Jeremias, great news!
I could finally make it work, from step 0 (creating the certs) using:
I guess it has to do with the openSSL version in the end.
Note: u-boot-nand.imx without CSF attached didn’t work
Hi @gasmbas,
I’m glad to hear the good news!
I still find it slightly odd that u-boot-nand.imx doesn’t work without the CSF but I suppose that is a minor point.
I can’t say I’m too surprised about the openSSL version being the cause, unfortunatley this isn’t too uncommon in the crypto world.
Thank you for your patience while we worked through issue.
Hello,
Just wanted to share my experience with getting secure boot to work on the Colibri i.MX6 ULL.
The steps outlined in High Assurance Boot (HAB) for dummies | Ezurio are correct, but there is one small detail that needs to be changed for the Colibri i.MX6 ULL.
Normally, the output file generated by U-boot is called u-boot.imx. However, for the Colibri i.MX6 ULL, another file is also generated, u-boot-nand.imx. This second file is generated by appending a 1024-byte zero padding to the end of u-boot.imx. u-boot-nand.imx is that we flash on to the device.
The HAB Blocks output at the end of the U-boot build refers to the length of u-boot.imx file, not u-boot-nand.imx. So, inside the Authenticate Data section of the CSF file, the Blocks parameter needs to refer to u-boot.imx. However, once the csf binary is generated, it needs to be appended to the end of the u-boot-nand.imx file. This will generate the final signed binary that you can flash on to the device.
