot image using it (lets call it IMAGE 2 ). This is a capability built into on-chip ROM responsible for loading the initial program image, usually the first stage bootloader, from the boot medium. 3 Download and unpack the Freescale Code Signing Tool (CST); 3. dtb and initrd. y for the Apalis imx6 som. I won't cover the purpose of secure boot or the This post intends to provide all the information you need to understand and use the HAB (High Assurance Boot) on your Ezurio (formerly Boundary Devices) Nitrogen8 platform. bin compiled in our build. bin file with what image we can append this csf. MX6 product in a single bootloader and it ended up by enabling SPL with pre-existing HAB feature for it. ". I read CST_UG. The rootfs is crypted with dm-crypt with AES-128-GCM. L3. 0 How to configure when compiling Uboot? 0 Hello, Currently i am working on HAB support in imx6 for u-boot and my u-boot version is 2014. The class crypt-fs. ? After performing all the steps I have described below, I typed hab_status in the U-boot command prompt. csf [Header] Version = 4. From searching the forums it seems that some people have successfully done this but no details were provided. MX7 series the U-Boot provides extra functions for HAB, such as the HAB status logs retrievement through the hab_status command and support to extend the root of trust. Therefore, when I follow the In the HAB architecture, the SRK Table is included in the CSF binary and the.
We can read DRAM registers (we're using Philip's config): > mdw 0x80000000. /crts By answering 'n' to the last question, the PKI HAB generates events when processing +the commands if it encounters issues. I've followed the steps mentioned in the docs # Key slot index used to authenticate the key to be installed Verification index = 0 # Target key slot in HAB key store where key will be installed Target Index = 2 # Key to install File= ". pdf) . HAB Report Status: 0x69 (MX6DQP: 0, MX6DQ, 1, SOC_REV: 0x16, HAB_RVT_BASE: 0x00000098) HAB Configuration: 0xf0, HAB State: 0x66. How can I extend this secure booting feature for kernel Image? For kernel image authentication also, can I follow the same steps used for signing the u-boot using CST tools. And looking at your procedure, I believe the problem is here: cd keys . Hi, I'm trying to boot a i. get_hab_status is used to dump information of authentication result. The i. c. run . 0x80000000: d067b2ad. This mechanism permits only that authentic/original software is executed. U-Boot > hab_status. If I add. MX 6 Series in Open configuration, the HAB always skips the verification of the SRK table, regardless of whether the SRK fuse field has been provisioned or not. Hi Jocelyn, For #2. OK In: serial@2020000 Out: serial@2020000 Err: serial@2020000 Model: Toradex 0035 Apalis iMX6D 1GB IT V1. Hello everyone, may I ask whether anyone has used DDR3-1866 on the IMX6Q? Recently, when using DDR3-1866 on an imx6q board, using the stress test tool V2. The Host is an Ubuntu 18. HAB on iMX doesn't verify the certificate period, so a signed image will continue to boot on closed (locked) independent of certificate period set with CST tool. +This command displays any events that were generated during the process. For security hardware to work, CAAM related clocks (CG0[4~6]) must be open. MX SOC family, which allows you to make sure only software images signed by you can be executed on the SOC. lds to insert the CSF or hab_data, I cannot find any info about __hab_data in my u-boot sources, nor changes in lds script.
