Secure boot using IMX8MP and Mallow board V1.1

Hello Toradex support,

I am trying to use secure boot on IMX8MP and Mallow board V1.1. I followed the code-signing-tool from NXP (CST_UG.pdf in cst-3.4.1):

cd keys

./hab4_pki_tree.sh

with rsa, 2048, and 4 keys

cd ../crts

../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c SRK1_sha256_2048_65537_v3_usr_crt.pem,SRK2_sha256_2048_65537_v3_usr_crt.pem,SRK3_sha256_2048_65537_v3_usr_crt.pem,SRK4_sha256_2048_65537_v3_usr_crt.pem -f 1

Then, I try to build tdx-reference-multimedia-image using Yocto, modifying local.conf:

# SECURE BOOT
INHERIT += "tdx-signed"
TDX_IMX_HAB_ENABLE = "1"
UBOOT_SIGN_ENABLE = "1"
TDX_IMX_HAB_CST_SRK_CA = "0"
TDX_IMX_HAB_CST_KEY_SIZE = "2048"
TDX_IMX_HAB_CST_DIG_ALGO = "sha256"
TDX_IMX_HAB_CST_DIR = "/home/matej/cst-3.4.1"
TDX_IMX_HAB_CST_CERTS_DIR = "/home/matej/cst-3.4.1/crts"

The build, however, fails. Here is the log:

WARNING: You have included the meta-tpm layer, but 'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend files and preferred version setting may not take effect. See the meta-tpm README for details on enabling tpm support.
WARNING: You have included the meta-security layer, but 'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files and preferred version setting may not take effect. See the meta-security README for details on enabling security support.
WARNING: Host distribution "linuxmint-21.3" has not been validated with this version of the build system; you may possibly experience unexpected failures. It is recommended that you use a tested distribution.
WARNING: No recipes in default available for:
  /home/matej/oe-core-imx8mp/build/../layers/meta-toradex-nxp/recipes-bsp/imx-mkimage/imx-mkimage_1.0.bbappend
  /home/matej/oe-core-imx8mp/build/../layers/meta-toradex-nxp/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.0.imx.bbappend
NOTE: Resolving any missing task queue dependencies

Build Configuration:
BB_VERSION           = "2.0.0"
BUILD_SYS            = "x86_64-linux"
NATIVELSBSTRING      = "universal"
TARGET_SYS           = "aarch64-tdx-linux"
MACHINE              = "verdin-imx8mp"
DISTRO               = "tdx-xwayland"
DISTRO_VERSION       = "6.7.0-devel-20250114114651+build.0"
TUNE_FEATURES        = "aarch64 armv8a crc cortexa53"
TARGET_FPU           = ""
meta-toradex-nxp     = "HEAD:92a03e8efa00234026139919789989a11bc7ed58"
meta-freescale       = "HEAD:4c81b4161b99698b03332842b588dd8235ac47e4"
meta-freescale-3rdparty = "HEAD:9e94b64bdfebcf7bfdf2af6447cec866a4efa814"
meta-toradex-ti      = "HEAD:514cf7550c3873c8011b63e4a52f46223c2ea0f6"
meta-arm-toolchain   
meta-arm             = "HEAD:260e3adc2bf322f52d81c0642c825088a88bb051"
meta-ti-bsp          
meta-ti-extras       = "HEAD:c57b63147d2ac0dde16e43f7407d0ff50e62efdb"
meta-toradex-bsp-common = "HEAD:0fc41401fb86fa642f43c103441a81c69498a0ce"
meta-oe              
meta-filesystems     
meta-gnome           
meta-xfce            
meta-networking      
meta-multimedia      
meta-python          = "HEAD:8e297cdc841c6cad34097f00a6903ba25edfc153"
meta-freescale-distro = "HEAD:d5bbb487b2816dfc74984a78b67f7361ce404253"
meta-toradex-demos   = "HEAD:df4296ba9a5334ac036b2445dd7fe848de9290bb"
meta-qt5             = "HEAD:644ebf220245bdc06e7696ccc90acc97a0dd2566"
meta-tpm             = "HEAD:353078bc06c8b471736daab6ed193e30d533d1f1"
meta-toradex-distro  = "HEAD:7212583d894bbf5501fb1ff20c131ce485b4e4b7"
meta-poky            = "HEAD:6518f291d692997632304451695b6c194fec6fa6"
meta                 = "HEAD:ab2649ef6c83f0ae7cac554a72e6bea4dcda0e99"
meta-custom          = "<unknown>:<unknown>"
meta-perl            = "HEAD:8e297cdc841c6cad34097f00a6903ba25edfc153"
meta-security        = "HEAD:353078bc06c8b471736daab6ed193e30d533d1f1"
meta-toradex-security = "kirkstone-6.x.y:c05a06c4283beb2ad36e08d22d97eee3d52778f3"

Sstate summary: Wanted 439 Local 430 Mirrors 0 Missed 9 Current 3197 (97% match, 99% complete)
NOTE: Executing Tasks
NOTE: Setscene tasks completed
NOTE: Running task 3899 of 8784 (/home/matej/oe-core-imx8mp/build/../layers/meta-toradex-nxp/recipes-kernel/linux/linux-toradex_5.15-2.2.x.bb:do_package_qa)
NOTE: recipe linux-toradex-5.15.148+gitAUTOINC+f437ddb719-r0: task do_package_qa: Started
NOTE: Running task 8401 of 8784 (/home/matej/oe-core-imx8mp/build/../layers/meta-freescale/recipes-bsp/imx-mkimage/imx-boot_1.0.bb:do_compile)
NOTE: recipe imx-boot-1.0-r0: task do_compile: Started
ERROR: imx-boot-1.0-r0 do_compile: ExecutionError('/home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/temp/run.do_compile.8420', 126, None, None)
ERROR: Logfile of failure stored in: /home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/temp/log.do_compile.8420
NOTE: recipe imx-boot-1.0-r0: task do_compile: Failed
ERROR: Task (/home/matej/oe-core-imx8mp/build/../layers/meta-freescale/recipes-bsp/imx-mkimage/imx-boot_1.0.bb:do_compile) failed with exit code '1'
NOTE: recipe linux-toradex-5.15.148+gitAUTOINC+f437ddb719-r0: task do_package_qa: Succeeded
NOTE: Tasks Summary: Attempted 8759 tasks of which 8757 didn't need to be rerun and 1 failed.
NOTE: Writing buildhistory
NOTE: Writing buildhistory took: 3 seconds

I also include the log file /home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/temp/log.do_compile.8420.
log.do_compile.8420 (6.5 KB)

I am not sure the whole process is correct. Do you have any suggestions what may cause the problem?

Thank you.

Best regards

Matej I.

Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!


Hello Matej,

Thank you for reaching out with your question about enabling secure boot on the IMX8MP with the Mallow board V1.1. Let’s go through some steps to help resolve the build failure you’re experiencing.

  1. Yocto Configuration: Double-check your local.conf file to ensure all paths and variables related to secure boot are correctly set. Verify that TDX_IMX_HAB_CST_DIR and TDX_IMX_HAB_CST_CERTS_DIR point to the correct directories.

  2. Dependencies and Layers: The warnings about meta-tpm and meta-security layers suggest missing features. Ensure DISTRO_FEATURES includes tpm or tpm2 and security if needed.

  3. Host Distribution: Consider using a validated host distribution like Ubuntu, as your current Linux Mint version might introduce unexpected issues.

  4. Recipe and Layer Setup: Check your bblayers.conf to ensure all necessary layers are included and correctly configured, especially for imx-mkimage and gstreamer.

  5. Log File Analysis: Review the log.do_compile.8420 file for specific error messages that could indicate the root cause of the failure. Look for missing dependencies or permission issues.

  6. Secure Boot Keys: Ensure the keys generated with the NXP tool are correctly integrated into your build process and are in the expected format and location.

  7. Clean Build Environment: Sometimes, residual files from previous builds can cause issues. Consider cleaning the build environment with bitbake -c cleanall <recipe> for affected recipes before rebuilding.

By addressing these areas, you should be able to identify and resolve the issue causing the build failure. If you need further assistance, feel free to reach out.

Best regards,
Toradex AI Assistant

Greetings @Matt,

I just tried a Yocto build myself here and it completed without any issues. For reference I built verdin-imx8mp with the following configurations:

INHERIT += "tdx-signed"
TDX_IMX_HAB_CST_DIR = "/workdir/torizon/layers/cst"

Everything else is using the default values as documented: meta-toradex-security/docs/README-secure-boot-imx.md at kirkstone-6.x.y · toradex/meta-toradex-security · GitHub

I noticed you’re not using the latest for the Kirkstone build, maybe try updating your build to latest and see if it works. On my side my build has the following hashes for the meta-layers:

Build Configuration:
BB_VERSION           = "2.0.0"
BUILD_SYS            = "x86_64-linux"
NATIVELSBSTRING      = "debian-11"
TARGET_SYS           = "aarch64-tdx-linux"
MACHINE              = "verdin-imx8mp"
DISTRO               = "torizon"
DISTRO_VERSION       = "6.8.1-devel-20250114204715+build.0"
TUNE_FEATURES        = "aarch64 armv8a crc cortexa53"
TARGET_FPU           = ""
meta-toradex-torizon = "kirkstone-6.x.y:81a898a6c511db9da1c4b588ff83848858dcbf1f"
meta-toradex-security = "HEAD:f0e742a02d61dff3f80023ca1074f27b1210688b"
meta-toradex-distro  = "HEAD:3c38a3acc69b7ad28908044bc2735a9d4f2b4e9f"
meta-toradex-bsp-common = "HEAD:ba654fce46cb76cf9b5141a219506f27db9d81bb"
meta-oe
meta-networking
meta-filesystems
meta-python
meta-perl            = "HEAD:7b3fdcdfaab2fc964bbf9eec2cce4e03001fa8cf"
meta-virtualization  = "HEAD:02a6c00d9370992a54296633de26a13a9a08ca2a"
meta-updater         = "HEAD:7c6232ed799e5cce837ad811ef1bddd44f12ecea"
meta-toradex-nxp     = "HEAD:a82c2e40db2991924b21b12eb141e6fe5b62bb13"
meta-freescale       = "HEAD:c525e0c19bdc46d45f71873b5f286f49abb69418"
meta-freescale-3rdparty = "HEAD:9e94b64bdfebcf7bfdf2af6447cec866a4efa814"
meta-yocto-bsp
meta-poky            = "HEAD:f9d0be9bb3c447cad6292434b803c317c9efac53"
meta-security        = "HEAD:353078bc06c8b471736daab6ed193e30d533d1f1"
meta-toradex-ti      = "HEAD:38f4b5c1af28ead6bc6ff21812bea33951c5f2a6"
meta-arm-toolchain
meta-arm             = "HEAD:936c02ec13661bd86a05f7f90e1b920d5092d670"
meta-ti-bsp
meta-ti-extras       = "HEAD:417233481d8daa46633045fac358260d07cf1670"
meta                 = "HEAD:a20b02fdfe64c005f7587a1d9077bdc282f7b6b1"

This was with our Torizon distro and image instead of the reference image. Though this shouldn’t make a huge difference for this, since your build failed on a common recipe.

Best Regards,
Jeremias

Dear @jeremias.tx ,

Thank you for the information. Now I got the error

 |  ERROR: Could not find '/home/matej/cst-3.4.1/crts/SRK1_sha256_2048_65537_v3_ca_crt.pem'

Because I did not have CA flag set when creating keys. Should there be CA flag when creating keys for fusing via NXP tool? (so SRK1_sha256_2048_65537_v3_ca_crt.pem instead of SRK1_sha256_2048_65537_v3_usr_crt.pem)

I tried to build it with CA flag on different computer and the build was successful. However, when I install the image (without fusing keys via Uboot console), the image loads successfully. Is this expected behaviour? When I dealt with secure boot implementation on AM62 and I built the image, I could not get into the image without fusing the keys first (that is the point of secure boot). It is possible that the build was successful but it did not sign it? Should I be able to enter the installed system without fusing the keys?

Thank you.

Matej I.

> Should there be CA flag when creating keys for fusing via NXP tool?

Well, it’s optional. Depending on how you generated your keys, you should set the appropriate values for TDX_IMX_HAB_CST_SRK_CA in your Yocto build. On my side during my test build I generated keys with the CA flag. No particular reason I did, it was just a test anyways.

> However, when I install the image (without fusing keys via Uboot console), the image loads successfully. Is this expected behaviour? When I dealt with secure boot implementation on AM62 and I built the image, I could not get into the image without fusing the keys first (that is the point of secure boot). It is possible that the build was successful but it did not sign it? Should I be able to enter the installed system without fusing the keys?

Yeah, that is expected. All the Yocto build does is sign the U-Boot bootloader binary. However, the NXP secure-boot behavior itself isn’t actually enforced until the fuses are set on the device. Until the fuses are set, the device will still boot whatever software you flash to it. If you check your Yocto build in the deploy directory there should be a file called fuses-cmds.txt that contains the commands that should be executed in U-Boot to set your fuses for your keys.

Keep in mind these fuses are one-time only irreversible operations. Once you set the final closing fuse, then that device will only boot bootloaders that have been signed with matching credentials. This also means you can’t run our Toradex Easy Installer either making it difficult to work with such a fused device.
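
Because the fuses are irreversible, it is worth confirming that the values to be programmed are the SRK hash that srktool wrote to SRK_1_2_3_4_fuse.bin. The following is an added example, not code from this thread, Toradex or NXP; it assumes the command file has one `fuse prog ... <hexval>` line per word with the eight SRK words first, and the function names and sample values are constructed.

```shell
#!/bin/sh
# Added example: check that the values a fuse command file would burn are
# the SRK hash words stored in SRK_1_2_3_4_fuse.bin (32 bytes for sha256).
# Assumption: one `fuse prog ... <hexval>` line per word, SRK words first.

# Print the eight little-endian 32-bit words of a 32-byte SRK fuse file.
srk_fuse_words() {
    [ "$(wc -c < "$1")" -eq 32 ] || { echo "not 32 bytes: $1" >&2; return 1; }
    od -An -v -tx1 "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            b[n++ % 4] = $i
            if (n % 4 == 0) print b[3] b[2] b[1] b[0]
        }
    }'
}

# Strip "0x" and leading zeros so 0x0C0B0A09 and c0b0a09 compare equal.
_hexnorm() {
    tr 'A-FX' 'a-fx' | sed -e 's/^0x//' -e 's/^0*//' -e 's/^$/0/'
}

# Print the value of the first eight `fuse prog` lines, normalised.
fuse_cmd_words() {
    awk '$1 == "fuse" && $2 == "prog" { print $NF }' "$1" | head -n 8 | _hexnorm
}

# srk_fuses_match FUSE_BIN CMD_FILE -> 0 only if all eight words agree in order.
srk_fuses_match() {
    want=$(srk_fuse_words "$1" | _hexnorm)
    got=$(fuse_cmd_words "$2")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Constructed sample: a fuse file holding bytes 0x01..0x20 and a command file
# whose last word is "$1". <bank> and <word> are placeholders; only the values
# are compared.
srk_demo() {
    d=$(mktemp -d) || return 1
    f="$d/SRK_1_2_3_4_fuse.bin"
    printf '\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020' > "$f"
    printf '\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037\040' >> "$f"
    for w in 04030201 08070605 0C0B0A09 100F0E0D 14131211 18171615 1C1B1A19 "$1"; do
        echo "fuse prog -y <bank> <word> 0x$w"
    done > "$d/cmds.txt"
    rc=0
    srk_fuses_match "$f" "$d/cmds.txt" || rc=$?
    rm -rf "$d"
    return $rc
}

srk_demo 201F1E1D && echo "fuse values match the SRK hash file"
srk_demo 201F1E1E || echo "MISMATCH: do not program these fuses"
```
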

Thank you for the information, I do not have the file fuses-cmds.txt in the deploy folder. What I find weird is the log file that the error of the build refers to:

ERROR: imx-boot-1.0-r0 do_compile: ExecutionError('/home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/temp/run.do_compile.6415', 126, None, None)
ERROR: Logfile of failure stored in: /home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/temp/log.do_compile.6415

But I do not see errors in the log file itself:

DEBUG: Executing shell function do_compile
NOTE: UBOOT_CONFIG = sd, UBOOT_DTB_NAME = imx8mp-verdin.dtb
NOTE: 8MQ/8MM/8MN/8MP boot binary build
NOTE: Copy ddr_firmware: lpddr4_pmu_train_1d_dmem_202006.bin from /home/matej/oe-core-imx8mp/build/deploy/images/verdin-imx8mp -> /home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/iMX8M 
NOTE: Copy ddr_firmware: lpddr4_pmu_train_1d_imem_202006.bin from /home/matej/oe-core-imx8mp/build/deploy/images/verdin-imx8mp -> /home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/iMX8M 
NOTE: Copy ddr_firmware: lpddr4_pmu_train_2d_dmem_202006.bin from /home/matej/oe-core-imx8mp/build/deploy/images/verdin-imx8mp -> /home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/iMX8M 
NOTE: Copy ddr_firmware: lpddr4_pmu_train_2d_imem_202006.bin from /home/matej/oe-core-imx8mp/build/deploy/images/verdin-imx8mp -> /home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/iMX8M 
NOTE: building iMX8MP -  flash_evk_emmc_fastboot
31764+0 records in
31764+0 records out
127056 bytes (127 kB, 124 KiB) copied, 0.0211984 s, 6.0 MB/s
./../scripts/dtb_check.sh imx8mp-evk.dtb evk.dtb imx8mp-verdin.dtb-sd
Use u-boot DTB: imx8mp-verdin.dtb-sd
./../scripts/pad_image.sh tee.bin
Pad file tee.bin NOT found
./../scripts/pad_image.sh bl31.bin
bl31.bin is padded to 41296
./../scripts/pad_image.sh u-boot-nodtb.bin evk.dtb
u-boot-nodtb.bin + evk.dtb are padded to 917216
BL32=tee.bin DEK_BLOB_LOAD_ADDR=0x40400000 TEE_LOAD_ADDR=0x56000000 ATF_LOAD_ADDR=0x00970000 ../iMX8M/mkimage_fit_atf.sh evk.dtb > u-boot.its
bl31.bin size: 
41296
u-boot-nodtb.bin size: 
858040
evk.dtb size: 
59176
mkimage -E -p 0x5000 -f u-boot.its u-boot.itb
FIT description: Configuration to load ATF before U-Boot
Created:         Wed Oct 19 06:29:00 2022
 Image 0 (uboot-1)
  Description:  U-Boot (64-bit)
  Created:      Wed Oct 19 06:29:00 2022
  Type:         Standalone Program
  Compression:  uncompressed
  Data Size:    858040 Bytes = 837.93 KiB = 0.82 MiB
  Architecture: AArch64
  Load Address: 0x40200000
  Entry Point:  unavailable
 Image 1 (fdt-1)
  Description:  evk
  Created:      Wed Oct 19 06:29:00 2022
  Type:         Flat Device Tree
  Compression:  uncompressed
  Data Size:    59176 Bytes = 57.79 KiB = 0.06 MiB
  Architecture: Unknown Architecture
 Image 2 (atf-1)
  Description:  ARM Trusted Firmware
  Created:      Wed Oct 19 06:29:00 2022
  Type:         Firmware
  Compression:  uncompressed
  Data Size:    41296 Bytes = 40.33 KiB = 0.04 MiB
  Architecture: AArch64
  OS:           Unknown OS
  Load Address: 0x00970000
 Default Configuration: 'config-1'
 Configuration 0 (config-1)
  Description:  evk
  Kernel:       unavailable
  Firmware:     uboot-1
  FDT:          fdt-1
  Loadables:    atf-1
./mkimage_imx8 -version v2 -dev emmc_fastboot -fit -loader u-boot-spl-ddr.bin 0x920000 -second_loader u-boot.itb 0x40200000 0x60000 -out flash.bin
Platform:	i.MX8M (mScale)
ROM VERSION:	v2
BOOT DEVICE:	emmc_fastboot
Using FIT image
LOADER IMAGE:	u-boot-spl-ddr.bin start addr: 0x00920000
SECOND LOADER IMAGE:	u-boot.itb start addr: 0x40200000 offset: 0x00060000
Output:		flash.bin
fit_size: 888
1+0 records in
1+0 records out
888 bytes copied, 5.829e-05 s, 15.2 MB/s
FIT hash: deec96adb5b196a880b8ad28aab9b3c4192ae46629486ac266e586aaea543
========= IVT HEADER [HDMI FW] =========
header.tag: 		0x0
header.length: 		0x0
header.version: 	0x0
entry: 			0x0
reserved1: 		0x0
dcd_ptr: 		0x0
boot_data_ptr: 		0x0
self: 			0x0
csf: 			0x0
reserved2: 		0x0
boot_data.start: 	0x0
boot_data.size: 	0x0
boot_data.plugin: 	0x0
========= IVT HEADER [PLUGIN] =========
header.tag: 		0x0
header.length: 		0x0
header.version: 	0x0
entry: 			0x0
reserved1: 		0x0
dcd_ptr: 		0x0
boot_data_ptr: 		0x0
self: 			0x0
csf: 			0x0
reserved2: 		0x0
boot_data.start: 	0x0
boot_data.size: 	0x0
boot_data.plugin: 	0x0
========= IVT HEADER [LOADER IMAGE] =========
header.tag: 		0xd1
header.length: 		0x2000
header.version: 	0x41
entry: 			0x920000
reserved1: 		0x0
dcd_ptr: 		0x0
boot_data_ptr: 		0x91ffe0
self: 			0x91ffc0
csf: 			0x9571c0
reserved2: 		0x0
boot_data.start: 	0x91ffc0
boot_data.size: 	0x39260
boot_data.plugin: 	0x0
========= OFFSET dump =========
Loader IMAGE:
 header_image_off 	0x0
 dcd_off 		0x0
 image_off 		0x40
 csf_off 		0x37200
 spl hab block: 	0x91ffc0 0x0 0x37200

Second Loader IMAGE:
 sld_header_off 	0x60000
 sld_csf_off 		0x61020
 sld hab block: 	0x401fadc0 0x60000 0x1020
SPL CSF block:
	Blocks = 	0x91ffc0 0x0 0x37200 "flash.bin"
SLD CSF block:
	Blocks = 	0x401fadc0 0x60000 0x1020 "flash.bin",\
 fit-fdt csf_off 	0x63020
 fit-fdt hab block: 	0x401fadc0 0x60000 0x3020
SLD FIT-FDT CSF block:
	Blocks = 	0x401fadc0 0x60000 0x3020 "flash.bin"
NOTE: UBOOT_CONFIG = sd, UBOOT_DTB_NAME = imx8mp-verdin.dtb
NOTE: 8MQ/8MM/8MN/8MP boot binary build
NOTE: Copy ddr_firmware: lpddr4_pmu_train_1d_dmem_202006.bin from /home/matej/oe-core-imx8mp/build/deploy/images/verdin-imx8mp -> /home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/iMX8M 
NOTE: Copy ddr_firmware: lpddr4_pmu_train_1d_imem_202006.bin from /home/matej/oe-core-imx8mp/build/deploy/images/verdin-imx8mp -> /home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/iMX8M 
NOTE: Copy ddr_firmware: lpddr4_pmu_train_2d_dmem_202006.bin from /home/matej/oe-core-imx8mp/build/deploy/images/verdin-imx8mp -> /home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/iMX8M 
NOTE: Copy ddr_firmware: lpddr4_pmu_train_2d_imem_202006.bin from /home/matej/oe-core-imx8mp/build/deploy/images/verdin-imx8mp -> /home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/iMX8M 
/home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/mx8m_create_csf.sh -t flash_evk_emmc_fastboot
Verified TDX_IMX_HAB_CST_SRK=/home/matej/cst-3.4.1/crts/SRK_1_2_3_4_table.bin
Verified TDX_IMX_HAB_CST_SRK_CERT=/home/matej/cst-3.4.1/crts/SRK1_sha256_2048_65537_v3_ca_crt.pem
Verified TDX_IMX_HAB_CST_CSF_CERT=/home/matej/cst-3.4.1/crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem
Verified TDX_IMX_HAB_CST_IMG_CERT=/home/matej/cst-3.4.1/crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem
Verified TDX_IMX_HAB_CST_BIN=/home/matej/cst-3.4.1/linux64/bin/cst
Verified IMXBOOT=/home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/git/imx-boot-verdin-imx8mp-sd.bin-flash_evk_emmc_fastboot
Verified LOG_MKIMAGE=/home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/mkimage.log
Verified LOG_PRINT_FIT_HAB=/home/matej/oe-core-imx8mp/build/tmp/work/verdin_imx8mp-tdx-linux/imx-boot/1.0-r0/mkimage.hab
Creating CSF file: flash_evk_emmc_fastboot-csf-spl.csf
WARNING: exit code 126 from a shell command.

What causes the error?

Best regards

Matej I.

Wait, I thought you said in your previous comment that the build was successful now? Did you change something? If your build was successful then there should be a fuse-cmds.txt file in your deploy directory along with all the other build artifacts.

Looking at your log file the last printed line is:

Creating CSF file: flash_evk_emmc_fastboot-csf-spl.csf

This comes from this script that is run during the build to generate the CSF file: meta-toradex-security/dynamic-layers/freescale/recipes-bsp/imx-mkimage/files/mx8m_create_csf.sh at kirkstone-6.x.y · toradex/meta-toradex-security · GitHub

This means something after this line is printed is silently failing for you, for some reason. It’s hard to say what failed though since there’s no log lines after this. You may need to trace the script starting from that log line onwards to see where your build might be failing silently. I can’t seem to reproduce your build issue so I’m not sure what the issue could be.

Best Regards,
Jeremias

Hello @jeremias.tx ,

Yes, the build was successful, but I tried it on two PCs. The aforementioned error was caused by privileges to the cst folder from NXP. Now it works.

Thank you for the information. It seems that the fusing was successful now. Is there an indication during boot that the fusing is active? During boot I see:

Verifying Hash Integrity ... sha256,rsa2048:dev+ OK

Is that the debug log when hashes are compared?

My second question is about Easy installer. Now, when I go to recovery mode and try to run the EasyInstaller script, I get the following error:

HID(W):LIBUSB_ERROR_IO

I guess this is intended, as the tezi feature is disabled by secure boot. Is this correct?

Thank you.

Best regards

Matej I.
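
Both build failures in this thread, the missing `SRK1_..._ca_crt.pem` and the exit code 126 traced to privileges on the CST folder, can be caught before a long build. The preflight below is an added example, not part of the original posts or of meta-toradex-security; the mapping from TDX_IMX_HAB_CST_SRK_CA to certificate file names is inferred from the error and log lines above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for the CST inputs listed as "Verified ..." in the
# build log. Cert-name mapping (SRK_CA=1 -> *_ca_crt.pem, 0 -> *_usr_crt.pem)
# is inferred from the error and log lines in this thread.

_hab_problem() {            # report one finding and count it
    echo "PROBLEM: $1: $2"
    hab_problems=$((hab_problems + 1))
}

_hab_need_file() {          # a file the signing step only reads
    if [ ! -e "$1" ]; then _hab_problem "missing" "$1"
    elif [ ! -r "$1" ]; then _hab_problem "not readable by $(id -un)" "$1"
    fi
}

_hab_need_dir() {           # a directory it must enter and list
    if [ ! -d "$1" ]; then _hab_problem "missing directory" "$1"
    elif [ ! -r "$1" ] || [ ! -x "$1" ]; then
        _hab_problem "directory not accessible to $(id -un)" "$1"
    fi
}

# hab_preflight CST_DIR CERTS_DIR SRK_CA KEY_SIZE DIG_ALGO
# Returns 0 when every input is usable, 1 otherwise.
hab_preflight() {
    cst_dir=$1; certs_dir=$2; srk_ca=$3; key_size=$4; dig_algo=$5
    hab_problems=0
    stem="${dig_algo}_${key_size}_65537_v3"

    _hab_need_dir "$cst_dir/keys"
    _hab_need_dir "$certs_dir"

    # A cst binary the build user may not execute makes the shell return
    # exit code 126 (command found but not executable).
    cst_bin="$cst_dir/linux64/bin/cst"
    if [ ! -e "$cst_bin" ]; then _hab_problem "missing" "$cst_bin"
    elif [ ! -x "$cst_bin" ]; then _hab_problem "not executable (exit 126)" "$cst_bin"
    fi

    _hab_need_file "$certs_dir/SRK_1_2_3_4_table.bin"
    case $srk_ca in
        1) _hab_need_file "$certs_dir/SRK1_${stem}_ca_crt.pem"
           _hab_need_file "$certs_dir/CSF1_1_${stem}_usr_crt.pem"
           _hab_need_file "$certs_dir/IMG1_1_${stem}_usr_crt.pem" ;;
        0) _hab_need_file "$certs_dir/SRK1_${stem}_usr_crt.pem" ;;
        *) _hab_problem "TDX_IMX_HAB_CST_SRK_CA must be 0 or 1, got" "$srk_ca" ;;
    esac

    [ "$hab_problems" -eq 0 ]
}

# Constructed demo tree (temporary directory, empty placeholder files) that
# reproduces both failures: usr-only SRK certificates checked with SRK_CA=1,
# and a cst binary without the execute bit.
hab_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/keys" "$d/crts" "$d/linux64/bin"
    : > "$d/crts/SRK_1_2_3_4_table.bin"
    : > "$d/crts/SRK1_sha256_2048_65537_v3_usr_crt.pem"
    : > "$d/linux64/bin/cst"
    chmod 644 "$d/linux64/bin/cst"
    rc=0
    hab_preflight "$d" "$d/crts" 1 2048 sha256 || rc=$?
    rm -rf "$d"
    return $rc
}

hab_demo || echo "preflight failed, as constructed"
```

On a real tree, run it as the same user that runs bitbake, for example `hab_preflight /home/matej/cst-3.4.1 /home/matej/cst-3.4.1/crts 0 2048 sha256`, since the permission checks are evaluated for the calling user.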

> Thank you for the information. It seems that the fusing was successful now. Is there an indication during boot that the fusing is active? During boot I see:

There’s not really any visible indication. That log line you see is unrelated to NXP HAB and is related to the FIT image verification. If you set every fuse including the final closing fuse, then your indication is that the system booted in the first place. If something went wrong during fusing and you closed the device, then obviously the device wouldn’t boot at all in that case.

> I guess this is intended, as the tezi feature is disabled by secure boot. Is this correct?

As I said before in this thread, once you set the final closing fuse the device will only boot properly signed bootloaders. Toradex Easy Installer works by loading its own bootloader, therefore it wouldn’t work properly.

Best Regards,
Jeremias