Verdin iMX8MP recovery / re-flash on a HAB-CLOSED device

Hello,

we run a custom Torizon OS (Yocto “torizon-docker” base + TorizonCore Builder changes) on Verdin iMX8MP, with HAB secure boot enabled via meta-toradex-security.
We have successfully closed a pilot device.

The device itself works fine. Our questions are about the recovery / re-flashing path once a module is CLOSED.
To be honest, before testing Easy Installer on that device we thought Easy Installer could be started but only installing properly signed images would work.
But it seems not so (yes…makes sense if thinking about it).

How is recovery / re-flashing via the Toradex Easy Installer (recovery mode / uuu) intended to work once a Verdin iMX8MP is in the HAB CLOSED state?

Tested running the stock Easy Installer recovery on the closed device:

  • the module enters serial download mode (lsusb: “1fc9:0146 NXP Semiconductors SP Blank”)?
  • recovery-linux.sh / uuu fails at the recovery loader stage:
    SDPS: boot -f ../imx-boot-recoverytezi
    HID(W): LIBUSB_ERROR_NO_DEVICE (-4)
    Success 0 Failure 1
  • the exact same script/package worked while the device was still OPEN.

We also tried the obvious shortcut using our own HAB-signed imx-boot (the same flash.bin that is written to the eMMC) as the SDP loader instead of imx-boot-recoverytezi. On the CLOSED device the BootROM authenticates it, but the bootloader then simply boots the existing eMMC OS (it finds /boot.scr, loads the signed FIT, boots Torizon OS to the login prompt) instead of entering the Easy Installer. uuu stays at “SDPS: boot -f …” and the Easy Installer never runs.

We have already read related community threads.
From these we see a recovery imx-boot signed with our own SRK is needed, and that a documented method was in progress for ~end of Q2.

  1. Is the documented closed-device recovery method / boot-container signing available? If so, can you point us to it?

  2. On a CLOSED iMX8MP device, must the recovery imx-boot loaded via SDP/uuu be HAB-signed with the device’s SRK?

  3. How do we obtain or build a SIGNED Toradex Easy Installer / signed “imx-boot-recoverytezi” using our own HAB keys?

  • Which Yocto recipe / image / bitbake target produces the recovery (TEZI) imx-boot (is there a Verdin iMX8MP equivalent of the colibri_imx7_tezi_recovery_defconfig? …read about in other thread), and how does meta-toradex-security HAB signing apply to that recovery bootloader?
  • We already TRIED using our production imx-boot as the SDP loader: HAB accepts it, but it boots the eMMC OS instead of the Easy Installer. So we presumably need the recovery-defconfig EI U-Boot signed with our SRK. Can you confirm, and tell us exactly how to build/sign that recovery imx-boot for Verdin iMX8MP?
  • Or, if signing the prebuilt loader is the intended path: what is the exact CST procedure (CSF/offsets) to sign the existing imx-boot-recoverytezi?
  4. What is your recommended procedure for re-flashing / recovering CLOSED iMX8MP devices in production?

Our environment:

  • Module: Verdin iMX8M Plus Quad 4GB
  • Torizon OS base: 7.6.0, meta-toradex-security
  • U-Boot: 2024.07-7.6.0-devel
  • Signing: NXP CST 4.0.1; HAB PKI = SRK (CA) + CSF/IMG
  • Easy Installer: Verdin-iMX8MP_ToradexEasyInstaller_7.6.0+build.11
  • Device state: CLOSED (SEC_CONFIG set), boots our signed image normally, OTA works.

Looking forward and thanks for support.

Hi, I’m the Toradex AI Assistant.

I might make mistakes or occasionally get you wrong. Our support team will step in if needed.



You’ve identified a critical challenge: on a HAB-CLOSED Verdin iMX8M Plus, the recovery bootloader (imx-boot-recoverytezi) loaded via Serial Download Protocol (SDP) must also be HAB-signed with your device’s SRK keys, otherwise the BootROM will reject it(1)(2)(3).

The behavior you observed is expected:

  • The stock imx-boot-recoverytezi from Toradex Easy Installer is unsigned, so the CLOSED device’s BootROM refuses to execute it(1).
  • When you used your production imx-boot (which is HAB-signed), the BootROM accepted it, but U-Boot then followed its normal boot flow (loading /boot.scr from eMMC) instead of entering recovery mode(1)(4).

Answers to Your Questions

1. Is the documented closed-device recovery method available?

The meta-toradex-security layer provides comprehensive Secure Boot support, including bootloader signing(3). However, signing the Toradex Easy Installer recovery bootloader for CLOSED devices is not explicitly documented in the standard workflows(1)(2)(3). The recovery process on CLOSED devices requires you to build and sign your own recovery bootloader using your SRK keys.


2. Must the recovery imx-boot be HAB-signed with the device’s SRK?

Yes. On a CLOSED iMX8M Plus, the BootROM enforces HAB authentication for all boot images, including those loaded via SDP(2)(3). If the recovery bootloader is not signed with the correct SRK, the BootROM will refuse to execute it(1)(3).


3. How to obtain or build a SIGNED Toradex Easy Installer recovery imx-boot?

You need to:

A. Build the Recovery U-Boot

The Toradex Easy Installer uses a special U-Boot configuration. For Verdin iMX8M Plus, you must:

  • Use the Yocto BSP with meta-toradex-security enabled(3).
  • Build a U-Boot image configured for recovery mode (the equivalent of the recovery defconfig for your SoM)(1)(4).

The meta-toradex-security layer supports HAB signing via the tdx-signed or tdxref-signed classes(3). When enabled, these classes automatically sign the bootloader and kernel images during the build(2)(3).

B. Sign the Recovery Bootloader

Once you have built the recovery U-Boot image, you must sign it using the same SRK keys and CST procedures you used for your production image(2)(4):

  1. Generate the PKI tree (if not already done) using the NXP CST tool(2)(4).
  2. Create CSF files (csf_spl.txt and csf_fit.txt) referencing your SRK certificates(2)(4).
  3. Sign the boot container using the CST tool to produce signed imx-boot binaries(2)(4).

The signing procedure is the same as for your production image. Refer to the CST documentation and the examples in the U-Boot source tree(4).

C. Use the Signed Recovery Bootloader

Replace the stock imx-boot-recoverytezi in your Easy Installer package with your signed recovery bootloader, then run the recovery script(1).


4. Recommended procedure for re-flashing CLOSED iMX8MP devices in production?

For CLOSED devices, the recommended workflow is:

  1. Build and sign a dedicated recovery U-Boot configured to enter Toradex Easy Installer mode (not boot from eMMC)(1)(3).
  2. Load the signed recovery bootloader via SDP/uuu on CLOSED devices(1).
  3. Flash the production image using Toradex Easy Installer as usual(1).

Alternatively, you can:

  • Use OTA updates via Torizon Cloud for field updates, avoiding the need for physical recovery(3).
  • Implement a fallback boot partition strategy in your production image to enable recovery without SDP.

Key Takeaway

The core issue is that Toradex Easy Installer’s stock recovery bootloader is unsigned. On CLOSED devices, you must build and sign your own recovery bootloader using meta-toradex-security and your SRK keys(2)(3). The exact Yocto recipe and build target for the recovery bootloader may require consulting the meta-toradex-security repository or reaching out to Toradex support for SoM-specific guidance.

For further details on HSM-backed signing and the full Secure Boot workflow, refer to the Secure Boot documentation for NXP i.MX SoMs(2)(3).


Best regards,
Toradex AI Assistant.
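
A host-side check for the signed-versus-unsigned loader question in this thread, added here as an example and not taken from Toradex or the posters: it decodes the HABv4 IVT at the start of an imx-boot file and reports whether a CSF has been inserted where the IVT points. It assumes the IVT sits at file offset 0 (parameter `ivt_off`), looks only at the first (SPL) IVT, and runs on a constructed sample image; a present CSF does not show that it was signed with the SRK fused on the device.

```python
import struct

HAB_TAG_IVT = 0xD1  # HABv4 Image Vector Table header tag
HAB_TAG_CSF = 0xD4  # HABv4 Command Sequence File header tag
IVT_LEN = 0x20      # the IVT is eight 32-bit words

def parse_ivt(image: bytes, ivt_off: int = 0) -> dict:
    """Decode the IVT at ivt_off (offset 0 is an assumption about the file layout)."""
    if len(image) < ivt_off + IVT_LEN:
        raise ValueError("image too short for an IVT")
    tag, length, version = struct.unpack_from(">BHB", image, ivt_off)
    if tag != HAB_TAG_IVT or length != IVT_LEN:
        raise ValueError(f"no IVT at offset {ivt_off:#x}")
    names = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")
    fields = struct.unpack_from("<7I", image, ivt_off + 4)
    return dict(zip(names, fields), version=version)

def csf_state(image: bytes, ivt_off: int = 0) -> str:
    """Report whether a CSF header sits where the IVT says the CSF lives."""
    ivt = parse_ivt(image, ivt_off)
    if ivt["csf"] == 0:
        return "unsigned: IVT has no CSF pointer"
    # 'self' and 'csf' are load addresses; their difference is the file offset.
    csf_off = ivt_off + ivt["csf"] - ivt["self"]
    if not 0 <= csf_off <= len(image) - 4:
        return "unsigned: CSF pointer outside the file"
    tag, length, _ = struct.unpack_from(">BHB", image, csf_off)
    if tag != HAB_TAG_CSF or length < 4:
        return "unsigned: CSF slot is empty padding"
    return "csf-present"

def sample_image(signed: bool) -> bytes:
    """Constructed 0x2000-byte stand-in for imx-boot, not a real image."""
    load = 0x920000  # hypothetical load address used for 'self'
    img = bytearray(0x2000)
    struct.pack_into(">BHB", img, 0, HAB_TAG_IVT, IVT_LEN, 0x41)
    struct.pack_into("<7I", img, 4, load + 0x40, 0, 0,
                     load + 0x20, load, load + 0x1000, 0)
    if signed:  # place a CSF header where the IVT points
        struct.pack_into(">BHB", img, 0x1000, HAB_TAG_CSF, 0x0050, 0x43)
    return bytes(img)

if __name__ == "__main__":
    for label, img in (("stock-like", sample_image(False)), ("signed-like", sample_image(True))):
        print(label, "->", csf_state(img))
```

To check a real file, pass its bytes to `csf_state`, for example `csf_state(open(path, "rb").read())`.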



Greetings @sol_ad,

Our team is actually in the middle of developing a tool that can be used to re-flash closed devices such as yours. An initial version of this tool should soon be available. I would recommend waiting for this tool if your need here isn’t too urgent.

Best Regards,
Jeremias

Hi @jeremias.tx ,

many thanks for quick response!
Do you have a time schedule for such tool that we can communicate to our internal and external customers?

We do have an early/initial version of the tool that is currently undergoing some limited customer validation. I’ve brought your case here to the attention of our team. They will be in touch with you shortly regarding this.

Best Regards,
Jeremias