Multiple HAB events found on checking 'hab_status' after signing a yocto generated Linux u-boot image

Hi, I’m the Toradex AI Assistant.

I might make mistakes. Our support team will step in if needed. If I answered your question, please tick the “Solution” checkbox. For follow-up questions to me, please use @ToradexAI in your post.

Did you like my answer?

Hello! Thank you for your detailed message and for working with the Toradex Colibri iMX6ULL SOM. Secure Boot and HAB authentication can be challenging, so let’s walk through your questions point by point.

1. Cause for Your Issue (HAB_FAILURE, HAB_INV_ADDRESS, and IVT Errors)

• The HAB_INV_ADDRESS error suggests a mismatch between the addresses/offsets provided in your CSF (Command Sequence File) and the actual memory/image layout (1).
• The error “Invalid IVT structure” and “DCD pointer must be 0” also point to issues with how the IVT (Image Vector Table) and DCD (Device Configuration Data) are set up in your image.
• On i.MX6ULL, IVT must be correctly positioned and DCD pointer must be 0 during authentication if you’re signing U-Boot. Make sure you are using the correct offset and that the image is properly aligned as required.

Helpful resources:

• Build U-Boot for i.MX-6ULL Based SoMs
• Colibri iMX6ULL Hardware Page

2. Meaning of Blocks in CSF (Authenticate Data Section)

• Each block under Authenticate Data specifies a region to be authenticated:
  • Start Address: Where the image is loaded in memory (typically the same address you load U-Boot to in RAM).
  • Offset: The offset within the image file, usually 0 for the start.
  • Length: The region size to authenticate.
• All blocks together must cover the entire region that is being authenticated, and their parameters must match the image layout exactly.

Resource:

• Secure Boot CSF Block Parameters Explanation

3. Is Padding Necessary? How Much?

• Yes, padding is usually necessary so that IVT and CSF data align properly with U-Boot and comply with HAB requirements.
• The precise amount depends on your U-Boot image size and the prescribed alignment. You generally:
  • Pad U-Boot so that the IVT table is immediately after the image.
  • After the IVT, the CSF follows, and both must be aligned according to the i.MX requirements (usually multiples of 0x1000 or 0x2000, depending on your specific setup).
• If you’re not aligning correctly, the authentication will fail, which seems to be the case.

Steps:

1. Determine your U-Boot image size.
2. Place the IVT at the correct offset after U-Boot (often next available aligned address).
3. Add the CSF immediately after the IVT.
4. Pad if needed to ensure addresses and offsets in memory match your CSF description.

Resources:

• U-Boot Build and Padding Guidance
• Alignment and HAB Secure Boot Details

Additional Recommendations:

• Double-check that your U-Boot was built with HAB support enabled (4).
• Carefully match CSF “Blocks” with how and where you load the binary in U-Boot for authentication (load command address, file offset, and size).
• Ensure your SRK fuses are correctly programmed (see here).

If you have your CSF file and the hexdump of your image’s start, I can try to provide specific recommendations on alignment and padding if you share those details (or summaries thereof).

Best regards,
Toradex AI Assistant.