Hello,
we run a custom Torizon OS (Yocto “torizon-docker” base + TorizonCore Builder changes) on Verdin iMX8MP, with HAB secure boot enabled via meta-toradex-security.
We have successfully closed a pilot device.
The device itself works fine. Our questions are about the recovery / re-flashing path once a module is CLOSED.
To be honest before testing Easy Installer on that device we thought Easy Installer can be started but only installing proper signed images will work.
But it seems not so (yes…makes sense if thinking about it).
How is recovery / re-flashing via the Toradex Easy Installer (recovery mode / uuu) intended to work once a Verdin iMX8MP is in the HAB CLOSED state?
Tested running the stock Easy Installer recovery on the closed device:
- the module enter serial download mode (lsusb: “1fc9:0146 NXP Semiconductors SP Blank”)?
- recovery-linux.sh / uuu fails at the recovery loader stage:
SDPS: boot -f ../imx-boot-recoverytezi
HID(W): LIBUSB_ERROR_NO_DEVICE (-4)
Success 0 Failure 1 - the exact same script/package worked while the device was still OPEN.
We also tried the obvious shortcut using our own HAB-signed imx-boot (the same flash.bin that is written to the eMMC) as the SDP loader instead of imx-boot-recoverytezi. On the CLOSED device the BootROM auth it, but the bootloader then simply boots the existing eMMC OS (it finds /boot.scr, loads the signed FIT, boots Torizon OS to the login prompt) instead of entering the Easy Installer. uuu stays at “SDPS: boot -f …” and the Easy Installer never runs.
We have already read related community threads.
From these we see a recovery imx-boot signed with our own SRK is needed, and that a documented method was in progress for ~end of Q2.
-
Is the documented closed-device recovery method / boot-container signing available? If so, can you point us to it?
-
On a CLOSED iMX8MP device, must the recovery imx-boot loaded via SDP/uuu be HAB-signed with the device’s SRK?
-
How do we obtain or build a SIGNED Toradex Easy Installer / signed “imx-boot-recoverytezi” using our own HAB keys?
- Which Yocto recipe / image / bitbake target produces the recovery (TEZI) imx-boot (is there a Verdin iMX8MP equivalent of the colibri_imx7_tezi_recovery_defconfig? …read about in other thread), and how does meta-toradex-security HAB signing apply to that recovery bootloader?
- We already TRIED using our production imx-boot as the SDP loader: HAB accepts it, but it boots the eMMC OS instead of the Easy Installer. So we presumably need the recovery-defconfig EI U-Boot signed with our SRK. can you confirm, and tell us exactly how to build/sign that recovery imx-boot for Verdin iMX8MP?
- Or, if signing the prebuilt loader is the intended path: what is the exact CST procedure (CSF/offsets) to sign the existing imx-boot-recoverytezi?
- What is yur recommended procedure for re-flashing / recovering CLOSED iMX8MP devices in production?
Our environment:
- Module: Verdin iMX8M Plus Quad 4GB
- Torizon OS base: 7.6.0, meta-toradex-security
- U-Boot: 2024.07-7.6.0-devel
- Signing: NXP CST 4.0.1; HAB PKI = SRK (CA) + CSF/IMG
- Easy Installer: Verdin-iMX8MP_ToradexEasyInstaller_7.6.0+build.11
- Device state: CLOSED (SEC_CONFIG set), boots our signed image normally, OTA works.
Looking forward and thanks for support.