Enable HAB on Verdin IMX8MM Yocto project

Hi Staff,
I am using Verdin IMX8MM board and trying to enable secure boot(HAB) in Yocto project.
My understanding is we must include meta-toradex-security and meta-toradex-tezi to upgrade the secure u-boot files into eMMC.
Am I correct on these assumptions?
Thank you

Hi, I’m the Toradex AI Assistant. I’m in early beta, and I would appreciate your feedback.
The Toradex Support team will follow up with you shortly!

Did you like my answer?

:+1: :-1:


Yes, your understanding is correct. To enable Hardware Access Boot (HAB) for secure boot on the Verdin iMX8M Mini (iMX8MM) using the Yocto Project, you should include the meta-toradex-security layer in your build. This layer provides the necessary tools and recipes to generate a secure boot enabled Torizon OS image.

Additionally, incorporating the meta-toradex-tezi layer is essential for upgrading the secure U-Boot files into the eMMC. This layer includes support for the Toradex Easy Installer, which facilitates the deployment of images onto Toradex modules, including those with secure boot enabled.

To proceed, ensure that your local Yocto Project environment is set up correctly to include these layers and their dependencies. You will need to follow the steps to configure your build for secure boot, which typically involves generating keys, signing the bootloader and kernel, and ensuring that the secure boot fuses are programmed correctly on your Verdin iMX8MM module.

Remember, enabling secure boot involves burning fuses on the SoC, which is an irreversible process. Ensure you have thoroughly tested your configuration in a non-secure mode before proceeding to enable HAB.

Best regards,
Toradex AI Assistant

Please, also check if these links can help you solve your problem:

Secure Boot on Torizon OS | Toradex Developer Center.

Dear @mayuran,

Welcome to our community!

You will indeed need to add meta-toradex-security layer. However, the meta-toradex-tezi layer is not required. You can use this meta layer to enable secure boot: https://github.com/toradex/meta-toradex-security/tree/kirkstone-6.x.y

Then you will have to create the keys using the cst tool.

After that you build the image and use the Toradex Easy Installer to flash the uboot files (imx-boot-sd and u-boot-sd) by replacing it with the ones it you generated.

Finally you fuse them by using fuse-cmds.txt with the CLOSE bit.

Please be sure to carefully check everything before fusing. Once fusing has been applied, there is no turning back. I highly recommend following the README documents on the git repository.

Best regards

Hi Colin,
Initially I followed the steps without integrating the meta-toradex-tezi layer and replaced the imx-boot-sd and u-boot-sd files. Also I preform the eFusing too. But I was unable to see any secure boot/HAB related steps on that process.
That is why I tried to integrate the meta-toradex-tezi layer to generate the tezi.itb file as I thought it is also replaced.
So if meta-toradex-tezi layer is not required may I know why I am not getting any HAB related steps in the boot messages?
Also I am not able to issue hab_status or ahab_status command too.
If you know why is that?
Thank you

Hi @collin.tx
I tried to perform the steps you specified and finally fused the CLOSE bit too.
After that device did not boot at all.
It seems that HABv4 is used for imx8mm and is it correctly supported by your meta layer?
Do you think we must replace the .itb file?
How to recover the board now? Can your toradex easy installer help to recover the device?
Thank you and expecting your quick response on this.

Dear @mayuran

I am sorry to hear that you are having troubles with secure booting.
Would it be possible for you to share with us all steps you took up until this point?
If there are no HAB tools within the image and thusly uboot than the security meta layer was likely improperly implemented. You should only close the module once you have verified that HAB is fully working with no errors, and it is not possible to do that without the HAB tools available in u-boot. As you said that hab_status was not available, it’s clear that the device was not ready to be closed.
If you still have the private keys you will be able to recover the module. However I would advise to first get a further module to correctly implement the secure boot, after which we can try recovering your previous module.

Best regards

Hi @collin.tx
According to this link it seems that this security meta layer was tested with Verdin IMX8MP.

But can you please confirm that this has been tested with Verdin IMX8MM as we are having that hardware platform?

Here are my steps:
I added the security meta layer and added tdx-signed
Then using cst I generated the keys and issued the bitbake command to compile the OS image.
Then I used Verdin-iMX8MM_ToradexEasyInstaller_6.6.0 as a base and updated the imx-boot-sd and imx-boot files.
Finally I executed recovery-linux.sh

I have the keys so I hope we can recover the board.
Thank you

Hello, I work with Mayuran. We are really stuck on this is there anyway we can get more help with this, here or even pay for some support? Many thanks for any suggestions?

Just to clarify what you are doing here.

Then I used Verdin-iMX8MM_ToradexEasyInstaller_6.6.0 as a base and updated the imx-boot-sd and imx-boot files.

You did a Yocto build with meta-toradex-security then you used the imx-boot-sd and imx-boot files from that build and replaced the files in Verdin-iMX8MM_ToradexEasyInstaller_6.6.0. Is that right?

