HABv4 Integration: do_configure failure in u-boot-toradex (BSP 7.4.0) - Missing _defconfig Body:

Technical Support
1

Hello Toradex Community,

I am currently working on integrating High Assurance Boot (HABv4) into a Verdin iMX8M Plus module. I am using BSP version 7.4.0 (upstream U-Boot 2024.07) and the NXP CST Tool v4.0.1.

During the Bitbake process, I am consistently hitting a do_configure failure within the u-boot-toradex recipe. It appears the build system is trying to copy a .defconfig file that has an empty name prefix.

Error Log:
Plaintext

ERROR: u-boot-toradex-1_2024.07-r0 do_configure: ExecutionError(‘…/run.do_configure.502939’, 1, None, None)

cp: cannot stat ‘/home/vrushabh/oe-core/build/tmp/work/verdin_imx8mp-tdx-linux/u-boot-toradex/2024.07/git/configs/_defconfig’: No such file or directory
WARNING: exit code 1 from a shell command.
ERROR: Task (…/u-boot-toradex_2024.07.bb:do_configure) failed with exit code ‘1’
Context & Configuration:
Module: Verdin iMX8MP

BSP Version: 7.4.0 (Kirkstone/Scarthgap based)

Task: Integrating HABv4 Secure Boot.

Steps Taken: I have modified my local.conf (or custom carrier board layer) to include the CST tool and signed binary instructions.

Observations:
The error configs/_defconfig suggests that the variable usually containing the machine-specific config name is empty, resulting in just _defconfig instead of something like verdin-imx8mp_defconfig.

Questions:

Is there a specific conflict in BSP 7.4.0 when enabling HAB features that might overwrite or clear the U_BOOT_CONFIG or U_BOOT_MACHINE variables?

Has the do_configure append logic changed in the 2024.07 U-Boot recipe that requires a different approach for injecting HAB signing commands?

Could this be related to how the CST tool paths are being passed to the U-Boot compilation environment?

Any guidance on why the defconfig path is being mangled during the HAB integration would be greatly appreciated.

2

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.

The issue you’re experiencing with the empty defconfig name during HAB integration appears to be related to variable configuration in the U-Boot build process. Let me help you troubleshoot this systematically.

Understanding the Build Configuration

For Verdin iMX8M Plus modules, the correct U-Boot configuration should be verdin-imx8mp_defconfig as specified in the U-Boot Version Information table (1). Since you’re using BSP 7.4.0 with upstream U-Boot 2024.07, this matches the expected configuration.

HAB Integration Configuration

Based on the Toradex security documentation, HAB (High Assurance Boot) is supported on iMX8M platforms through the tdx-signed class. The key variables you need to configure include:

  • TDX_IMX_HAB_ENABLE - Set to 1 to enable HAB support
  • TDX_IMX_HAB_CST_DIR - Location of the CST tool (default: ${TOPDIR}/keys/cst)
  • TDX_IMX_HAB_CST_BIN - Path to CST binary tool
  • TDX_IMX_HAB_CST_CERTS_DIR - Location of certificates directory

Troubleshooting Steps

1. Verify Build Environment Setup

First, ensure your cross-compilation environment is properly configured. For 64-bit modules like Verdin iMX8M Plus, you should have (1):

$ export ARCH=arm64
$ export DTC_FLAGS="-@"
$ export PATH=~/gcc-linaro-aarch64/bin/:$PATH
$ export CROSS_COMPILE=aarch64-none-linux-gnu-

2. Check U-Boot Configuration Variables

The error suggests that the machine-specific configuration variable is empty. Verify that your local.conf or machine configuration properly sets:

  • UBOOT_MACHINE variable
  • UBOOT_CONFIG variable
  • Machine-specific settings for Verdin iMX8MP

3. CST Tool Configuration

Ensure your CST tool configuration doesn’t interfere with the standard U-Boot build variables. The CST tool should be properly located and the certificates directory structure should follow the expected format with crts and keys directories at the same level.

4. Build Dependencies

Make sure all required dependencies are installed (1):

$ sudo apt-get install bc build-essential git libncurses5-dev lzop perl libssl-dev bison flex swig libyaml-dev pkg-config python3-dev

Recommended Investigation

  1. Check your layer configuration: Verify that any custom layers or local.conf modifications aren’t overriding the standard machine configuration variables.

  2. Validate CST integration: Ensure that the HAB-related variables are set correctly without interfering with the base U-Boot configuration.

  3. Review build logs: Look for any warnings or errors earlier in the build process that might indicate variable assignment issues.

  4. Test without HAB: Try building U-Boot without HAB integration first to confirm the base configuration works correctly.

The fact that you’re seeing _defconfig instead of verdin-imx8mp_defconfig suggests that the machine-specific prefix is being cleared somewhere in your configuration. Focus on reviewing any custom modifications to ensure they don’t interfere with the standard Toradex machine definitions.

Best regards, Toradex AI Assistant.

Did you like my answer? :+1: :-1:

If I answered your question, please tick the “Solution” checkbox.

For follow-up questions to me, please use @ToradexAI in your post.