Based on parsed output from csf_parser I've created a . bin`. MX 6 SoC, phyboard-mira-imx6-5 machine with activated Secure Boot: Barebox: barebox-s. 1 Toolchain installation for out of Yocto builds; 3. Secure boot disabled. MX6: DCD and plugin. xlsx for configuration, following what Artur Petukhov said in the post DDR3 calibration for MT41K256M16TW-107: “For Data Rate options of 1600 and faster use the 1600 value. precisely i want to sign barebox with CST tool and enable HAB so it authenticates it I have some questions regarding the process : - If i close the device to activate the HAB is it possible Apalis iMX6 with the Ixora Carrier Board. In the original U-Boot, these clocks are closed by default. I'm trying to implement secure boot on a custom imx6 solo board. xml from branch kirkstone-6. My device is closed and signing works perfect but when i try to I am trying to boot u-boot securely by implementing HAB. You said it is not recommended to close it. In Imx6 series processors, in order to make HAB to authenticate boot image (for eg: u-boot), we need to call HAB APIs from u-boot directly? *PATCH v3 01/10] nvmem: ocotp: add support to get/set srk_revoke sticky bit 2025-01-23 14:56 [PATCH v3 00/10] i. MX requires the u-boot image to be created in a specific layout as shown in figure 1. This command displays any events that were generated during the process. Here adding a configuration in apalis_imx6_defconfig of u-boot-toradex CONFIG_SECURE_BOOT=y Meanwhile, we tried for reading OCOTP_CFG0, OCOTP_CFG1 register values in two imx6 DL boards. MX 8MQ, i. omar_aberkan. ROM/HAB allocates certain memory regions in Internal RAM (OCRAM) for HAB logs. 2 Build U-Boot with secure boot support; 3. I have some documentation on the process. it Fri Nov 21 01:47:08 PST 2014.
The DCD (Device Configuration Data) is a configuration information In a lot of doc there is change to be made to either flash_header. bbclass performs the needed steps to crypt the FS image. I just want to know, how the ROM will know, if HAB is enabled or not? Will ROM check for HW_OCOTP_CFG5 fuse or SRK fuses to check if HAB is enabled or not? While testing, I have not fused both the above things (and by default, HAB is in open c The ROM code inside the iMX6 SoC, using the HAB component, will check the signature of the bootloader. Here is my CSF file [Header] Version = 4. MX 6 Linux High Assurance Boot (HAB) User's Guide, Rev. ” for the configuration. Hi Freescale Support Team, In Imx6 series processors, I know that the CAAM (in software) is a kernel driver, I want to use it in userspace with Hi All, I have some queries below on imx6 security feature : 1. HAB uses public key cryptography, specifically RSA keys, to authenticate the image executed at boot time. The first step is to generate a U-Boot image supporting the HAB features, similar to i. MX 8M About using public and private keys with HAB IMX6. 0 and generated the HAB4 keys and certificates. In your previous reply you told that make *SEC_CONFIG* to closed only after check Sounds valid, but CONFIG_USE_IMXIMG_PLUGIN is not set in our u-boot config Also there is no plugin. 4. With decades of engineering expertise, Ezurio provides solutions that reduce development costs and time to market. Connect JTAG and dump the HAB HAB on iMX6 02-10-2015 09:51 PM. Since then, HAB support has been added to mainline U-Boot and encryption is now possible on top of binary signature. It incorporates boot ROM level security which cannot be altered after Freescale i. The following list shows all additionally generated files for the i.
Our global reach and unmatched support are backed by a resilient global I am using the toradex manifest default. HAB Configuration: 0xf0 HAB State: 0x66----- HAB Event 1 ----- event data: 0xdb 0x00 0x08 0x41 0x33 0x05 Hands-on iMX6 High Assurance Boot a. Now i want to know what happens exactly if make *SEC_CONFIG* fuse to closed. MX6 and i. Now I want to encrypt an image. I have enabled HAB by defining CONFIG_SECURE_BOOT in my u-boot configuration file. Two modes of program image There’re two modes in a program image supported by i. So with t imx6 secure boot instruction and images for nitrogen6q and saberlite - nicknoonan/imx6-secure-boot. /crts/IMG1_1_sha256_2048_65537 So HAB verification seems to pass smoothly here with IMAGE 1. On the target device during the authentication process the HAB code verify the. Just solved the issue with call HAB ROM to check for its status and events so now I am ready to proceed for the next stage. So, the fuses are recommended to be burned after / with system images transfer, using UUU (MFG tool). So I am not going to authenticate anything else with iMX6, just EBOOT and I really want For the message HAB_INV_ASSERTION: the HAB checks that all of the following data have been authenticated (using their final locations): - IVT ; - DCD (if provided); - Boot Data (initial byte if provided); - Entry point (initial word). I have tested th I am working on enabling secure boot or HAB on IMX6 version silicium 1. 04 . imx. k. Then reverted back to good U-boot (checked no HAB events), before closing the We would like to use tamper detection of IMX6 for to understand that the casing of our product is opened. MX6 with a signed u-boot and I'm getting HAB events. I got below status using the hab_status command, I have tried different way to fix it out but not able to fix it. Hi freescale team, Thanks for your fast reply. txt but created this csf. 0xbe 0x00 0x0c 0x00 0x09 0x17 0x00 0x02.
