HAB-Fuses i.MX7D and Easy Install

Hi,

My background: I have got experience using MfgTools and Cortex-A7, setting secure boot HAB-fuses and booting a signed U-Boot and kernel from eMMC and remote.

Regarding the High-Assurance Boot (HAB) feature of the Colibri-iMX7D, please can you tell me if the MfgTools can be used here as well? What is the preferred way to flash the board with activated High Assurance Boot fuses (HAB)?

Please can you point me to the documentation regarding High-Assurance Boot feature of the Colibri-MX7D?

Kind regards, frehberg

To be honest, I am not very familiar with MfgTools. Back when we looked at it, it seemed to be a Windows-only solution and quite inflexible.

That said, the design of Toradex Easy Installer is not that different from MfgTools: both use a ramdisk (squashfs) to run a minimal Linux system to then do the flashing. From what I understand, HAB requires some fuses to be fused correctly. We have the fsl_otp driver enabled, which allows fuses to be blown from Linux userspace. We blow some fuses in the Apalis/Colibri iMX6 wrapup.sh script, which gets executed at the end of the flashing process. Flashing fuses on Colibri iMX7 should work similarly (the fuses we blow are boot specific, so you certainly need to write different fuses. Also, i.MX 7 uses a different fuse layout…)
http://git.toradex.com/cgit/meta-toradex-bsp-common.git/tree/recipes-bsp/tezi-metadata/files/mx6/wrapup.sh?h=thud-next

Unfortunately, we do not have complete documentation on how to do HAB on Colibri iMX7. Maybe @jeremias.tx has a bit more information on how it can be done?

Greetings @frehberg,

I have some experience with HAB on our hardware so let me add some of my thoughts.

Toradex ourselves don’t have any specific HAB documentation for our hardware. In general, the NXP-provided documentation does a good enough job of describing the process. The NXP application note found here: https://www.nxp.com/docs/en/application-note/AN4581.pdf describes how to use MfgTools in a HAB environment (Appendix F).

It should be noted that I haven’t done this, nor do I think anyone else in Toradex has, as HAB is not something we have a whole lot of experience with.

As Stefan has said above, the preferred method to flash Toradex modules is our Easy Installer tool. In theory, our Easy Installer tool can also be used on a module that has been HAB signed. Our Easy Installer tool uses a variant of imx_usb_loader which has support that should allow for similar functionality as MfgTools with HAB.

Relevant Commit: https://github.com/toradex/imx_loader/commit/6deb910dd0a64267c43e65e95486f975e293823f?diff=unified

Unfortunately, this is also something I’m not aware that anyone has tried before.

I hope I was able to provide a little more information regarding flashing of a HAB signed device.

Best Regards,
Jeremias

Hi @jeremias.tx, thanks for your response. Once the HAB fuses have been activated, I doubt the shipped, local EasyInstaller is being booted any longer (as the default bootloader lacks the required, valid signature).
Maybe there is a recovery mode that permits transferring a signed bootloader (or more) over the wire, which will finally start the local EasyInstaller?

So the Easy Installer package does load its own bootloader. I’d imagine one could just swap the binary out with an identical but signed bootloader and perhaps that would work.

There was actually a similar question here: https://www.toradex.com/community/questions/40281/cannot-update-secured-uboot-after-having-closed-de.html

But there were never any conclusive results.