Secure boot vs ATF

Hi everyone,

on a meeting with a potential client we got asked about the capabilities of a secure boot in the iMX8. To my knowledge, secure boot is an UEFI verification where any binary load at boot needs to be validated against known keys, so I don’t really know how could this be applied to us in our former SPL + Uboot based booting.

However, checking the iMX8 page some interesting comments where done regarding the ATF (ARM Trusted Firmware), and checking a bit more of this, it looks like a similar idea but I’m not sure. Could we tell the customers that we offer Secure Boot through ARM Trusted Firmware? Can customers sign their own firmware to avoid others being booted? I can understand the concern of running custom firmware in their devices.

Thanks and best regards,

I guess if talking about secure boot on X86 resp. X86_64 this is certainly handled by the BIOS which nowadays may be UEFI. However, on ARM resp. ARM64 based systems running in a more embedded setting, UEFI is not quite that common as of yet. That said, at least on the i.MX 6 the secure boot feature is available as so-called high assurance boot (HAB). I would assume the i.MX 8 having similar functionality however, I did not verify whether that is true. Please note that at least as far as I know so far nobody at Toradex ever tried HAB as of yet. Please, further note that lately some security flaws were identified which may render HAB not quite as secure as one may wish for unless latest i.MX 6 chips are assembled.