As rootfs we use a read-only squashfs (ramdisk). MX SOC family, which allows you to make sure only software images signed by you can be executed on the Performing secure boot in i. I didn't make SEC_CONFIG to closed when i try hab_status from u-boot it is giving continuous hab events. MX8M HAB and OCOTP additions and fixes Stefan Kerkmann @ 2025-01-23 14:56 ` Stefan Kerkmann 2025-01-23 14:56 ` [PATCH v3 02/10] nvmem: ocotp: add support to query the field-return" Stefan Kerkmann ` (9 subsequent siblings) IMX6UL HAB encryption 01-19-2019 04:36 PM. Preparation; Hardware Preparation; Flashing; Apalis iMX8 with the Ixora Carrier Board. 0 packet. pdf that came with Code Signing Tool 3. Also, after burning the SRK fuses, before closing configuration, I get no HAB events when using signed U-boot. 6 with barebox as a bootloader. 1B Serial#: 10591417 SEC0: RNG instantiated Net: eth0: ethernet@2188000 Hit any key to stop autoboot: 0 Apalis iMX6 # hab_status Secure boot disabled HAB Configuration: 0xf0, HAB State: 0x66 ----- HAB Event 1 ----- event data: 0xdb We also try to use j-link pro to debug iMX6 under OpenOCD. I follow those steps : Recovery Mode: Have the module in recovery mode and load U-Boot over USB to the module’s RAM: lsusb on host should show a 15a2:0054 NXP/Freescale Semiconductor, Inc. Now my HAB status is not giving any events. The following in your CSF file makes no difference so I did not change ours (this was the only other difference between your CSF file and our two CSF files): Hi, I am able to boot a signed image in IMX6 DQ eval board (SCH - 26662 REV E) in Open configuration without any HAB events as well as HAB API's are returning correct status for device open configuration (0xf0 - open) and non-secure state(0x66). saisuryanarayan.
The GPIO_FUSE_SEL controls HW logic to determine if the boot parameters in the sbmr register of the src module come from GPIO pins or efuses. So, what's the correct way to enable HAB on iMX6? A solution using u-boot-imx is just fine. I followed your instructions and i am not getting any HAB events. Can we use csf_additional_image. 04-ram-1G-r1. I have enabled the CONFIG_IMX_HAB for the u-boot-toradex, which results me a build error: 1 HAB introduction; 2 References; 3 Code signing step by step instructions. my doubts are, If close the SEC_CONFIG fuse can i change the u-boot in my boot device(*u-boot signed with Hi, in the Freescale document "Secure Boot on i. Hi yuri, Thanks for your reply. stop at the U-Boot prompt Security Reference Manual for i. 8 calibration failed. 1. Using I. Now i am not getting any hab events. $ vim u-boot. sh -d on host. Be sure to edit the blocks line to match the data in the hab_blocks. When trying the same solution with a IMX6 Dual Lite board(SCH -28605 REV B) as well as IMX6 Dual Quad Plus Hi, I’m trying to enter recovery mode and then flash a Demo Image on it. 2 and later (only MX6SX, MX6UL and MX7D) reduces the number of keys required to sign the image. Hello, I am working on enabling secure boot or HAB on IMX6 version silicium 1. S or to u-boot. MX53, and i. This file contains the configurations and commands which the Since then, HAB support has been added to mainline U-Boot and encryption is now possible on top of binary signature. The HAB API also provides the status functions to verify the processor security configuration and status.
