Verdin IMX8MM secure, closing device, compare fuse bank failure

RiBe_Act · March 12, 2025, 12:36pm

Hi,

I am testing with the Verdin IMX8M mini the secure boot setup and have created the necessary image and burned the fuses (only the last step for enforcing i haven’t done yet).
Everything seems fine however whenever i bootup i see failure in fuse comparison messages so i don’t know if i can safely enforce the fuses or if my device will be bricked if i do so.

The boot log:

U-Boot SPL 2024.07-7.1.0-devel+git.3f772959501c (Jan 01 1970 - 00:00:00 +0000)
SEC0:  RNG instantiated
WDT:   Started watchdog@30280000 with servicing every 1000ms (60s timeout)
Trying to boot from MMC1
hab fuse not enabled

Authenticate image from DDR location 0x44000000...
NOTICE:  Do not release JR0 to NS as it can be used by HAB
NOTICE:  BL31: v2.10.0  (release):android-14.0.0_2.2.0-rc2-0-g7c64d4e86-dirty
NOTICE:  BL31: Built : 00:00:00, Jan  1 1970


U-Boot 2024.07-7.1.0-devel+git.3f772959501c (Jan 01 1970 - 00:00:00 +0000)

CPU:   Freescale i.MX8MMDL rev1.0 1800 MHz (running at 1200 MHz)
CPU:   Commercial temperature grade (0C to 95C) at 53C
Reset cause: POR
DRAM:  1 GiB
Core:  151 devices, 27 uclasses, devicetree: separate
WDT:   Started watchdog@30280000 with servicing every 1000ms (60s timeout)
MMC:   FSL_SDHC: 0, FSL_SDHC: 1, FSL_SDHC: 2
Loading Environment from MMC... Reading from MMC(0)... OK
MISSING TORADEX CARRIER CONFIG BLOCKS
In:    serial@30860000
Out:   serial@30860000
Err:   serial@30860000
Model: Toradex 0057 Verdin iMX8M Mini DualLite 1GB V1.1C
Serial#: 15542969
SEC0:  RNG instantiated
Net:   eth0: ethernet@30be0000 [PRIME]
## U-Boot CLI access is enabled
Hit any key to stop autoboot:  0
switch to partitions #0, OK
mmc0(part 0) is current device
Scanning mmc 0:1...
Found U-Boot script /boot.scr
969 bytes read in 1 ms (946.3 KiB/s)
## Executing script at 50280000
12479 bytes read in 2 ms (5.9 MiB/s)
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse cmp 6 0...`.
Comparing bank 6:

Word 0x00000000:
Value 0x00000000:0x23a4d3f8
failed
## WARNING: Command execution denied (blocked by category) for `fuse readm 6 0...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse readm 6 0...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse cmp 6 1...`.
Comparing bank 6:

Word 0x00000001:
Value 0x00000000:0x8616d78c
failed
## WARNING: Command execution denied (blocked by category) for `fuse readm 6 1...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse readm 6 1...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse cmp 6 2...`.
Comparing bank 6:

Word 0x00000002:
Value 0x00000000:0x56c2c334
failed
## WARNING: Command execution denied (blocked by category) for `fuse readm 6 2...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse readm 6 2...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse cmp 6 3...`.
Comparing bank 6:

Word 0x00000003:
Value 0x00000000:0x8e833d5c
failed
## WARNING: Command execution denied (blocked by category) for `fuse readm 6 3...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse readm 6 3...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse cmp 7 0...`.
Comparing bank 7:

Word 0x00000000:
Value 0x00000000:0x5b90c4db
failed
## WARNING: Command execution denied (blocked by category) for `fuse readm 7 0...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse readm 7 0...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse cmp 7 1...`.
Comparing bank 7:

Word 0x00000001:
Value 0x00000000:0x41baefb1
failed
## WARNING: Command execution denied (blocked by category) for `fuse readm 7 1...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse readm 7 1...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse cmp 7 2...`.
Comparing bank 7:

