3. Program the signed U-Boot image

The signed U-Boot images can be flashed like any other U-Boot image:

=> update uboot tftp u-boot-signed-{machine}.imx

Note: Flashing a signed U-Boot does not enable any security features in the target. See "Close the device" to learn how to close your device so that it only boots signed U-Boot images.

CAUTION! Do not program encrypted images on an open device, as the kernel will not boot.

Reset the device, and check that there are no secure events reported using the trustfence command:

=> reset
(...)
=> trustfence status
* SRK fuses:    	[NOT PROGRAMMED]
   Key 0:       	[OK]
   Key 1:       	[OK]
   Key 2:       	[OK]
   Key 3:       	[OK]
* Secure boot:  	[OPEN]
* Encrypted U-Boot: 	[NO]
* HAB events:   	[NO ERRORS]

The output shows the device is in open configuration, the SRK e-fuses are not burned, no keys are revoked, and the current U-Boot image is not encrypted.

In this case, no secure boot events are generated. This indicates the image should be able to boot the device when closed. 

If secure boot events are present, you can get additional information with the hab_status command to understand why the signature verification failed. This U-Boot command dumps extra debug information from the High Assurance Boot (HAB) ROM. See the NXP secure boot application notes for more information on event decoding.
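The status check above can be automated on the host before a device is closed. The following is an added example, not Digi's code: it parses a captured `trustfence status` console log and lists anything that differs from the clean output shown on this page. The function names and the rule that any other value or a missing field blocks closing are assumptions of this example.

```python
import re

# Console capture: the `trustfence status` output shown above, pasted from a serial log.
SAMPLE = """\
=> trustfence status
* SRK fuses:        [NOT PROGRAMMED]
   Key 0:           [OK]
   Key 1:           [OK]
   Key 2:           [OK]
   Key 3:           [OK]
* Secure boot:      [OPEN]
* Encrypted U-Boot: [NO]
* HAB events:       [NO ERRORS]
"""

# Matches "* Name: [VALUE]" and indented "Name: [VALUE]" lines only.
FIELD_RE = re.compile(r"^\s*\*?\s*([^:\[\]]+?):\s*\[([^\]]*)\]\s*$")

# Values the page shows for a signed, unencrypted image on an open device.
# Assumption: any other value (or a missing field) is treated as a blocker.
EXPECTED = {"HAB events": "NO ERRORS", "Encrypted U-Boot": "NO",
            "Key 0": "OK", "Key 1": "OK", "Key 2": "OK", "Key 3": "OK"}

def parse_status(text):
    """Return {field: value} for every 'name: [value]' line in the capture."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def blockers(text):
    """List reasons not to close the device yet; an empty list means the check passed."""
    fields = parse_status(text)
    problems = []
    for name, want in EXPECTED.items():
        got = fields.get(name)
        if got is None:
            problems.append(f"{name}: field missing from capture")
        elif got != want:
            problems.append(f"{name}: got [{got}], expected [{want}]")
    return problems

if __name__ == "__main__":
    issues = blockers(SAMPLE)
    print("OK to proceed" if not issues else "\n".join(issues))
```

A missing field is reported as a blocker so that a truncated serial capture cannot pass the check by omission.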

 

© 2018 Digi International Inc. All rights reserved.
Updated on 22 January 2018 02:43:38 PM