HAB/AHAB Secure Boot on Colibri iMX8x

Hi,
I found the following posting dealing with HAB/AHAB on Apalis iMX8x:

Is that answer still valid and does it apply to Colibri iMX8x as well?

Thanks.

Greetings @rubi0030,

If you’re referring to what our current status is on HAB/AHAB support then that post is more or less still accurate.

We still have not done or committed anything from our side regarding HAB/AHAB. Therefore it should still be expected to work as NXP documents. Though we ourselves have not really tested this, so I can’t guarantee anything at this time.

Best Regards,
Jeremias

Your competitors provide support on secure boot for imx8x, imx8mm and imxmp SOM. They provide step-by-step instructions while Toradex simply ignores this feature as device security becomes significantly important.

Dear @jeremias.tx,
It has been a year since your last reply; have you made any progress on this issue? Security for our products is very important and, as @pshulam says, other companies do HAB support for products very similar to yours.
Best regards,
Julián

Hi @jbruno,

What I can say now is that our teams have begun looking into secure boot/HAB and how we can best integrate it into our products, while providing an easy-to-use workflow. We just recently started this effort, but we hope to have something we can publicly share in time.

If you can share, may I ask your use-case for which you require HAB? Is it for some certification or some other product requirement? This information can help the team make sure they’re designing something that will be of use and actually fulfill customer requirements.

Best Regards,
Jeremias

Hi @jeremias.tx,
We are planning to enable HAB to secure our boards. Our approach for now would be to opt for a signed bootloader (SPL + U-Boot) and kernel. We have been spending a lot of time reading and analysing all the available documentation on this topic, and it is really complex and can be implemented in many different ways. We would like to know what your approach will be in order to put our efforts in the same direction.
Best regards,
Julián

For HAB we are simply following the documented approach from NXP. We may come out with additional tooling that simplifies this, but underneath it all it’s still just the standard NXP HAB process.

For kernel signing and verification we are currently looking at using FIT images and their properties, which are a standard feature upstream: u-boot/verified-boot.txt at master · u-boot/u-boot · GitHub

Now our implementation here may vary slightly when we unveil it but will follow this core functionality. All that said, you are of course welcome to try any other methods that may better fit your use-case. We’re just trying to find a solution that fits a large variety of use-cases, but obviously it may not fit all of them.

Best Regards,
Jeremias
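
For readers following the FIT approach mentioned in the last reply, here is an added illustration of an upstream U-Boot image source (`.its`) with a signed configuration. It is not from the thread and is not Toradex's or NXP's implementation. The file names `Image` and `board.dtb`, the key name `dev`, and the load and entry addresses are constructed placeholders.

```dts
/dts-v1/;

/ {
    description = "Signed kernel + device tree (constructed example)";
    #address-cells = <1>;

    images {
        kernel-1 {
            description = "Linux kernel";
            data = /incbin/("Image");      /* hypothetical file name */
            type = "kernel";
            arch = "arm64";
            os = "linux";
            compression = "none";
            load = <0x80000000>;           /* placeholder: use your board's address */
            entry = <0x80000000>;          /* placeholder: use your board's address */
            hash-1 { algo = "sha256"; };
        };
        fdt-1 {
            description = "Board device tree";
            data = /incbin/("board.dtb");  /* hypothetical file name */
            type = "flat_dt";
            arch = "arm64";
            compression = "none";
            hash-1 { algo = "sha256"; };
        };
    };

    configurations {
        default = "conf-1";
        conf-1 {
            kernel = "kernel-1";
            fdt = "fdt-1";
            /*
             * Sign the configuration, not the individual images: the
             * signature then covers this exact kernel/fdt pairing, so
             * signed images cannot be recombined into a new config.
             */
            signature-1 {
                algo = "sha256,rsa2048";
                key-name-hint = "dev";     /* hypothetical: keys/dev.key, keys/dev.crt */
                sign-images = "kernel", "fdt";
            };
        };
    };
};
```

Running `mkimage -f image.its -k keys -K u-boot.dtb -r image.fit` signs the image and writes the public key into U-Boot's control device tree, with `-r` marking it as required. The chain only holds if that U-Boot binary, with the key embedded, is itself authenticated by HAB/AHAB.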