Word 0x00000002:
Value 0x00000000:0x6cdc95d8
failed
## WARNING: Command execution denied (blocked by category) for `fuse readm 7 2...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse readm 7 2...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse cmp 7 3...`.
Comparing bank 7:

Word 0x00000003:
Value 0x00000000:0xa3262386
failed
## WARNING: Command execution denied (blocked by category) for `fuse readm 7 3...`.
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `fuse readm 7 3...`.
## WARNING: Command execution denied (name not in whitelist) for `tdx_is_closed`.
Saving Environment to MMC... Writing to MMC(0)... OK
86 bytes read in 2 ms (42 KiB/s)
Applying Overlay: verdin-imx8mm_dsi-to-hdmi_overlay.dtbo
Applying Overlay: verdin-imx8mm_spidev_overlay.dtbo
25190417 bytes read in 194 ms (123.8 MiB/s)
## Loading kernel from FIT Image at 50300000 ...
   Using 'conf-freescale_imx8mm-verdin-nonwifi-dev.dtb' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev+ OK
   Trying 'kernel-1' kernel subimage
     Description:  Linux kernel
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x503000e8
     Data Size:    11337972 Bytes = 10.8 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x48200000
     Entry Point:  0x48200000
     Hash algo:    sha256
     Hash value:   387f3b8816516fce0f1884f764896bfe95e07c87aed5bea69a2d2acc1580c88f
   Verifying Hash Integrity ... sha256+ OK
## Loading ramdisk from FIT Image at 50300000 ...
   Using 'conf-freescale_imx8mm-verdin-nonwifi-dev.dtb' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev+ OK
   Trying 'ramdisk-1' ramdisk subimage
     Description:  initramfs-ostree-torizon-image
     Type:         RAMDisk Image
     Compression:  uncompressed
     Data Start:   0x50e7c2d4
     Data Size:    13127667 Bytes = 12.5 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x52300000
     Entry Point:  unavailable
     Hash algo:    sha256
     Hash value:   4480b3ecab9f103f19b912d9893167e50258ce550485ad865b62ab0252318e45
   Verifying Hash Integrity ... sha256+ OK
   Loading ramdisk from 0x50e7c2d4 to 0x52300000
## Loading fdt from FIT Image at 50300000 ...
   Using 'conf-freescale_imx8mm-verdin-nonwifi-dev.dtb' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev+ OK
   Trying 'fdt-freescale_imx8mm-verdin-nonwifi-dev.dtb' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x50de0ac8
     Data Size:    66691 Bytes = 65.1 KiB
     Architecture: AArch64
     Load Address: 0x50200000
     Hash algo:    sha256
     Hash value:   a641f8fdfc55097ecf95da423942050c4e4a96df02565ee4984c1283149ca432
   Verifying Hash Integrity ... sha256+ OK
   Loading fdt from 0x50de0ac8 to 0x50200000
## Loading fdt from FIT Image at 50300000 ...
   Using 'conf-verdin-imx8mm-secboot-kargs_overlay.dtbo' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev+ OK
   Trying 'fdt-verdin-imx8mm-secboot-kargs_overlay.dtbo' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x50e7bcdc
     Data Size:    474 Bytes = 474 Bytes
     Architecture: AArch64
     Load Address: 0x50240000
     Hash algo:    sha256
     Hash value:   5b7f3572d12bcb34ec72c53b764144695625e965bd5b166fad185b3916fc654b
   Verifying Hash Integrity ... sha256+ OK
## Loading fdt from FIT Image at 50300000 ...
   Using 'conf-verdin-imx8mm_dsi-to-hdmi_overlay.dtbo' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev+ OK
   Trying 'fdt-verdin-imx8mm_dsi-to-hdmi_overlay.dtbo' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x50e7666c
     Data Size:    2804 Bytes = 2.7 KiB
     Architecture: AArch64
     Load Address: 0x50240000
     Hash algo:    sha256
     Hash value:   a48018bc42bc78d2c38b3773ea359df23fff0b48e2222d69ad9b615b60b98974
   Verifying Hash Integrity ... sha256+ OK
## Loading fdt from FIT Image at 50300000 ...
   Using 'conf-verdin-imx8mm_spidev_overlay.dtbo' configuration
   Verifying Hash Integrity ... sha256,rsa2048:dev+ OK
   Trying 'fdt-verdin-imx8mm_spidev_overlay.dtbo' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x50e7bfb8
     Data Size:    561 Bytes = 561 Bytes
     Architecture: AArch64
     Load Address: 0x50240000
     Hash algo:    sha256
     Hash value:   34c3c748a085815c94364b3379e6cb73b45679359e3ae7a7820f3630a4ecc5d5
   Verifying Hash Integrity ... sha256+ OK
   Booting using the fdt blob at 0x50200000
Working FDT set to 50200000
   Uncompressing Kernel Image to 48200000
   Loading Device Tree to 000000007ced1000, end 000000007cee4941 ... OK
Working FDT set to 7ced1000
## Validation of bootargs succeeded.
Modify /vpu_g1@38300000:status disabled
Modify /vpu_g2@38310000:status disabled
Modify /vpu_h1@38320000:status disabled
Modify /soc@0/blk-ctrl@38330000:status disabled
Delete node /cpus/cpu@2
Delete node /cpus/cpu@3
Update node /thermal-zones/cpu-thermal/cooling-maps/map0, cooling-device prop

