Secureboot (HAB) not working in Toradex BSP - 3.0.4 Apalis iMX6

Technical Support
, , , , ,
1

Target: Apalis iMX6
Carrier Board : Ixora
UBoot Version : 2019.07

Here adding a configuration in apalis_imx6_defconfig of u-boot-toradex
CONFIG_SECURE_BOOT=y

| ./tools/mkimage -n spl/u-boot-spl.cfgout -T imximage -e 0x00908000 -d spl/u-boot-spl.bin SPL >SPL.log && cat SPL.log
| Image Type: Freescale IMX Boot Image
| Image Ver: 2 (i.MX53/6/7 compatible)
| Mode: DCD
| Data Size: 65536 Bytes = 64.00 KiB = 0.06 MiB
| Load Address: 00907420
| Entry Point: 00908000
| HAB Blocks: 0x00907400 0x00000000 0x0000bc00
| DCD Blocks: 0x00910000 0x0000002c 0x00000004
| /home/karthik/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/1_2019.07+gitAUTOINC+26d926eda0-r0/git/scripts/check-config.sh u-boot.cfg /home/karthik/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/1_2019.07+gitAUTOINC+26d926eda0-r0/git/scripts/config_whitelist.txt /home/karthik/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/1_2019.07+gitAUTOINC+26d926eda0-r0/git
| make[1]: Leaving directory ‘/home/karthik/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/1_2019.07+gitAUTOINC+26d926eda0-r0/build/apalis_imx6_defconfig’
| make: Leaving directory ‘/home/karthik/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/1_2019.07+gitAUTOINC+26d926eda0-r0/git’
| cp: cannot stat ‘/home/karthik/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/1_2019.07+gitAUTOINC+26d926eda0-r0/build/apalis_imx6_defconfig/u-boot.img’: No such file or directory
| WARNING: exit code 1 from a shell command.
| ERROR: Function failed: do_compile (log file is located at /home/karthik/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/1_2019.07+gitAUTOINC+26d926eda0-r0/temp/log.do_compile.107008)
ERROR: Task (/home/karthik/oe-core/build/…/layers/meta-toradex-nxp/recipes-bsp/u-boot/u-boot-toradex_2019.07.bb:do_compile) failed with exit code ‘1’
NOTE: Tasks Summary: Attempted 628 tasks of which 621 didn’t need to be rerun and 1 failed.
NOTE: Writing buildhistory

here the ivt files are created in the build directory

karthik@karthik-Precision-3680:~/oe-core/build$ ls /home/karthik/oe-core/build/tmp/work/apalis_imx6-tdx-linux-gnueabi/u-boot-toradex/1_2019.07+gitAUTOINC+26d926eda0-r0/build/apalis_imx6_defconfig/
arch drivers include source tools u-boot.dtb u-boot.lds
board dts lib spl u-boot u-boot-dtb.bin u-boot.map
cmd env Makefile SPL u-boot.bin u-boot-dtb.img u-boot-nodtb.bin
common examples net SPL.log u-boot.cfg u-boot-ivt.img u-boot.srec
disk fs scripts System.map u-boot.cfg.configs u-boot-ivt.img.log u-boot.sym

how to achieve secure boot in Uboot2019.07

2

Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!

Did you like my answer?

:+1: :-1:

Hello,

To enable Secure Boot on your Apalis iMX6 module using U-Boot 2019.07, it’s important to address the error you’re encountering, where the u-boot.img file is missing. This issue may stem from a misconfiguration or incorrect file paths in your build setup.

Here are some steps to help you troubleshoot and resolve this:

  1. Verify Configuration: Ensure that the CONFIG_SECURE_BOOT=y option is correctly set in your apalis_imx6_defconfig. This is crucial for enabling Secure Boot support in U-Boot.

  2. Check File Paths: The error suggests that the build process cannot locate the u-boot.img file. Double-check that your build environment paths are correct and that the necessary files are being generated in the expected directories.

  3. Dependencies and Tools: Confirm that all required tools and dependencies for building U-Boot are installed on your system, including the ARM GNU Toolchain for cross-compilation.

  4. Build Process: Follow the standard procedure for building U-Boot:

    • Obtain the U-Boot source code from the appropriate repository.
    • Apply any necessary patches specific to your module.
    • Configure U-Boot using the correct defconfig for your module.
    • Compile U-Boot, ensuring no errors occur during the process.

  5. Secure Boot Setup: Beyond resolving the compilation error, ensure your Secure Boot environment is correctly configured:

    • Generate and manage signing keys securely.
    • Configure the HAB (High Assurance Boot) settings according to NXP’s guidelines.
    • Sign the U-Boot binary and other necessary components.

By following these steps, you should be able to resolve the compilation issue and proceed with enabling Secure Boot on your device. If further issues arise, ensure that all configurations align with the specific requirements of your hardware and software environment.

Best regards,
Toradex AI Assistant

Please, also check if these links can help you solve your problem:

U-boot with CONFIG_SECURE_BOOT enabled fail to build.

3

Greetings @Karthik-Gnanaguru,

Our BSP 3.0.4 is quite old and no longer maintained by us anymore. I would recommend trying on our latest BSP versions.

Best Regards,
Jeremias