Set up secure boot

Hi,

I followed the Set up secure boot instructions and can successfully build the uboot image.
But when I update to the signed uboot, the boot process gets stuck at “DRAM: 256 MiB”, as follows:

console output

CPU: i.MX6UL rev1.1 528 MHz (running at 396 MHz)
CPU: Industrial temperature grade (-40C to 105C) at 47C
Reset cause: POR
I2C: ready
DRAM: 256 MiB

console output

I use the ccimx6ul Starter Kit.
The uboot image file name is u-boot-dtb-signed-ccimx6ulstarter-2020.04-r0.imx
When I recover the uboot using the normal uboot image and type in the command “hab_status”, I get the following error:

--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)

Please help, thanks in advance.
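Added example, not part of the original post or of Digi's or NXP's code: a short Python decoder for the "event data" bytes that hab_status prints, which checks the record header (tag 0xdb, 16-bit big-endian length) before reading the STS/RSN/CTX/ENG bytes, so a truncated paste is caught instead of misread. The function names are hypothetical and the name tables cover only the codes seen in this thread plus the other two HAB status values.

```python
import re

# Constructed input: the hab_status text quoted in the post above.
SAMPLE = """\
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)
"""

HAB_TAG_EVT = 0xDB  # tag byte that opens a HAB event record
FIELDS = ("STS", "RSN", "CTX", "ENG")
# Deliberately partial tables (assumption: extend from the HAB4 API headers).
NAMES = {
    "STS": {0x33: "HAB_FAILURE", 0x69: "HAB_WARNING", 0xF0: "HAB_SUCCESS"},
    "RSN": {0x22: "HAB_INV_ADDRESS"},
    "CTX": {0x0A: "HAB_CTX_AUTHENTICATE"},
    "ENG": {0x00: "HAB_ENG_ANY"},
}


def decode_event(raw: bytes) -> dict:
    """Decode one event record: 4-byte header, then STS/RSN/CTX/ENG bytes."""
    if len(raw) < 8:
        raise ValueError("record shorter than header plus four code bytes")
    if raw[0] != HAB_TAG_EVT:
        raise ValueError(f"not an event record: tag 0x{raw[0]:02x}")
    length = int.from_bytes(raw[1:3], "big")
    if length != len(raw):
        raise ValueError(f"header says {length} bytes, paste has {len(raw)}")
    # raw[3] is the header's version byte; raw[8:] is any extra event data.
    event = {"version_byte": raw[3], "extra": raw[8:]}
    for field, code in zip(FIELDS, raw[4:8]):
        event[field] = (code, NAMES[field].get(code, "unknown"))
    return event


def parse_hab_status(text: str) -> list:
    """Find every 'HAB Event N' block in pasted console text and decode it."""
    events = []
    for block in re.split(r"-+ HAB Event \d+ -+", text)[1:]:
        _, found, data = block.partition("event data:")
        if not found:
            raise ValueError("event block without 'event data:'")
        # Hex bytes end where the printed STS line begins.
        data = re.split(r"^\s*STS\s*=", data, maxsplit=1, flags=re.M)[0]
        raw = bytes(int(b, 16) for b in re.findall(r"0x([0-9a-fA-F]{2})\b", data))
        events.append(decode_event(raw))
    return events
```
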

Please provide the output of the “trustfence status” U-Boot command.

This is the output of the “trustfence status” command:

=> trustfence status

  • SRK fuses: [NOT PROGRAMMED]
    Key 0: [OK]
    Key 1: [OK]
    Key 2: [OK]
    Key 3: [OK]
  • Secure boot: [OPEN]
  • Encrypted U-Boot: [NO]
  • HAB events: [ERRORS PRESENT!]

Which version of DEY are you using?
It looks like a known bug related to an issue with the toolchain in which U-Boot code changes (such as enabling Trustfence-related configurations) will cause the binary to freeze in seemingly random places early in the boot process.

We do have a workaround for this issue that is available in the latest Digi U-Boot sources in GitHub. If you build their Yocto project using the dey-3.0 maintenance branch instead of the latest release tag, you should be able to include this workaround into your code. Hopefully, that solves the freezing issue (along with other unrelated issues that have been fixed after the latest 3.0 release).

~$ cd /usr/local/dey-3.0
~$ repo init -u https://github.com/digi-embedded/dey-manifest.git -b zeus
~$ repo sync -j8 --no-repo-verify

Then clean and rebuild your workspace project.

I followed the install instructions and currently use the stable release version:
https://github.com/digi-embedded/dey-manifest.git -b refs/tags/3.0-r4.1

I will rebuild with the zeus branch. But is it ok to use this branch for production?

Yes, it is OK. We are close to releasing DEY 3.2, btw.