Commit a52ac63177b16cb13cbca57263b36076fa3e8c52
Committed by
Ye Li
1 parent
6279960ae5
Exists in
smarc_8mm-imx_v2018.03_4.14.98_2.0.0_ga
and in
4 other branches
MLK-20916-2: doc: imx: ahab: Update AHAB document to include ahab_status command
Since commit cf2acc5b7cde ("MLK-18942-2 imx8: ahab: Add ahab_status command") the U-Boot is able to display and parse the SECO events. Update AHAB guides to use U-Boot ahab_status command instead of SCFW CLI. Starting in SECO FW v0.2.0 engineering release an invalid image integrity is logged as an event in open mode. As ahab_status is able to return this event the note can be removed. Signed-off-by: Breno Lima <breno.lima@nxp.com> Reviewed-by: Ye Li <ye.li@nxp.com> (cherry picked from commit 385ed19051a47f5858e8d326e5ee97f8a08a679d)
Showing 2 changed files with 37 additions and 27 deletions Side-by-side Diff
doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt
... | ... | @@ -268,24 +268,29 @@ |
268 | 268 | ------------------------- |
269 | 269 | |
270 | 270 | If the fuses have been written properly, there should be no SECO events after |
271 | -boot. To validate this, power on the board, and run the following command on | |
272 | -the SCFW terminal: | |
271 | +boot. To validate this, power on the board, and run ahab_status command on | |
272 | +U-Boot terminal. | |
273 | 273 | |
274 | - >$ seco events | |
274 | +No events should be returned after this command: | |
275 | 275 | |
276 | -Nothing should be returned after this command. If you get an error, please | |
277 | -refer to examples below: | |
276 | + => ahab_status | |
277 | + Lifecycle: 0x0020, NXP closed | |
278 | 278 | |
279 | -0x0087EE00 = The container image is not signed. | |
280 | -0x0087FA00 = The container image was signed with wrong key which are not | |
281 | - matching the OTP SRK hashes. | |
279 | + No SECO Events Found! | |
282 | 280 | |
283 | -In case your SRK fuses are not programmed yet the event 0x0087FA00 may also | |
284 | -be displayed. | |
281 | +U-Boot will decode the SECO events and provide more details on the failure, | |
282 | +for example in case container image was signed with wrong keys and are not | |
283 | +matching the OTP SRK hashes: | |
285 | 284 | |
286 | -Note: The SECO FW v1.1.0 is not logging an invalid image integrity as an event | |
287 | -in open mode, in case your image does not boot after moving the lifecycle | |
288 | -please review your image setup. | |
285 | + => ahab_status | |
286 | + Lifecycle: 0x0020, NXP closed | |
287 | + | |
288 | + SECO Event[0] = 0x0087EE00 | |
289 | + CMD = AHAB_AUTH_CONTAINER_REQ (0x87) | |
290 | + IND = AHAB_NO_AUTHENTICATION_IND (0xEE) | |
291 | + | |
292 | +Note: In case your SRK fuses are not programmed yet the event 0x0087FA00 may | |
293 | +also be displayed. | |
289 | 294 | |
290 | 295 | 1.5.6 Close the device |
291 | 296 | ----------------------- |
doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt
... | ... | @@ -309,25 +309,30 @@ |
309 | 309 | 1.7 Verify SECO events |
310 | 310 | ----------------------- |
311 | 311 | |
312 | -If the fuses have been written properly, there should be no SECO events | |
313 | -after boot. To validate this, power on the board, and run the following | |
314 | -command on the SCFW terminal: | |
312 | +If the fuses have been written properly, there should be no SECO events after | |
313 | +boot. To validate this, power on the board, and run ahab_status command on | |
314 | +U-Boot terminal. | |
315 | 315 | |
316 | - >$ seco events | |
316 | +No events should be returned after this command: | |
317 | 317 | |
318 | -Nothing should be returned after this command. If you get an error, please | |
319 | -refer to examples below: | |
318 | + => ahab_status | |
319 | + Lifecycle: 0x0020, NXP closed | |
320 | 320 | |
321 | -0x0087EE00 = The container image is not signed. | |
322 | -0x0087FA00 = The container image was signed with wrong key which are not | |
323 | - matching the OTP SRK hashes. | |
321 | + No SECO Events Found! | |
324 | 322 | |
325 | -In case your SRK fuses are not programmed yet the event 0x0087FA00 may also | |
326 | -be displayed. | |
323 | +U-Boot will decode the SECO events and provide more details on the failure, | |
324 | +for example in case container image was signed with wrong keys and are not | |
325 | +matching the OTP SRK hashes: | |
327 | 326 | |
328 | -Note: The SECO FW v1.1.0 is not logging an invalid image integrity as an event | |
329 | -in open mode, in case your image does not boot after moving the lifecycle | |
330 | -please review your image setup. | |
327 | + => ahab_status | |
328 | + Lifecycle: 0x0020, NXP closed | |
329 | + | |
330 | + SECO Event[0] = 0x0087EE00 | |
331 | + CMD = AHAB_AUTH_CONTAINER_REQ (0x87) | |
332 | + IND = AHAB_NO_AUTHENTICATION_IND (0xEE) | |
333 | + | |
334 | +Note: In case your SRK fuses are not programmed yet the event 0x0087FA00 may | |
335 | +also be displayed. | |
331 | 336 | |
332 | 337 | 1.8 Close the device |
333 | 338 | --------------------- |