i.MX 93 AHAB with U-BOOT#
This notebook describes how to build a bootable AHAB image with ELE firmware and U-BOOT bootloader, load it using the NXPUUU app and how to use NXPELE app.
Set up the environment#
SPSDK is needed with examples extension.
pip install spsdk[examples]
(Please refer to the installation documentation.)This demo was tested with i.MX93 EVK board
Images preparation#
to create resulting binary containing AHAB containers, we need to prepare the binaries
in this section we reproduce the process which is done by the
imx-mkimage
toolObtain all the necessary binaries (lpddr4 firmware, u-boot, bl31, ELE firmware) and put them into inputs directory
U-Boot#
Read the U-Boot documentation to understand the U-Boot build process In order to use the nxpele app, U-Boot must be built with AHAB support. CONFIG_AHAB_BOOT=y If you want to use the nxpele over fastboot, also multiplexing of console output to fastboot must be enabled by setting CONFIG_CONSOLE_MUX=y.
Requirements#
Download these files from the https://www.nxp.com/lgfiles/NMG/MAD/YOCTO/
lpddr4 firmware files
u-boot binary (u-boot SPL and u-boot) built with AHAB support.
bl31.bin binary (ARM Trusted Firmware)
ELE firmware binary AHAB
i.MX93 EVK board
# This env variable sets colored logger output to STDOUT
# Execute this cell to enable execution of the ! line magic
%env JUPYTER_SPSDK=1
%alias execute echo %l && %l
%alias_magic ! execute
env: JUPYTER_SPSDK=1
Created `%!` as an alias for `%execute`.
AHAB Template#
We can generate the template using the nxpimage ahab get-template command. The command will generate a template. The template is a YAML file that contains the AHAB header and the AHAB container. The AHAB header contains the information about the image, such as the version, the number of containers, and the signature. The AHAB container contains the information about the image, such as the image type, the image version, the image size, and the image signature.
The following command generates the template:
nxpimage ahab get-template -f mimx9352 -o ahab_template.yaml
Exporting of the AHAB image#
The AHAB image can be exported using the nxpimage ahab export command. The command will create the AHAB image from the template. The following command creates the AHAB image:
nxpimage ahab export -c ahab_template.yaml
## Export AHAB Images
WORKSPACE = "workspace/" # change this to path to your workspace
U_BOOT_SPL_CONTAINER_CONFIG = "u-boot-spl-container-img_config.yaml"
U_BOOT_ATF_CONTAINER_CONFIG = "u-boot-atf-container-img_config.yaml"
VERBOSITY = "-v"
# EXPORT U-BOOT SPL CONTAINER IMAGE
%! nxpimage $VERBOSITY ahab export -c $U_BOOT_SPL_CONTAINER_CONFIG
nxpimage -v ahab export -c u-boot-spl-container-img_config.yaml
INFO:spsdk.image.ahab.ahab_iae:Adding DDR memory areas into SPL image
INFO:spsdk.apps.nxpimage:Created AHAB Image:
Name: AHAB Image
Starts: 0x0
Ends: 0x529ff
Size: Size: 330.5 kiB; 338,432 B
Alignment: 8 B
Pattern:zeros
AHAB Image for mimx9352_a1
INFO:spsdk.apps.nxpimage:Created AHAB Image memory map:
+==0x0000_0000= AHAB Image ============================+
| Size: 330.5 kiB; 338,432 B |
| AHAB Image for mimx9352_a1 |
| Pattern: zeros |
|+==0x0000_0000= AHAB Containers =====================+|
|| Size: 8.0 kiB; 8,192 B ||
|| AHAB Containers block ||
|| Pattern: zeros ||
||+==0x0000_0000= AHAB Container 0 ==================+||
||| Size: 544 B |||
||| AHAB Container for nxp_SWver:0 |||
||+==0x0000_021f=====================================+||
|| Gap: 480 B ||
||+==0x0000_0400= AHAB Container 1 ==================+||
||| Size: 160 B |||
||| AHAB Container for none_SWver:0 |||
||+==0x0000_049f=====================================+||
|+==0x0000_1fff=======================================+|
|+==0x0000_2000= Container 0 AHAB Data Image 0 =======+|
|| Size: 95.8 kiB; 98,144 B ||
||AHAB encrypted data block for ele core and ele Image||
|| Type. ||
|+==0x0001_9f5f=======================================+|
| Gap: 160 B |
|+==0x0001_a000= U-Boot SPL with DDR tunning images ==+|
|| Size: 226.5 kiB; 231,936 B ||
|| AHAB data block for cortex-a55 core and executable ||
|| Image Type. ||
|+==0x0005_29ff=======================================+|
+==0x0005_29ff=========================================+
Success. (AHAB: outputs\u-boot-spl-container.img created.)