If you’re building for one our devices there should be a “Tezi” tar file produced from the build that can then be flashed using Easy Installer. Did you try that? Replacing the files in Verdin-iMX8MM_ToradexEasyInstaller_6.6.0 doesn’t really do anything. These are not what gets flashed to the device.

Best Regards,

As it is warned numerous times in numerous places, you shouldn’t close your device until make sure you don’t have (A)HAB errors in HAB log. More over you shouldn’t burn any single fuse, including SRK key until you make sure HAB log is errors free. Your device should ignore empty SRK key. You should burn non zero SRK after you get working boot image signing process. You may decide to change your SRK for some reason, but changing SRK will render devices with former SRK keys incompatible with new generated keys. So you first should make sure current SRK is OK for you purpose, and only then burn SRK, reverify zero errors in HAB log, and only the burn device CLOSE fuse.

Lack of hab_status like command in U-Boot means such command is disabled in U-Boot config. Still, you can inspect HAB log with the help of hab_log_parser, which is a part of CST. hab_log_parser, depending on command line switches, either uses SDP protocol to read HAB log from target or takes binary/ascii dump of HAB log SRAM locations from file, which you may get using other U-Boot commands or perhaps using some JTAG adapter.

Recovery is possible, provided you programmed key fuses properly and didn’t loose matching keys in your CST files. To launch recoveryxx.sh/cmd for closed target you need signed U-Boot file in Tezi files on your host PC. I mean U-Boot binary, which recovery.sh writes to target has to be signed. Unfortunately, in general it is not the same U-Boot file, which you get after bitbake. I didn’t try iMX8 yet, as well I’m not sure how it is with SPL U-Boot, but on something like iMX7 *.csf file for recovery U-Boot needs different “Blocks =” record, which should include SRAM locations, where uuu/imxusb puts DCD of your U-Boot. Additionally, compred to uuu, imxusb needs DCD pointer cleared in IVT…
So it would be easier for you to just start from fresh, not fused device.

Hi @jeremias.tx
Yes I performed the steps you described.

What do you mean by flash the .tar file?
Do you want me to use the imx-boot from that tar file or?
Can you elaborate little more please?

Thank you and expecting your prompt answer.

Have you ever used our Easy Installer tool to flash a custom image before? It would be the same concept as that. If you did a Yocto build with our meta-layers then in your build artifacts from your Yocto build there should be a tar file called something like Verdin-iMX8MP_Reference-Multimedia-Image-Tezi_6.7.0-devel-20240606005006+build.0.tar. Basically you’re looking for something with “Tezi” in the name.

You take this untar it and put it on a SD or USB drive. You attach the drive containing this to your device while it’s running Easy Installer. Then in Easy Installer UI you should see an option to flash your custom image. If you built this image with meta-toradex-security correctly, then the flashed image should have the signed binaries and such as you configured them during the build.

Also as @Edward has stated, please be very careful when fusing anything on the device. This is an irreversible action and if you make a mistake, recovery of your device will be difficult or impossible depending on the circumstances.

Best Regards,

Hi I rebuild the image and flashed it
Here is the kernel output I am getting:
Any idea why I get this error?

U-Boot SPL 2022.04-6.7.0-devel+git.7588eb559ca2 (May 28 2024 - 11:19:14 +0000)
DDRINFO: start DRAM init
DDRINFO:ddrphy calibration done
DDRINFO: ddrmix config done
Failed to initialize “Synchronous Abort” handler, esr 0x96000000
elr: 00000000007e582c lr : 00000000007e54e8
x 0: ffffffffffffffff x 1: 0000000000000000
x 2: 00000000007e5654 x 3: 0000000000000000
x 4: 00000000422001f0 x 5: 0000000000000000
x 6: 00000000ffffffff x 7: 00000000422001e0
x 8: 0000000000802010 x 9: 0000000000000002
x10: 00000000ffffffff x11: 0000000000802010
x12: 0000000000000000 x13: 0000000000000e30
x14: 00000000007f9f50 x15: 0000000000000040
x16: 00000000007eab80 x17: 000000000000c180
x18: 000000000091fe40 x19: 000000000091fcf0
x20: 00000000ffffffd0 x21: 000000000091fc90
x22: 00000000007f77dd x23: ffffffffffffffff
x24: 000000000091fcf0 x25: 0000000000000030
x26: 00000000007f6d6c x27: 000000000091fc30
x28: 0000000000000000 x29: 000000000091fbb0

Hmm hard to say what went wrong here. Could you describe how you setup the Yocto build that produced this image?

For example what image did you build? What manifest did you use for the build? What did you put in your local.conf file.

Also did you already fuse anything on this specific device?

Last I checked Verdin i.MX8M Mini works just fine when enabling HAB with our security meta-layer.

Best Regards,