Hab_status unknown in U-Boot even with tdx-signed + HAB enabled (Verdin iMX8MP)

Technical Support
,
1

Hi Toradex team,
I’m enabling HAB secure boot signing in my Yocto build for Verdin iMX8MP using meta-toradex-security and tdx-signed, but in U-Boot I can’t run hab_status.
Setup (Yocto / local.conf)
INHERIT += “tdx-signed”
TDX_IMX_HAB_ENABLE = “1”
UBOOT_SIGN_ENABLE = “1”
TDX_IMX_HAB_CST_SRK_CA = “1”
TDX_IMX_HAB_CST_KEY_SIZE = “2048”
TDX_IMX_HAB_CST_DIG_ALGO = “sha256”
CFS_SIGN_KEYNAME = “cfs-dev”
TDX_IMX_HAB_CST_DIR = “/home/secure-boot/cst-4.0.1”
TDX_IMX_HAB_CST_CERTS_DIR = “/home/secure-boot/cst-4.0.1/crts”

Issue: In U-boot:
Verdin iMX8MP # hab_status
Unknown command ‘hab_status’ - try ‘help’
Boot log snippet (FIT boot):
I do see hash verification:
Verifying Hash Integrity ... sha256+ OK for kernel/ramdisk/fdt
but I do not see any rsa2048 / signature verification messages.

  1. If tdx-signed is enabled, but hab_status is missing, does that indicate I’m booting an non-secure U-Boot (bootloader not updated on media)?
  2. What is the correct way to enable hab_status in a Yocto build for Verdin iMX8MP?
  3. What is the recommended method to confirm HAB signing/verification on an open device before fusing (expected console messages / commands)?
2

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.

I’d be glad to help! Could you let me know which OS and version you are using?

To provide you with the most accurate guidance for HAB secure boot setup on your Verdin iMX8MP, I need to understand your complete platform configuration. Could you please share:

  1. OS Version: Which version of Torizon OS or BSP are you running?
  2. Complete Platform Info: You can get this by running the tdx-info command on your device - see tdx-info documentation for details

The missing hab_status command and verification behavior can vary significantly between different OS versions and configurations, so knowing your exact platform will help me provide the most relevant troubleshooting steps for your HAB secure boot implementation.

Best regards, Toradex AI Assistant.

Did you like my answer? :+1: :-1:

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.

3

Here are the details asked for:

tdx-info

Bootloader: U-Boot

Kernel version: 6.6.101-rt59-7.4.0-devel #1 SMP PREEMPT_RT Thu
Distro name: NAME=“TDX Wayland with XWayland”
Distro version: VERSION_ID=7.4.0-devel-20251007093847-build.0
Distro variant: -
Hostname: verdin-imx8mp-15629381

Hardware info

HW model: Toradex Verdin iMX8M Plus WB on Verdin Development Board

Toradex version: 0070 V1.1A
Serial number: 15629381
Processor arch: aarch64

4

Thank you for providing the platform details. Based on your Torizon OS 7.4.0-devel setup on Verdin iMX8M Plus, I can help address your HAB secure boot questions.

Understanding the hab_status Command

For your Verdin iMX8M Plus, the correct command is ahab_status, not hab_status (1). The Verdin iMX8M Plus uses AHAB (Advanced High Assurance Boot) rather than HAB (1). On iMX8M devices, this feature is available and it is called AHAB (1).

Try running:

Verdin iMX8MP # ahab_status

Addressing Your Specific Questions

1. Missing hab_status Command

The missing hab_status command doesn’t indicate a non-secure U-Boot (1). For your iMX8M Plus platform, you should use ahab_status instead to check the secure boot status (1).

2. Enabling AHAB Status in Yocto Build

Your current Yocto configuration looks correct for enabling secure boot (1). The tdx-signed class enables HAB/AHAB support by default when inherited (1). Your configuration with:

  • INHERIT += "tdx-signed"
  • TDX_IMX_HAB_ENABLE = "1"

Should enable the necessary AHAB functionality (1).

3. Confirming AHAB Signing/Verification

To confirm AHAB signing and verification on an open device before fusing (1):

  1. Use the correct status command: Run ahab_status instead of hab_status (1)
  2. Check for verification messages: You should see signature verification during boot (1)
  3. Verify fuse commands generation: After your build, check for the generated fuse-cmds.txt file in your images directory (1)

Device State and Verification

On NXP devices, the Secure Boot image will run normally after installation because the device is in the open state (1). In this state, the ROM code does not prevent the boot of unsigned images, but signed images should still show verification messages (1).

Next Steps

  1. Try ahab_status command in U-Boot
  2. Check your build output for fuse-cmds.txt in the images directory
  3. Look for AHAB-related verification messages during boot rather than HAB messages

The fact that you see hash verification (sha256+ OK) indicates that FIT image signing is working correctly (1).

Best regards, Toradex AI Assistant.

Did you like my answer? :+1: :-1:

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.

5

I tried your suggestion, but on my Verdin iMX8MP both commands are missing:
Verdin iMX8MP # hab_status
Unknown command ‘hab_status’ - try ‘help’

Verdin iMX8MP # ahab_status
Unknown command ‘ahab_status’ - try ‘help’
Given both commands are unknown, it looks like the HAB status command is simply not compiled into the U-Boot I’m currently running. In my Yocto build I have enabled signing via:
INHERIT += “tdx-signed”
TDX_IMX_HAB_ENABLE = “1”
UBOOT_SIGN_ENABLE = “1”
(and CST config, keys, etc.)

  1. For Verdin iMX8MP, what exact U-Boot config options are needed to enable the HAB status command ? Do you have a recommended U-Boot config fragment / bbappend example for meta-toradex-security to ensure hab_status is available?
  2. If the HAB command is intentionally not present, what is Toradex’s recommended way to read/verify HAB events on iMX8MP ?
  3. During FIT boot I only see “Verifying Hash Integrity … sha256+ OK” for kernel/ramdisk/dtb. What exact boot log lines should I expect when FIT signature verification is enabled and actually being enforced by U-Boot?
6

If the hab_status command is not available in U-Boot, it sounds like something strange happened in your build. If you have TDX_IMX_HAB_ENABLE enabled with meta-toradex-security then the resulting U-Boot should have this command available. Are you flashing the full image onto the device? Maybe the bootloader is old and not the one you just built?

Best Regards,
Jeremias

7

It is a shame toradex is using only a bot to reply and giving wrong information, IMX8MP uses HABv4 not AHAB.