# EXPORT U-BOOT ATF CONTAINER IMAGE
%! nxpimage $VERBOSITY ahab export -c $U_BOOT_ATF_CONTAINER_CONFIG
nxpimage -v ahab export -c u-boot-atf-container-img_config.yaml
INFO:spsdk.apps.nxpimage:Created AHAB Image:
Name: AHAB Image
Starts: 0x0
Ends: 0x1289ff
Size: Size: 1.2 MiB; 1,214,976 B
Alignment: 8 B
Pattern:zeros
AHAB Image for mimx9352_a1
INFO:spsdk.apps.nxpimage:Created AHAB Image memory map:
+==0x0000_0000= AHAB Image ====================+
| Size: 1.2 MiB; 1,214,976 B |
| AHAB Image for mimx9352_a1 |
| Pattern: zeros |
|+==0x0000_0000= AHAB Containers =============+|
|| Size: 8.0 kiB; 8,192 B ||
|| AHAB Containers block ||
|| Pattern: zeros ||
||+==0x0000_0000= AHAB Container 0 ==========+||
||| Size: 288 B |||
||| AHAB Container for none_SWver:0 |||
||+==0x0000_011f=============================+||
|+==0x0000_1fff===============================+|
|+==0x0000_2000= ATF - ARM Trusted Firmware ==+|
|| Size: 38.0 kiB; 38,912 B ||
|| AHAB data block for cortex-a55 core and ||
|| executable Image Type. ||
|+==0x0000_b7ff===============================+|
|+==0x0000_b800= U-Boot Firmware =============+|
|| Size: 1.1 MiB; 1,167,872 B ||
|| AHAB data block for cortex-a55 core and ||
|| executable Image Type. ||
|+==0x0012_89ff===============================+|
+==0x0012_89ff=================================+
Success. (AHAB: outputs\u-boot-atf-container.img created.)
AHAB Image Container set#
Now we have the AHAB image with U-Boot SPL DDR and AHAB Image with U-Boot ATF container. We can use the nxpimage binary-image merge command to merge the AHAB images into one binary image. The following command merges the AHAB images:
nxpimage -v bootable-image merge -c u-boot-flash_template.yaml -o flash.bin
U_BOOT_FLASH_BOOT_CFG = "u-boot-bootable.yaml"
U_BOOT_FLASH_BOOT = "outputs/flash.bin"
%! nxpimage $VERBOSITY bootable-image merge --config $U_BOOT_FLASH_BOOT_CFG --output $U_BOOT_FLASH_BOOT
nxpimage -v bootable-image merge --config u-boot-bootable.yaml --output outputs/flash.bin
INFO:spsdk.image.ahab.ahab_iae:Adding DDR memory areas into SPL image
INFO:spsdk.apps.nxpimage:Created Bootable Image:
Name: Bootable Image for mimx9352
Starts: 0x0
Ends: 0x17b5ff
Size: Size: 1.5 MiB; 1,553,920 B
Alignment: 1 B
Pattern:zeros
Memory type: MemoryType.SERIAL_DOWNLOADER
Revision: a1
INFO:spsdk.apps.nxpimage:Created Bootable Image memory map:
+==0x0000_0000= Bootable Image for mimx9352 =============+
| Size: 1.5 MiB; 1,553,920 B |
| Memory type: MemoryType.SERIAL_DOWNLOADER Revision: a1 |
| Pattern: zeros |
|+==0x0000_0000= primary_image_container_set ===========+|
|| Size: 330.5 kiB; 338,432 B ||
|| AHAB Image for mimx9352_a1 ||
|| Pattern: zeros ||
||+==0x0000_0000= AHAB Containers =====================+||
||| Size: 8.0 kiB; 8,192 B |||
||| AHAB Containers block |||
||| Pattern: zeros |||
|||+==0x0000_0000= AHAB Container 0 ==================+|||
|||| Size: 544 B ||||
|||| AHAB Container for nxp_SWver:0 ||||
|||+==0x0000_021f=====================================+|||
||| Gap: 480 B |||
|||+==0x0000_0400= AHAB Container 1 ==================+|||
|||| Size: 160 B ||||
|||| AHAB Container for none_SWver:0 ||||
|||+==0x0000_049f=====================================+|||
||+==0x0000_1fff=======================================+||
||+==0x0000_2000= Container 0 AHAB Data Image 0 =======+||
||| Size: 95.8 kiB; 98,144 B |||
|||AHAB encrypted data block for ele core and ele Image|||
||| Type. |||
||+==0x0001_9f5f=======================================+||
|| Gap: 160 B ||
||+==0x0001_a000= U-Boot SPL with DDR tunning images ==+||
