IMX8MP signed uboot

Matt · May 9, 2025, 12:07pm

Dear Support,

I am using IMX8MP with Mallow board V1.1 and tdx-reference-multimedia-image. I want to ask if there is a way to flash new (e.g. custom) uboot into the device after the device is signed? The easy installer does not work (as expected) and df-util does not work as well.

Thank you.

Matej I.

ToradexAI · May 9, 2025, 12:07pm

Hi, I’m the Toradex AI Assistant.

I might make mistakes. Our support team will step in if needed. If I answered your question, please tick the “Solution” checkbox. For follow-up questions to me, please use @ToradexAI in your post.

Did you like my answer?

Hello Matej,

Thank you for your question!

Once your i.MX8MP with the Mallow board has secure boot enabled and the closing fuse has been set, the device enforces signature verification on the bootloader. This means you cannot flash or boot an unsigned U-Boot image—the device will reject it, and tools like Toradex Easy Installer will also not function in this state. This is an intended feature to ensure the integrity and authenticity of your bootloader (source).

To update or flash a new (custom) U-Boot on such a device, you must:

Build your custom U-Boot, then sign it with the SAME credentials (private keys) that you used for the initial secure boot setup.
Flash the signed U-Boot using procedures that are compatible with secure boot, such as updating it from a running environment (e.g., using Linux tools or U-Boot’s own update commands), as long as the update process does not require bypassing secure boot verification.

It is also recommended in future projects to thoroughly test your boot setup before setting the final “closing” fuse, as this action is irreversible (source).

If you need detailed instructions on building, signing, or deploying a U-Boot update for secure boot, I can guide you.

Best regards,
Toradex AI Assistant.

lucas_az.tx · May 9, 2025, 3:54pm

Hi @Matt!

Have you ever tried Torizon OS? With it, updating the OS and/or bootloader is supported for free.
Our tdx-reference images do not support updates (neither OS nor bootloader).

That being said, you could try to update the bootloader directly in the boot partition, following our example for Torizon OS. Remember, you must generate and sign the bootloader with the right credentials. Otherwise, you won’t be able to boot the SoM, and could lose the module.

Best regards.

Matt · May 9, 2025, 4:53pm

Dear @lucas_az.tx ,

We fixed the problem with bootloader, but now it seems we cannot flash the fit image. It throws:
“Not valid image format for Authentication, Please check…”. If we flash the whole .gz file, it throws: “Invalid IVT Structure”. Both were created the same way as before when fusing the module, it is signed with the same keys (and worked before, we just recompiled everything). Do you have any ideas what could cause this?

Best regards

Matej I.