Building and Signing U-Boot. HAB warning

We are aiming to implement a full Secure Boot Chain of Trust with U-Boot and an OS that is not Linux on an apalis-imx6. To that end we have started experimenting with U-Boot.

We are trying to modify and build U-Boot from source. Our main guide has been Build U-Boot From Source Code and we were able to build it without modifications.

Then following these guides and posts:

  • https://github.com/u-boot/u-boot/blob/master/doc/imx/habv4/guides/mx8m_spl_secure_boot.txt
  • https://github.com/u-boot/u-boot/blob/master/doc/imx/habv4/guides/mx6_mx7_spl_secure_boot.txt
  • https://community.toradex.com/t/enable-hab-on-apalis-imx6-raises-build-error-in-u-boot/20516

We were able to build U-Boot with HAB enabled and sign SPL and U-Boot images with NXP’s CST tool. We used the imx6_template.csf from the meta-toradex-security layer as a template for our own CSF script file.

We downloaded the Reference Minimal Embedded Linux Image, replaced the SPL and U-Boot binaries with the ones we built and flashed it to a board with Toradex Easy Installer. U-Boot and Linux booted OK.

We stopped U-Boot from booting and from the U-Boot console we executed the hab_status command. We got the following output:


Industrial temperature grade DDR3 timings.
Trying to boot from MMC1
hab fuse not enabled

Authenticate image from DDR location 0x177fffc0...


U-Boot 2022.07-00015-g8fca111e67 (Jul 22 2024 - 14:13:39 -0300)

CPU:   Freescale i.MX6D rev1.6 at 792MHz
CPU:   Industrial temperature grade (-40C to 105C) at 32C
Reset cause: POR
DRAM:  1 GiB
PMIC:  device id: 0x10, revision id: 0x21, programmed
Core:  113 devices, 19 uclasses, devicetree: separate
MMC:   FSL_SDHC: 1, FSL_SDHC: 2, FSL_SDHC: 0
Loading Environment from MMC... OK
In:    serial@2020000
Out:   serial@2020000
Err:   serial@2020000
Model: Toradex 0035 Apalis iMX6D 1GB IT V1.1B
Serial#: 10591417
SEC0:  RNG instantiated
Net:   eth0: ethernet@2188000
Hit any key to stop autoboot:  0
Apalis iMX6 # hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
        0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
        0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
        0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)

We were expecting to get:

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

What could be the problem?

Regards.

Greetings @martinM,

Please see the section in our article here: Secure Boot | Toradex Developer Center

This specific HAB event is a known warning on some i.MX6 SoCs. As our documentation states, this should cause no harm or issues going forward. You can consult the NXP report on this for more info, or contact NXP with further questions.

We are aiming to implement a full Secure Boot Chain of Trust with U-Boot and an OS that is not Linux on an apalis-imx6.

Out of curiosity what OS are you trying to implement a secure chain of trust for? If you don’t mind sharing.

Best Regards,
Jeremias

This non-fatal warning applies not only to some iMX6, but also to non-secure VF variants.

On iMX6ULL the warning appears when using ENGINE = ANY (or DCP?) instead of ENGINE = SW. No wonder the warning is there, because iMX6ULL (contrary to iMX6UL) doesn’t include CAAM. And DCP, which is available on iMX6ULL, is unable to HW assist all HAB functions. ENGINE = SW in the cst file suppresses HAB_WARNINGs.

On VF the same non-fatal warning appears on parts with partially disabled CAAM features (NN parts, which are used in VF Colibris). HAB is still functional and works well with HAB_WARNING (0x69) present.

HAB_WARNINGs are OK for closing, HAB_ERRORs are not OK.
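
For checking a captured console log before closing a device, the following is an added example (not code from any poster, Toradex or NXP) that decodes the event header bytes printed by hab_status and lists every event whose status is not HAB_WARNING, following the rule in the last reply. It assumes the record layout visible in the output above (tag 0xdb, two-byte big-endian length, version, then STS, RSN, CTX, ENG); the function names are hypothetical.

```python
import re

HAB_TAG_EVT = 0xDB  # first byte of the event record in the output above
HAB_WARNING = 0x69  # STS value from the thread; the only status tolerated here

# Sample input: the event from the first post, re-typed as console text.
SAMPLE = """\
HAB Configuration: 0xf0, HAB State: 0x66

--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
        0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
        0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
        0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
        0x00 0x00 0x00 0x01

STS = HAB_WARNING (0x69)
"""

def parse_events(console_text):
    """Decode the header of every event in hab_status console output."""
    events = []
    # With one capture group, re.split yields [preamble, num, body, num, body, ...]
    chunks = re.split(r"-+ HAB Event (\d+) -+", console_text)
    for num, body in zip(chunks[1::2], chunks[2::2]):
        hexdump = body.split("STS =", 1)[0]  # drop the decoded text lines
        raw = bytes(int(h, 16)
                    for h in re.findall(r"\b0x([0-9a-fA-F]{2})\b", hexdump))
        if len(raw) < 8 or raw[0] != HAB_TAG_EVT:
            raise ValueError(f"event {num}: not a HAB event record")
        length = int.from_bytes(raw[1:3], "big")  # header plus payload
        if length != len(raw):
            # A cut-off or noisy capture must not pass as a clean result.
            raise ValueError(f"event {num}: header says {length} bytes, got {len(raw)}")
        events.append({"event": int(num), "length": length, "version": raw[3],
                       "status": raw[4], "reason": raw[5],
                       "context": raw[6], "engine": raw[7]})
    return events

def closing_blockers(console_text):
    """Events whose status is anything other than HAB_WARNING."""
    return [e for e in parse_events(console_text) if e["status"] != HAB_WARNING]

if __name__ == "__main__":
    for e in parse_events(SAMPLE):
        print({k: (v if k == "event" else hex(v)) for k, v in e.items()})
    print("blockers:", closing_blockers(SAMPLE))
```

A log that contains only "No HAB Events Found!" yields an empty list from both functions.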