We could use some extra documentation on how to use the hab command to fuse a SoC and what output should be expected. Add this to the documentation. Procedure was done with HABv4 on i.MX8MM, which is not yet upstream[1], but should be equivalent for i.MX6. [1]: https://lore.barebox.org/barebox/20230705144219.504194-1-r.czerwinski@xxxxxxxxxxxxxx/ Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> --- Documentation/boards/imx.rst | 47 ++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/Documentation/boards/imx.rst b/Documentation/boards/imx.rst index 17465efdd9be..5a4f52b392d5 100644 --- a/Documentation/boards/imx.rst +++ b/Documentation/boards/imx.rst @@ -178,6 +178,53 @@ It must be included in the board's flash header: Analogous to HABv4 options and a template exist for HABv3. +To verify HAB working as intended, install the ``barebox-*-s.img`` onto the +boot medium and trigger a power-on reset. barebox will read the HAB log on +startup and report any errors it finds. A good unfused boot looks like this:: + + HABv4: Status: Operation completed successfully (0xf0) + HABv4: Config: Non-secure IC (0xf0) + HABv4: State: Non-secure state (0x66) + HABv4: No HAB Failure Events Found! + +To have the bootrom verify the barebox binary, the SRK hash needs to be burnt +into the fuses. As fuses can't be unburnt, the ``hab`` command should be used +instead of direct device access to not risk writing unrelated fuses:: + + barebox$ hab -p -s SRK_1_2_3_4_fuse.bin + +Afterwards, images signed with a different key will trigger errors at barebox +startup, but system will still be able to boot to shell. + +To have the BootROM refuse booting differently signed images, the ``SRK_LOCK`` +fuse needs to be burnt:: + + barebox$ hab -p -l + +On next startup, barebox will report that the system is now locked:: + + HABv4: Status: Operation completed successfully (0xf0) + HABv4: Config: Secure IC (0xcc) + HABv4: State: Trusted state (0x99) + HABv4: No HAB Failure Events Found! + +This can also be seen with the ``hab -i`` command:: + + Current SRK hash: <some non-zero value> + secure mode + +Similarly, on supported SoCs, the ``bootrom -l`` command will indicate that +device is closed. Example output after booting via ``imx-usb-loader``:: + + + [e0] Internal use + [11] Boot mode is Boot from Serial Download + [23] Secure config is Closed + [41] FUSE_SEL_VALUE Fuse is blown + [d0] Enters serial download processing + [a0] Image authentication result: PASS (0x000000f0) @3506438144 ticks + [00] End of list + Secure Boot on i.MX6 ~~~~~~~~~~~~~~~~~~~~ -- 2.39.2