Colibri iMX7D secure-boot: HAB errors after fusing SRK (U-Boot appears unsigned)

Hi, I’m the Toradex AI Assistant.


Colibri iMX7D Secure Boot Configuration and HAB Issues

Your configuration looks mostly correct, but there are several important considerations for Colibri iMX7D secure boot implementation.

Known Secure Boot Vulnerabilities on Colibri iMX7D

First, be aware that there are known secure boot vulnerabilities affecting Colibri iMX7D modules (1). According to the errata documentation, Errata #2: HAR-11298 - Secure Boot Vulnerabilities (NXP ERR010872 and ERR010873) affects:

  • Colibri iMX7D 512MB V1.1D WinEC and earlier
  • Colibri iMX7D 512MB V1.1A
  • Colibri iMX7D 1GB V1.1A

These errata affect all i.MX and Vybrid processors when using security enabled configuration (SEC_CONFIG[1] eFUSE is programmed) (1). The fix is listed as “not scheduled” (1).

Configuration Analysis

Your configuration appears comprehensive, but here are key points to verify:

1. Redundant Variables

U_BOOT_SIGNED = "1" may be redundant when using INHERIT += "tdx-signed" and INHERIT += "imx-hab", as these classes should handle the signing configuration automatically.

2. FIT vs HAB Signing Independence

UBOOT_SIGN_ENABLE = "1" (FIT signing for kernel/DTB) is independent from HAB CSF signing of U-Boot. These are separate security mechanisms:

  • HAB signing protects the bootloader itself
  • FIT signing protects the kernel and device tree

3. CST Tool Compatibility

There are known compatibility issues with NXP CST tool version 4.0.0 and later on older Linux distributions. Since you’re using CST 4.1, ensure you’re running on a recent Linux distribution (Ubuntu 24.04 or similar) for proper compatibility.

Troubleshooting Steps

  1. Verify Build Artifacts: Confirm that your build produces a signed u-boot.imx file with embedded CSF. The signed artifact should be larger than the unsigned version.

  2. Check HAB Events: Use hab_status command to get detailed information about the specific HAB events occurring after fusing.

  3. Validate Fuse Commands: The fuse-cmds.txt file should contain the correct SRK hash for your generated keys. Double-check that the fuse programming completed without errors.

  4. CSF Configuration: Ensure your CSF configuration matches the SRK index you specified (TDX_IMX_HAB_CST_SRK_INDEX = "1").

Alternative Approach

Given the known secure boot vulnerabilities on Colibri iMX7D (1), you might want to consider migrating to a newer platform. As noted in the community discussion (2), for secure boot requirements, the recommendation is to consider using Verdin AM62 Solo as an alternative to older iMX modules.

Next Steps

  1. Check your specific Colibri iMX7D hardware revision against the errata list (1)
  2. Verify that your Linux distribution is compatible with CST 4.1
  3. Examine the detailed HAB events to understand the specific authentication failure
  4. Consider testing with a minimal configuration first, then gradually adding complexity

The secure boot implementation for iMX-based platforms uses NXP’s HAB (High Assurance Boot) feature, and the configuration you’ve provided should theoretically work, but the known errata may be impacting your implementation.

Best regards, Toradex AI Assistant.
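
For troubleshooting step 1 in the answer above, an added example (not part of the original post and not Toradex or NXP code) that checks structurally whether an i.MX boot image carries a CSF: it parses the HAB Image Vector Table, follows its csf pointer and looks for the CSF header tag. The function names, the candidate IVT offsets 0x0 and 0x400, and the sample image are assumptions constructed for illustration.

```python
import struct

IVT_TAG, CSF_TAG, IVT_LEN = 0xD1, 0xD4, 0x20  # HAB header tags, IVT size

def inspect_imx_image(image: bytes, offsets=(0x0, 0x400)) -> dict:
    """Locate the IVT and report whether it references a CSF inside the file.

    Structural check only: it does not verify the signature itself.
    """
    for off in offsets:  # assumed candidate IVT positions in the file
        if len(image) < off + IVT_LEN:
            continue
        # HAB header: tag (1 byte), length (2 bytes, big-endian), version (1 byte)
        tag, length, version = struct.unpack_from(">BHB", image, off)
        if tag != IVT_TAG or length != IVT_LEN or (version & 0xF0) != 0x40:
            continue
        # entry, reserved1, dcd, boot_data, self, csf, reserved2 (little-endian)
        fields = struct.unpack_from("<7I", image, off + 4)
        self_addr, csf_addr = fields[4], fields[5]
        info = {"ivt_offset": off, "has_csf": False}
        if csf_addr == 0:
            info["reason"] = "IVT csf pointer is 0 (no CSF attached)"
            return info
        # Pointers are load addresses; translate to a file offset via 'self'
        csf_off = off + csf_addr - self_addr
        if csf_addr < self_addr or csf_off + 4 > len(image):
            info["reason"] = "csf pointer lies outside the file"
            return info
        ctag, clen, _ = struct.unpack_from(">BHB", image, csf_off)
        if ctag != CSF_TAG:
            info["reason"] = f"no CSF header at file offset {csf_off:#x}"
            return info
        info.update(has_csf=True, csf_offset=csf_off, csf_length=clen)
        return info
    return {"ivt_offset": None, "has_csf": False, "reason": "no IVT found"}

def sample_image(signed: bool) -> bytes:
    """Constructed input: IVT + 0x100 payload bytes (+ a bare CSF header)."""
    load, size = 0x877FF400, IVT_LEN + 0x100  # constructed load address
    ivt = struct.pack(">BHB", IVT_TAG, IVT_LEN, 0x40) + struct.pack(
        "<7I", load + 0x1000, 0, 0, load + IVT_LEN, load,
        load + size if signed else 0, 0)
    csf = struct.pack(">BHB", CSF_TAG, 0x50, 0x40) if signed else b""
    return ivt + bytes(0x100) + csf

if __name__ == "__main__":
    for label in ("unsigned", "signed"):
        print(label, inspect_imx_image(sample_image(label == "signed")))
```

A present CSF only shows that the signing step ran; whether the boot ROM accepts it against the fused SRK hash is still decided on the target, which is what hab_status reports.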