Dear Toradex community,
HAB is enabled on my Verdin iMX8M Plus and is working fine. I have implemented an A/B strategy for updating u-boot using two eMMC partitions - as described in Drew Moseley’s excellent article Considerations for Updating the Bootloader Over-the-Air.
The situation is as follows:
- I installed a correctly signed u-boot (signed with an SRK from HAB) in boot partition 1.
- I installed a wrongly signed or unsigned u-boot in boot partition 2 via an OTA update.
- Boot partition is the active boot partition.
If I power on the device, the device boots and starts the main application - as if the dodgy u-boot in partition 2 doesn’t exist. A deeper analysis shows the following.
- HAB tries to boot from u-boot in partition 2. It finds out that the signature is wrong. Sometimes it issues HAB events, sometimes not.
- HAB skips booting from partition 2 and tries u-boot from partition 1. As partition 1 has a correct signature, it finishes booting and starts the application.
As my two u-boot instances have different LOCALVERSIONs, I can tell them apart from the u-boot messages (starting with "U-Boot SPL" and "U-Boot") in the serial console. There are no messages from the dodgy u-boot.
If I zero out the good boot partition 1, the boot process gets stuck before a single u-boot message is printed in the serial console. There is no alternate u-boot to which the boot process can fall back.
Is this automatic fallback from a wrongly signed u-boot to a correctly signed u-boot a supported HAB feature? Or, is this fallback a lucky accident?
Thanks,
Burkhard
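A small checker for the serial-console evidence described in the post, added here as an example (it is not code from the post or from Toradex). It assumes U-Boot's usual "U-Boot SPL ..." / "U-Boot ..." banner lines and the "--------- HAB Event N" header of U-Boot's HAB event dump; the sample log and the "-slotA" LOCALVERSION suffix are constructed.

```python
import re
from typing import Dict, Optional

# Constructed serial capture (not from the poster's board); the "-slotA"
# LOCALVERSION suffix and the timestamps are made-up sample values.
SAMPLE_LOG = """\
U-Boot SPL 2022.04-slotA (Jan 01 2024 - 00:00:00 +0000)
Trying to boot from BOOTROM

--------- HAB Event 1 -----------------
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CSF (0x11)

U-Boot 2022.04-slotA (Jan 01 2024 - 00:00:00 +0000)
"""

# Banner layouts assumed from U-Boot's SPL/main banners and from the
# "--------- HAB Event N ---" header of U-Boot's HAB event dump.
SPL_BANNER = re.compile(r"^U-Boot SPL (\S+)")
MAIN_BANNER = re.compile(r"^U-Boot (?!SPL\b)(\S+)")
HAB_EVENT = re.compile(r"^-+ HAB Event (\d+)")


def analyse_boot_log(log: str) -> Dict[str, object]:
    """Report which SPL/U-Boot versions printed a banner and how many HAB
    events appeared, so the booted A/B slot can be checked."""
    spl: Optional[str] = None
    main: Optional[str] = None
    events = 0
    for line in log.splitlines():
        if m := SPL_BANNER.match(line):
            spl = m.group(1)  # version string incl. LOCALVERSION suffix
        elif m := MAIN_BANNER.match(line):
            main = m.group(1)
        elif HAB_EVENT.match(line):
            events += 1
    return {
        "spl_version": spl,
        "uboot_version": main,
        "hab_events": events,
        # SPL and main U-Boot must come from the same slot image.
        "same_slot": spl is not None and spl == main,
        # No banner at all is the "stuck before any message" case.
        "booted": spl is not None,
    }
```

Feeding a real capture to analyse_boot_log() shows which slot's LOCALVERSION actually printed and whether any HAB events were reported, which is the evidence needed to tell a deliberate fallback from a silent skip.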