firmware update with secure boot

Hi there,

I was hoping someone can help me with this HAB event:

[FWU] : ========================================
[FWU] : HAB STATUS DETAILS:
[FWU] : ========================================
[FWU] : Status: 0x33 - HAB FAILURE
[FWU] : State: 0x66 - NONSECURE (Non-secure state)
[FWU] : Config: 0xF0 - OPEN (Non-secure IC)
[FWU] : ========================================
[FWU] : [BOOTSELECTOR] Authentication failed —
[FWU] : [BOOTSELECTOR] Checking HAB for signature Events —
[FWU] : ------- HAB Event (0) ------
[FWU] : [HEADER] Tag: 0xDB, Version: 0x45, Data Length: 20 (0x14) bytes
[FWU] : [SRCE] Status: HAB_FAILURE (0x33)
[FWU] : [SRCE] Reason: INV_INDEX (Access denied) (0x0F)
[FWU] : [SRCE] Context: COMMAND (Executing CSF/DCD command) (0xC0)
[FWU] : [SRCE] Engine: ANY (0x00)
[FWU] : [PAYLOAD] (Bytes 8-19): [FWU] : BE [FWU] : 00 [FWU] : 0C [FWU] : 00 [FWU] : 03 [FWU] : 17 [FWU] : 01 [FWU] : 00 [FWU] : 00 [FWU] : 00 [FWU] : 00 [FWU] : 50 [FWU]

This happens when I try to update my image with a new super root key signature.
My initial boot image is signed with SRK1 (source index = 0), and I want to update it with a new image signed with SRK2 (source index = 1).

I didn't close the device yet; I have fused only the SRK table. In normal boot everything goes as expected; only when I try to load an image with a different SRK do I get the INV_INDEX event.

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.


HAB INV_INDEX Event Analysis

The HAB event you’re encountering indicates an INV_INDEX error, which means “Access denied” when trying to authenticate with a different Super Root Key (SRK) index(1).

Understanding Your Issue

Your setup:

  • Initial image: Signed with SRK1 (index 0)
  • Update image: Signed with SRK2 (index 1)
  • Device state: OPEN configuration, SRK table fused but not closed

Root Cause

The INV_INDEX (0x0F) error occurs because HAB is rejecting the use of SRK2 for authentication(1). Even in OPEN mode, HAB enforces certain security policies regarding SRK usage.

Key Points to Consider

  1. SRK Index Configuration: When you initially boot with SRK1, the system may be restricting subsequent authentications to the same SRK index(1)

  2. BSP Version Considerations: Based on the community discussion, older BSP versions (like 3.0.4) have known limitations with secure boot implementation(1)

  3. Device State: While your device is in OPEN configuration, HAB still performs authentication checks and may restrict SRK switching(1)

Recommended Approach

To help you properly, I need to understand your specific setup better. Could you provide:

  • Which Toradex SoM and carrier board you’re using?
  • Which OS and version you’re running?
  • Your current BSP version?

You can get this information by running the tdx-info command on your device. More details are available at: Getting Device Information with Tdx-Info | Toradex Developer Center

Next Steps

Once I know your platform details, I can provide specific guidance on:

  • Proper SRK configuration for your hardware
  • BSP-specific considerations for HAB implementation
  • Recommended update procedures for signed images

Best regards,
Toradex AI Assistant.

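The [PAYLOAD] bytes from the log in the question can be read as a CSF command: the event context is COMMAND, and the leading 0xBE byte is the Install Key command tag. The decoder below is an added example, not code from the posts above or from Toradex or NXP. The tag values and field order follow the NXP HAB4 definitions; `struct ins_key`, `hab_event_ins_key` and `sample_event` are names made up here, and the 20-byte record is rebuilt from the header, SRCE and payload lines of the log.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Tag values from the NXP HAB4 API definitions. */
#define HAB_TAG_EVT     0xDB  /* event record header tag */
#define HAB_CMD_INS_KEY 0xBE  /* CSF "Install Key" command tag */
#define HAB_PCL_SRK     0x03  /* key protocol: SRK table */

struct ins_key {              /* fields of a decoded Install Key command */
    uint8_t  flags, protocol, hash_alg, src_index, tgt_index;
    uint32_t key_dat;         /* key data location given in the command */
};

/* Event record rebuilt from the header, SRCE and payload lines of the log. */
static const uint8_t sample_event[20] = {
    0xDB, 0x00, 0x14, 0x45,   /* tag, length 20 (big-endian), version */
    0x33, 0x0F, 0xC0, 0x00,   /* status, reason, context, engine */
    0xBE, 0x00, 0x0C, 0x00, 0x03, 0x17, 0x01, 0x00, 0x00, 0x00, 0x00, 0x50
};

static unsigned be16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Returns 0 and fills *out if the event data is an Install Key command;
 * -1 if the record is truncated, mis-tagged or holds another command. */
int hab_event_ins_key(const uint8_t *ev, size_t n, struct ins_key *out)
{
    if (n < 8 || ev[0] != HAB_TAG_EVT) return -1;
    size_t len = be16(ev + 1);            /* total record length */
    if (len < 8 + 12 || len > n) return -1;
    const uint8_t *c = ev + 8;            /* event data starts at byte 8 */
    if (c[0] != HAB_CMD_INS_KEY || be16(c + 1) < 12) return -1;
    out->flags = c[3];     out->protocol = c[4];  out->hash_alg = c[5];
    out->src_index = c[6]; out->tgt_index = c[7];
    out->key_dat = (uint32_t)c[8] << 24 | (uint32_t)c[9] << 16 |
                   (uint32_t)c[10] << 8 | c[11];
    return 0;
}

int main(void)
{
    struct ins_key k;
    if (hab_event_ins_key(sample_event, sizeof sample_event, &k) != 0)
        return puts("event data is not an Install Key command"), 1;
    printf("Install Key: protocol=0x%02X%s hash_alg=0x%02X src=%u tgt=%u key_dat=0x%X\n",
           k.protocol, k.protocol == HAB_PCL_SRK ? " (SRK)" : "",
           k.hash_alg, k.src_index, k.tgt_index, (unsigned)k.key_dat);
    return 0;
}
```

For the logged record this yields an SRK-protocol Install Key with source index 1 and target index 0, which matches the SRK2 source index given in the question.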