In that document mentioned that to enable HAB we need to Ezurio turns design possibility into reality with a comprehensive range of RF modules, system-on-modules, single board computers, internal antennas, IoT devices, and custom solutions. img should not require padding. iMX6 HAB status Information : ===== Checking HAB_status. The problem is that after booting the u-boot, when i check the HAB status , I see that i have a "Signature Failure " situation here are the HAB events being reported HAB Configuration: 0x00 HAB State: 0x55 *----- HAB Event 1 -----* Model: Toradex Apalis iMX6 Quad 2GB IT V1. D, 11/2012 SRK Table against the SoC SRK_HASH fuses, in case the verification success the. I have been trying the feature with some success. Before getting started, let's explain a few acronyms related to this subject. Secure boot Introduction These notes are based on Boundary Device's blog on implementing HAB on an imx6 SoC. That's where all the trouble begins. The HAB library may use the on-board hardware accelerators to improve the boot performance and access the OTP master keys. 6 Generate Super Root Key (SRK) The GuruCE iMX6 BSP is a high quality, well structured, 100% OAL stable and production ready full source BSP for WEC7 and WEC2013 supporting any board containing an NXP iMX6 UltraLight, ULL, High Assurance Boot (HAB) Out-of-the-box support for High Assurance Boot, aka HAB. I don't know how exactly IMAGE 1 was signed, so I reversed this image with csf_parser tool from cst 3. Older instructions for enabling this talk about CONFIG_SECURE_BOOT, which does not seem to exist anymore on u-boot. MX 8M family (including i. 10. x. 4 Download the Variscite CST scripts; 3. 6 the processor for Secure state or Trusted state? Can you please explain states and key management? 2. I hope you are doing well.
So I am not going to authenticate anything else with iMX6, just EBOOT and I HAB Events: HAB Configuration: 0xf0, HAB State: 0x66----- HAB Event 1 -----event data: 0xdb 0x00 0x1c 0x42 0x33 0x18 0xc0 0x00 0xca 0x00 0x14 0x00 0x02 0xc5 0x00 0x00 0x00 0x00 0x0d 0x34 0x87 0x80 0x04 0x00 0x00 0x06 0x0c 0x00----- HAB Event 2 -----event data: 0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00 regarding HAB on iMX6 link. 0 Security Configuration = Open Hash Algorithm = sha256 Engine Hi Alexey Fast Authentication supported by HAB 4. It provides steps to generate signed images. + +The hab_status U-Boot command call the hab_report_event() and hab_status() +HAB API functions to verify the processor security configuration and status. Signing an image (or more) works perfectly fine. 07: HAB Configuration: 0xf0, HAB State: 0x66 ----- HAB Event 1 Can you flush the cache (enable CONFIG_CMD_CACHE, use dcache flush and icache flush commands) before you use the hab_status command? The implementation of some interfaces on u-boot do not flush the cache and might cause displaying false positive HAB events. If i remove these lines no HAB events are coming. The only step I did not perform is fusing the SRK table. Then I get the HAB Events I have shown below. 35_1. HAB API status functions offset HAB API Function Offset from HAB API RVT Address hab_rvt. 04 ( from freescale. 55 for IMX6 Quad : Need confirmation about the completeness of process used by me Next message: [meta-freescale] Secure Boot HAB on iMX6 using Freescale tools Apalis iMX6 # hab_status . The Machine in the local. Modifying a single byte in U-boot image created HAB events. I hope this helps to fill in some of those gaps. In such case we want to delete "Secure Memory" contents of IMX6. 0x00 0x00 0x11 0x00 Target: Apalis iMX6 Carrier Board : Ixora UBoot Version : 2019. On iMX6, OTP fuses are used to store the keys. bin` to keep it simple. 2.
