Commit a52ac63177b16cb13cbca57263b36076fa3e8c52
Committed by
Ye Li
Ye Li
1 parent
6279960ae5
Exists in
smarc_8mm-imx_v2018.03_4.14.98_2.0.0_ga
and in
4 other branches
MLK-20916-2: doc: imx: ahab: Update AHAB document to include ahab_status command
Since commit cf2acc5b7cde ("MLK-18942-2 imx8: ahab: Add ahab_status command") the U-Boot is able to display and parse the SECO events. Update AHAB guides to use U-Boot ahab_status command instead of SCFW CLI. Starting in SECO FW v0.2.0 engineering release an invalid image integrity is logged as an event in open mode. As ahab_status is able to return this event the note can be removed. Signed-off-by: Breno Lima <breno.lima@nxp.com> Reviewed-by: Ye Li <ye.li@nxp.com> (cherry picked from commit 385ed19051a47f5858e8d326e5ee97f8a08a679d)
Showing 2 changed files with 37 additions and 27 deletions Side-by-side Diff
doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt
| ... | ... | @@ -268,24 +268,29 @@ |
| 268 | 268 | ------------------------- |
| 269 | 269 | |
| 270 | 270 | If the fuses have been written properly, there should be no SECO events after |
| 271 | -boot. To validate this, power on the board, and run the following command on | |
| 272 | -the SCFW terminal: | |
| 271 | +boot. To validate this, power on the board, and run ahab_status command on | |
| 272 | +U-Boot terminal. | |
| 273 | 273 | |
| 274 | - >$ seco events | |
| 274 | +No events should be returned after this command: | |
| 275 | 275 | |
| 276 | -Nothing should be returned after this command. If you get an error, please | |
| 277 | -refer to examples below: | |
| 276 | + => ahab_status | |
| 277 | + Lifecycle: 0x0020, NXP closed | |
| 278 | 278 | |
| 279 | -0x0087EE00 = The container image is not signed. | |
| 280 | -0x0087FA00 = The container image was signed with wrong key which are not | |
| 281 | - matching the OTP SRK hashes. | |
| 279 | + No SECO Events Found! | |
| 282 | 280 | |
| 283 | -In case your SRK fuses are not programmed yet the event 0x0087FA00 may also | |
| 284 | -be displayed. | |
| 281 | +U-Boot will decode the SECO events and provide more details on the failure, | |
| 282 | +for example in case container image was signed with wrong keys and are not | |
| 283 | +matching the OTP SRK hashes: | |
| 285 | 284 | |
| 286 | -Note: The SECO FW v1.1.0 is not logging an invalid image integrity as an event | |
| 287 | -in open mode, in case your image does not boot after moving the lifecycle | |
| 288 | -please review your image setup. | |
| 285 | + => ahab_status | |
| 286 | + Lifecycle: 0x0020, NXP closed | |
| 287 | + | |
| 288 | + SECO Event[0] = 0x0087EE00 | |
| 289 | + CMD = AHAB_AUTH_CONTAINER_REQ (0x87) | |
| 290 | + IND = AHAB_NO_AUTHENTICATION_IND (0xEE) | |
| 291 | + | |
| 292 | +Note: In case your SRK fuses are not programmed yet the event 0x0087FA00 may | |
| 293 | +also be displayed. | |
| 289 | 294 | |
| 290 | 295 | 1.5.6 Close the device |
| 291 | 296 | ----------------------- |
doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt
| ... | ... | @@ -309,25 +309,30 @@ |
| 309 | 309 | 1.7 Verify SECO events |
| 310 | 310 | ----------------------- |
| 311 | 311 | |
| 312 | -If the fuses have been written properly, there should be no SECO events | |
| 313 | -after boot. To validate this, power on the board, and run the following | |
| 314 | -command on the SCFW terminal: | |
| 312 | +If the fuses have been written properly, there should be no SECO events after | |
| 313 | +boot. To validate this, power on the board, and run ahab_status command on | |
| 314 | +U-Boot terminal. | |
| 315 | 315 | |
| 316 | - >$ seco events | |
| 316 | +No events should be returned after this command: | |
| 317 | 317 | |
| 318 | -Nothing should be returned after this command. If you get an error, please | |
| 319 | -refer to examples below: | |
| 318 | + => ahab_status | |
| 319 | + Lifecycle: 0x0020, NXP closed | |
| 320 | 320 | |
| 321 | -0x0087EE00 = The container image is not signed. | |
| 322 | -0x0087FA00 = The container image was signed with wrong key which are not | |
| 323 | - matching the OTP SRK hashes. | |
| 321 | + No SECO Events Found! | |
| 324 | 322 | |
| 325 | -In case your SRK fuses are not programmed yet the event 0x0087FA00 may also | |
| 326 | -be displayed. | |
| 323 | +U-Boot will decode the SECO events and provide more details on the failure, | |
| 324 | +for example in case container image was signed with wrong keys and are not | |
| 325 | +matching the OTP SRK hashes: | |
| 327 | 326 | |
| 328 | -Note: The SECO FW v1.1.0 is not logging an invalid image integrity as an event | |
| 329 | -in open mode, in case your image does not boot after moving the lifecycle | |
| 330 | -please review your image setup. | |
| 327 | + => ahab_status | |
| 328 | + Lifecycle: 0x0020, NXP closed | |
| 329 | + | |
| 330 | + SECO Event[0] = 0x0087EE00 | |
| 331 | + CMD = AHAB_AUTH_CONTAINER_REQ (0x87) | |
| 332 | + IND = AHAB_NO_AUTHENTICATION_IND (0xEE) | |
| 333 | + | |
| 334 | +Note: In case your SRK fuses are not programmed yet the event 0x0087FA00 may | |
| 335 | +also be displayed. | |
| 331 | 336 | |
| 332 | 337 | 1.8 Close the device |
| 333 | 338 | --------------------- |