||| Size: 226.5 kiB; 231,936 B |||
||| AHAB data block for cortex-a55 core and executable |||
||| Image Type. |||
||+==0x0005_29ff=======================================+||
|+==0x0005_29ff=========================================+|
| Gap: 512 B |
|+==0x0005_2c00= secondary_image_container_set =========+|
|| Size: 1.2 MiB; 1,214,976 B ||
|| AHAB Image for mimx9352_a1 ||
|| Pattern: zeros ||
||+==0x0005_2c00= AHAB Containers =====================+||
||| Size: 8.0 kiB; 8,192 B |||
||| AHAB Containers block |||
||| Pattern: zeros |||
|||+==0x0005_2c00= AHAB Container 0 ==================+|||
|||| Size: 288 B ||||
|||| AHAB Container for none_SWver:0 ||||
|||+==0x0005_2d1f=====================================+|||
||+==0x0005_4bff=======================================+||
||+==0x0005_4c00= ATF - ARM Trusted Firmware ==========+||
||| Size: 38.0 kiB; 38,912 B |||
||| AHAB data block for cortex-a55 core and executable |||
||| Image Type. |||
||+==0x0005_e3ff=======================================+||
||+==0x0005_e400= U-Boot Firmware =====================+||
||| Size: 1.1 MiB; 1,167,872 B |||
||| AHAB data block for cortex-a55 core and executable |||
||| Image Type. |||
||+==0x0017_b5ff=======================================+||
|+==0x0017_b5ff=========================================+|
+==0x0017_b5ff===========================================+
Success. (Bootable Image: outputs\flash.bin created)
Image download#
First we put the iMX93
into serial downloader mode for Cortex-A (0011
), and use uuu
to upload the flash.bin
containing U-Boot and other firmware.
The picture below shows the desired DIP switch configuration for flashing Cortex-A:
%! nxpuuu $VERBOSITY write -f mimx9352 -b emmc $U_BOOT_FLASH_BOOT
nxpuuu -v write -f mimx9352 -b emmc outputs/flash.bin
SDPS: boot -f outputs/flash.bin
Done
NXPELE#
NXPELE is a tool that can communicate with the EdgeLock enclave. It might be used for example for writing and reading the fuses and keyblob generation.
To communicate with the iMX93
, we need to set it into eMMC boot for Cortex-A (0000
), then find out the serial port for the U-Boot console, and stop the autoboot. In later version of SPSDK, it might be possible to do that automatically.
The picture below shows the desired DIP switch configuration for booting from Cortex-A:
%! nxpele -f mimx9352 -p COM174 -d uboot_serial get-info
nxpele -f mimx9352 -p COM174 -d uboot_serial get-info
ELE get info ends successfully:
Command: 0xda
Version: 2
Length: 160
SoC ID: MX93 - 0x9300
SoC version: A100
Life Cycle: OEM_OPEN - 0x0010
SSSM state: 4
UUID: c2917e5a15ea4be7a4dd47ecb6f86567
SHA256 ROM PATCH: 725e3348349e8664b79b93020e8d2e2273d83f33fd9ea7381cce9999df6fbe9a
SHA256 FW: 538dfd478a65368f6c493a98d1eb1ea52ff3a4612e776c6baeae9161b7ef3673
Advanced information:
OEM SRKH: 0000000000000000000000000000000000000000000000000000000000000000
IMEM state: The IMEM is fully loaded and all ELE functionality can be used - 0xCA
CSAL state: EdgeLock secure enclave random context initialization succeed - 0x02
TRNG state: TRNG entropy is valid and ready to be read - 0x03
%! nxpele -f mimx9352 -p COM174 -d uboot_serial generate-keyblob DEK -a AES_CBC --key-id 0 --key 00000000000000000000000000000000 --key-size 128
nxpele -f mimx9352 -p COM174 generate-keyblob DEK -a AES_CBC --key-id 0 --key 00000000000000000000000000000000 --key-size 128
ELE generate DEK key blob ends successfully:
0048008101100300000231a42fe7958f4d7c5c7b31ff3e1506a8d3af82d45c029426b7c58da076af3ab01dde66b81a57ae57ca057b7afa970418647a27d5725f97e95233fbcba0da