Starting kernel ...

Are these fuse compare failures correct or is my uBoot image somehow not correctly signed?

Also if i check the HAB_status in uBoot i get “No hab events found” so that seems correct.

Kind regards,
Richard

ToradexAI · March 12, 2025, 12:38pm

Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!

Did you like my answer?

Hello Richard,

Thank you for reaching out with your question. The fuse comparison failures you’re encountering during the secure boot setup on your Verdin iMX8M Mini suggest there might be a mismatch between the expected and actual fuse values. This can occur if the fuses have not been correctly programmed or if the U-Boot image is not properly signed.

Here are some steps to help you troubleshoot and resolve this issue:

Verify Fuse Programming: Ensure that the fuses have been programmed correctly. You can use the fuse read command in U-Boot to check the current values of the fuses and compare them with the expected values. This will help confirm if the fuses are set as intended.
Check U-Boot Image Signing: Make sure that your U-Boot image is correctly signed. The secure boot process relies on the image being signed with the correct keys. If the image is not signed or is signed with incorrect keys, the comparison will fail.
Review Secure Boot Configuration: Double-check your secure boot configuration settings. Ensure that all necessary steps have been followed, including setting up the High Assurance Boot (HAB) and any related configurations.
Test in Open State: Before enforcing the fuses, test your setup in the open state to ensure that everything works as expected. This can help identify any issues without the risk of bricking the device.
Backup and Documentation: Make sure to back up any important data and document your current configuration settings. This will be useful if you need to revert any changes or troubleshoot further.

If you are confident that the fuses are programmed correctly and the U-Boot image is properly signed, you can proceed with enforcing the fuses. However, proceed with caution and ensure that you have verified all settings to avoid bricking the device.

I hope this helps you resolve the issue. If you have any more questions, feel free to ask.

Best regards,
Toradex AI Assistant

Please, also check if these links can help you solve your problem:

https://community.nxp.com/t5/-/-/m-p/489919

U-boot doesn't start when start button is pressed.

jeremias.tx · March 12, 2025, 5:18pm

Greetings @RiBe_Act,

Those messages can be disregarded for the time being. Some commands in the boot script are being blocked/affected by the U-Boot hardening feature. This is known by us and we have already merged a fix for this: Adjust boot script to work with the hardening (scarthgap) by rborn-tx · Pull Request #244 · torizon/meta-toradex-torizon · GitHub

This was very recent so I imagine the build you did here, did not have these most recent additions.

In any case these commands/messages are related to a work-in-progress feature that will allow our customers to set secure boot fuses in production, or via OTA update. Since you’re setting the fuses manually yourself this does not really apply to you anyways.

Best Regards,
Jeremias

RiBe_Act · March 13, 2025, 6:44am

Ok, thank you for the confirmation

jeremias.tx · March 13, 2025, 10:07pm

Glad I could help clarify.