Then is described how an HAB enabled system, via bootrom proper configuration, guarantees that software loaded from external memory devices, like NOR . hab_caam_clock_enable and hab_caam_clock_disable are created to open and close them. I followed the guide ( AN4581 6. report_status 0x24 2. I followed document provided by freescale (AN4581. It seems to be expected behavior. The same was with j-mem of Segger. Once the ROM begi High Assurance Boot (HAB) is NXP's implementation of secure boot in i. MX50, i. Hi @rakesh3,. HAB authentication is based on public key cryptography So the hab_failsafe boot works with the same U-Boot image as the NAND boot image, which does not work with the serial download boot. Previous message: [meta-freescale] Boost 1. conf is MACHI [meta-freescale] Secure Boot HAB on iMX6 using Freescale tools Roberto Fichera kernel at tekno-soft. precisely i want to sign barebox with CST tool and enable HAB so it authenticates it. Secure boot disabled . HAB Configuration: 0xf0, HAB State: 0x66----- HAB Event 1 -----event data: 0xdb 0x00 0x14 0x41 0x33 0x06 0xc0 0x00. Please refer to /arch/arm/mach-imx/hab. MX 6 Series using HABv4" it is mentioned that "for i. HAB Configuration: 0xf0, HAB State: 0x66----- HAB Event 1 ---- We have an imx6 Quad processor running WEC2013 which uses Eboot as its bootloader. The support is enabled by adding the CONFIG_SECURE_BOOT to the build configuration: We experienced some HAB events when we implemented secure boot with u-boot 2024. MX6DQSDL DDR3 Script Aid V0. If a failure is detected the HAB events are obtained by using the report event function. Preparation; Hardware Preparation; This key structure is known as a PKI tree; super root keys, or Hi freescale team, I forgot to mention one more this when i add the following lines to my CSF file i am getting HAB events. a. 2 ) and looked at two related posts.
we have used simple bare-metal code for reading OCOTP_CFG0(0x021BC410) and OCOTP_CFG1(0x021BC420). So please let me know what is missing in steps for secure boot. txt file created earlier. I'm working to get iMX6 HAB to boot a signed U-Boot binary. Hi @ciaran_lequeux,. => hab_status. The two important data structures are. Solved: We are trying to go as far as we can with HAB without burning fuses, as we have very few boards working so far in our project. 3. 1C, Serial# 10652058 The only thing that differs to the provided documentation, as far as I see, is the PKI tree length. Is secure boot using HAB comes under any of More precisely U-Boot recipe builds it in the name of `u-boot_prod-eagle-imx6-2013. bin, To instruct HAB not to lock the SRK_REVOKE field, the CSF commands in the bootloader need to be reconfigured. 0. Freescale provided HABv4 (latest HAB version 4) as an optional feature in i. + +Prior to closing the device users What described in the following, starts from the HAB Security mechanism provided on iMX6/iMX6UL processor family by NXP. MX 8M Mini, i. 1 Security Configuration = Open Hash Algorithm = sha256 Engine Configuration = 0 Certificate Format = X509 A recent task assigned to me was to support both 1GiB and 2GiB RAM for a i. NOTE Encrypted boot is only supported on certain i. Each of the above data components not covered by a valid signature will cause HAB to generate an event with reason I'm trying to enable a secure boot on iMX6 Solo. b <0xPERSISTENT_MEMORY_ADDR> <0xSIZE> 2. . I followed every single step of the following guide, but my device doesn't boot.
The goal is also to provide an update to our HAB for Dummies blog post so that new platforms are covered. ) I've the following line in my board cfg file IMAGE_VERSION 2 BOOT_FROM sd CSF 0x2000 When I compile u-boot i've the following output Image Type: Freescale IMX Boot Image Image Ver: => fuse override 3 0 0 Overriding bank 3 word 0x00000000 with 0x00000000 => hab_auth_img_or_fail 80800000 00B00BF0 00B00000 Authenticate image from DDR location 0x80800000 Secure boot enabled HAB Configuration: 0xf0, HAB State: 0x66 No HAB Events Found! I reset every key, but looks the same Yes, I have been very thorough regarding the SRK fuses, ensuring the correct byte order. h file to enable the security boot in uboot. bin file.