[U-Boot] nxp: HABv4 secure boot on iMX7 NAND broken

Igor Opaniuk igor.opaniuk at gmail.com
Tue Jul 30 13:56:05 UTC 2019 

Hi Bryan,

On Tue, Jul 30, 2019 at 4:32 PM Bryan O'Donoghue
<bryan.odonoghue at linaro.org> wrote:
>
>
>
> On 30/07/2019 12:00, Igor Opaniuk wrote:
> > Hi folks,
> >
> > Just curious if you ever faced any issues with HABv4 based
> > secure boot on iMX7 SoC-based boards + NAND +
> > mainline U-Boot (although it works perfectly when booting from
> > eMMC).
> >
> > I'm currently playing with it on Colibri iMX7 NAND version,
> > following all steps from [1],
> > (colibri_imx7_defconfig, where CONFIG_SECURE_BOOT=y
> > and CONFIG_FSL_CAAM=y, without these two options enabled
> > it's booting ok) and facing the same issue as explained
> > in one of NXP forum threads [2]. Taking into account that default
> > BootROM doesn't provide any output at all to the serial console it is like
> > looking for a needle in a haystack.
>
> When HAB authentication fails in the BootROM it should drop you back
> into serial download mode.
>
> Does that happen ?

Yes, it does.

imx_usb detects it(15a2:0076(mx7)):

config file <imx_flash/imx_usb.conf>
vid=0x066f pid=0x3780 file_name=mx23_usb_work.conf
vid=0x15a2 pid=0x004f file_name=mx28_usb_work.conf
vid=0x15a2 pid=0x0052 file_name=mx50_usb_work.conf
vid=0x15a2 pid=0x0054 file_name=mx6_usb_work.conf
vid=0x15a2 pid=0x0061 file_name=mx6_usb_work.conf
vid=0x15a2 pid=0x0063 file_name=mx6_usb_work.conf
vid=0x15a2 pid=0x0071 file_name=mx6_usb_work.conf
vid=0x15a2 pid=0x007d file_name=mx6_usb_work.conf
vid=0x15a2 pid=0x0076 file_name=mx7_usb_work.conf
vid=0x15a2 pid=0x0041 file_name=mx51_usb_work.conf
vid=0x15a2 pid=0x004e file_name=mx53_usb_work.conf
vid=0x15a2 pid=0x006a file_name=vybrid_usb_work.conf
vid=0x066f pid=0x37ff file_name=linux_gadget.conf
config file <imx_flash/mx7_usb_work.conf>
parse imx_flash/mx7_usb_work.conf
15a2:0076(mx7) bConfigurationValue =1
Interface 0 claimed
HAB security state: development mode (0x56787856)
== work item
filename colibri-imx7_bin/u-boot-nand.imx
load_size 0 bytes
load_addr 0x00000000
dcd 1
clear_dcd 0
plug 1
jump_mode 2
jump_addr 0x00000000
== end work item
main dcd length 1b4
sub dcd length 164
sub dcd length c
Check Data Command(10) success @307900c4=1d9 mask 1
sub dcd length 34
sub dcd length c
Check Data Command(10) success @307a0004=1 mask 1

loading binary file(colibri-imx7_bin/u-boot-nand.imx) to 877ff400,
skip=0, fsize=a2c00 type=aa

<<<666624, 666624 bytes>>>
succeeded (status 0x88888888)
jumping to 0x877ff400


-- 
Best regards - Freundliche GrĂ¼sse - Meilleures salutations

Igor Opaniuk

mailto: igor.opaniuk at gmail.com
skype: igor.opanyuk
+380 (93) 836 40 67
http://ua.linkedin.com/in/iopaniuk

More information about the U-Boot mailing list