High Assurance Boot (HAB) for i.MX6 CPUs
-To authenticate U-Boot only by the CPU there is no code required in
-U-Boot itself. However, the U-Boot image to be programmed into the
+To enable the authenticated or encrypted boot mode of U-Boot, it is
+required to set the proper configuration for the target board. This
+is done by adding the following configuration in the defconfig file:
+
+CONFIG_SECURE_BOOT=y
+
+In addition, the U-Boot image to be programmed into the
boot media needs to be properly constructed, i.e. it must contain a
proper Command Sequence File (CSF).
The DEK blob is generated by an authenticated U-Boot image with
the dek_blob cmd enabled. The image used for DEK blob generation
-needs to have the following configurations enabled:
+needs to have the following configurations enabled in Kconfig:
-CONFIG_SECURE_BOOT
-CONFIG_SYS_FSL_SEC_COMPAT 4 /* HAB version */
-CONFIG_FSL_CAAM
-CONFIG_CMD_DEKBLOB
+CONFIG_SECURE_BOOT=y
+CONFIG_CMD_DEKBLOB=y
Note: The encrypted boot feature is only supported by HABv4 or
greater.