Configure yocto u-boot ahab on scarthgap_7.4.0

I need to configure Yocto to build imx-boot with AHAB enabled for the Colibri iMX8X board.

Could you help me?

Thank you

Best regards.

Flavio Gobber

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.


Configuring AHAB for Colibri iMX8X

To enable AHAB (Advanced High Assurance Boot) for the Colibri iMX8X in Yocto, you’ll need to modify the U-Boot configuration and use Toradex’s security meta-layer(1).

Step 1: Enable AHAB in U-Boot Configuration

First, you need to enable AHAB support in the U-Boot configuration(2). The default configuration doesn’t have AHAB enabled, so you’ll need to modify the config:

→ ARM architecture
[*] Support i.MX8 AHAB features

(2)

Step 2: Use Toradex Security Meta-Layer

Toradex provides a dedicated meta-layer for security features including HAB/AHAB support(1). You should include the meta-toradex-security layer in your Yocto build(1).

The security layer includes variables to configure HAB/AHAB support. When the tdx-signed class is inherited, signing bootloader images via HAB/AHAB is enabled by default.

Step 3: Build Process for iMX8X Boot Container

For the Colibri iMX8X, you’ll need to build the complete boot container that includes(3):

  • DDR memory timings
  • SCU firmware (SCFW)
  • ARM-trusted firmware (ATF)
  • U-Boot
  • Any potential Cortex-M4 auxiliary firmware

The boot container assembly process uses the imx-mkimage utility(3). For Colibri iMX8X, the build command would be(3):

$ make REV=C0 SOC=iMX8QX flash
$ ls iMX8QX/flash.bin

(3)

Note: Remove REV=C0 if you’re building for B0 or older silicon versions(3).

Step 4: Prerequisites

Before proceeding, ensure you have(3):

  1. Downloaded and set up the NXP CST (Code Signing Tool)
  2. Generated the necessary keys and certificates following NXP documentation
  3. Obtained the SECO firmware for iMX8X
  4. Built the SCU firmware (SCFW) and ARM-trusted firmware (ATF)

The resulting flash.bin file should be renamed to imx-boot for compatibility with Toradex Easy Installer(3).

For detailed implementation, I recommend reviewing the meta-toradex-security repository documentation for the specific configuration variables and setup procedures(1).

Best regards, Toradex AI Assistant.
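
As an added example (not part of the posts in this thread, and not Toradex or NXP code): a small checker to confirm that the flash.bin / imx-boot produced by the build actually carries signed containers. It assumes the AHAB container header layout (header tag 0x87, signature block tag 0x90) and containers at offsets 0x0 and 0x400 in the boot image; the sample images are constructed bytes, not real firmware.

```python
import struct

CONTAINER_TAG = 0x87   # AHAB container header tag (assumed layout)
SIGBLK_TAG = 0x90      # AHAB signature block tag (assumed layout)
SRK_SET = {0: "none (not authenticated)", 1: "NXP", 2: "OEM"}

def parse_container(blob, off):
    """Describe the container header at `off`; None if no header is there."""
    if len(blob) < off + 16:
        return None
    # version, length, tag, flags, sw_version, fuse_version, num_images,
    # signature block offset, reserved (little-endian, 16 bytes)
    ver, _len, tag, flags, _sw, _fuse, n_img, sig_off, _ = \
        struct.unpack_from("<BHBIHBBHH", blob, off)
    if tag != CONTAINER_TAG or ver != 0:
        return None
    info = {"offset": off, "images": n_img,
            "srk_set": SRK_SET.get(flags & 0x3, "reserved"), "signed": False}
    sb = off + sig_off
    if sig_off and len(blob) >= sb + 12:
        # version, length, tag, SRK table / certificate / blob / signature offsets
        _v, _l, stag, srk_off, _cert, _blob, sign_off = \
            struct.unpack_from("<BHBHHHH", blob, sb)
        # Signed means: an SRK set is selected and both the SRK table and
        # the signature are actually present in the signature block.
        info["signed"] = (stag == SIGBLK_TAG and (flags & 0x3) != 0
                          and srk_off != 0 and sign_off != 0)
    return info

def check_boot_image(blob, offsets=(0x0, 0x400)):
    """Parse the containers at the assumed offsets of an i.MX8X boot image."""
    return [c for c in (parse_container(blob, o) for o in offsets) if c]

def _sample(flags, srk_off, sign_off):
    """Constructed 0x400-byte container: header, one image slot, sig block."""
    hdr = struct.pack("<BHBIHBBHH", 0, 0x200, CONTAINER_TAG, flags, 0, 0, 1, 0x90, 0)
    sig = struct.pack("<BHBHHHH", 0, 0x100, SIGBLK_TAG, srk_off, 0, 0, sign_off)
    return (hdr + bytes(0x90 - 16) + sig).ljust(0x400, b"\0")

# Constructed test images, not real firmware.
SAMPLE_SIGNED = _sample(1, 0x10, 0x150) + _sample(2, 0x10, 0x150)
SAMPLE_UNSIGNED = _sample(1, 0x10, 0x150) + _sample(0, 0, 0)

if __name__ == "__main__":
    for name, img in (("signed", SAMPLE_SIGNED), ("unsigned", SAMPLE_UNSIGNED)):
        for c in check_boot_image(img):
            print(name, hex(c["offset"]), c["srk_set"], "signed" if c["signed"] else "UNSIGNED")
```

To check a real build, pass the bytes of the generated file to `check_boot_image`. A signed container shows the image was signed, not that the device enforces authentication.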



Hi @flavio!

I saw you opened other threads. Were you able to solve this issue?

Best regards.