i.MX95: Secure Boot support
Ye Li
ye.li at oss.nxp.com
Mon Jun 15 17:23:42 CEST 2026
Hi Fabio,
On 6/13/2026 7:55 PM, Fabio Estevam wrote:
> Hi Ye Li and Peng,
>
> Could you please confirm whether i.MX95 secure boot is supported in
> the U-Boot mainline?
>
> Are the changes below enough, or is more needed?
>
> diff --git a/board/nxp/imx95_evk/imx95_evk.env
> b/board/nxp/imx95_evk/imx95_evk.env
> index 19f9bd5c16e5..596c819a7d1e 100644
> --- a/board/nxp/imx95_evk/imx95_evk.env
> +++ b/board/nxp/imx95_evk/imx95_evk.env
> @@ -1,4 +1,8 @@
> +#ifdef CONFIG_AHAB_BOOT
> +sec_boot=yes
> +#else
> sec_boot=no
> +#endif
> initrd_addr=0x93800000
> emmc_dev=0
> sd_dev=1
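Review bot: `sec_boot=yes` in the `#ifdef CONFIG_AHAB_BOOT` branch only changes the compiled-in default environment, and nothing in this hunk stops a saved or interactively modified environment from setting it back to `no`. If the boot scripts branch on sec_boot to decide whether to authenticate, the patch should also state how the environment is protected when CONFIG_AHAB_BOOT is enabled (for example by building with CONFIG_ENV_IS_NOWHERE), or the decision should not depend on an environment variable at all.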
> diff --git a/configs/imx95_19x19_evk_defconfig
> b/configs/imx95_19x19_evk_defconfig
> index 542b71f5c075..313f3e8dec03 100644
> --- a/configs/imx95_19x19_evk_defconfig
> +++ b/configs/imx95_19x19_evk_defconfig
> @@ -1 +1,2 @@
> #include <configs/imx95_evk.config>
> +CONFIG_AHAB_BOOT=y
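Review bot: `CONFIG_AHAB_BOOT=y` is added to imx95_19x19_evk_defconfig itself, so every default build of this board becomes an AHAB build, while the matching environment change sits in the shared board/nxp/imx95_evk/imx95_evk.env. Consider whether the option belongs in the configs/imx95_evk.config fragment that this defconfig includes, or in a separate opt-in fragment, and add a short note on how the kernel image is expected to be signed, since the patch carries no documentation.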
The main code for AHAB boot is already in U-Boot mainline. The above
changes can authenticate a signed kernel. But this version uses the env
variables auth_os + boot_os (booti) to authenticate and boot the kernel.
This requires that the env must not be changed. Users should be careful
about it. We recently added another patch downstream
(https://github.com/nxp-imx/uboot-imx/commit/5da4255f28cdb9c59b0d4380a38e0e2a962b4465)
to enforce the authentication in the booti command. But I feel it is
difficult to upstream.
Best regards,
Ye Li
>
> Any pointers on this topic are appreciated.
>
> Thanks,
>
> Fabio Estevam