diff mbox series

imx: hab: Make imx_hab_is_enabled dependent on FIELD_RETURN

Message ID 20240621130626.729666-1-paul.geurts@prodrive-technologies.com
State Changes Requested
Delegated to: Fabio Estevam
Headers show
Series imx: hab: Make imx_hab_is_enabled dependent on FIELD_RETURN | expand

Commit Message

Paul Geurts June 21, 2024, 1:06 p.m. UTC 
The decision on whether HAB is enabled is solely based on the SEC_CONFIG
fuse. The HAB FIELD_RETURN feature is able to permanently disable HAB on
a CPU, after which it is able to boot unsigned firmware. U-Boot however
does not take into account the FIELD_RETURN mode, and refuses to boot
unsigned software when the feature is enabled.

Also take the FIELD_RETURN fuse into account when deciding whether HAB
is enabled. When The FIELD_RETURN fuse is blown, HAB is not enabled.

Tested on i.MX8M Mini, i.MX8M Plus, i.MX8M Nano and i.MX6ULL

Signed-off-by: Paul Geurts <paul.geurts@prodrive-technologies.com>
---
 arch/arm/include/asm/mach-imx/hab.h |  5 +++--
 arch/arm/mach-imx/hab.c             | 21 +++++++++++++++++----
 arch/arm/mach-imx/imx8m/soc.c       |  7 ++++++-
 arch/arm/mach-imx/mx6/soc.c         |  7 ++++++-
 arch/arm/mach-imx/mx7/soc.c         |  7 ++++++-
 arch/arm/mach-imx/mx7ulp/soc.c      |  7 ++++++-
 6 files changed, 44 insertions(+), 10 deletions(-)

Comments

Marek Vasut June 21, 2024, 2:17 p.m. UTC | #1 
On 6/21/24 3:06 PM, Paul Geurts wrote:
> The decision on whether HAB is enabled is solely based on the SEC_CONFIG
> fuse. The HAB FIELD_RETURN feature is able to permanently disable HAB on
> a CPU, after which it is able to boot unsigned firmware. U-Boot however
> does not take into account the FIELD_RETURN mode, and refuses to boot
> unsigned software when the feature is enabled.
> 
> Also take the FIELD_RETURN fuse into account when deciding whether HAB
> is enabled. When The FIELD_RETURN fuse is blown, HAB is not enabled.
> 
> Tested on i.MX8M Mini, i.MX8M Plus, i.MX8M Nano and i.MX6ULL

The purpose of the field return fuse is to unlock a system when it is 
returned to factory, right ?

Can the system be re-locked afterward too ?
Paul Geurts June 24, 2024, 8:20 a.m. UTC | #2 
>> The decision on whether HAB is enabled is solely based on the SEC_CONFIG
>> fuse. The HAB FIELD_RETURN feature is able to permanently disable HAB on
>> a CPU, after which it is able to boot unsigned firmware. U-Boot however
>> does not take into account the FIELD_RETURN mode, and refuses to boot
>> unsigned software when the feature is enabled.
>> 
>> Also take the FIELD_RETURN fuse into account when deciding whether HAB
>> is enabled. When The FIELD_RETURN fuse is blown, HAB is not enabled.
>> 
>> Tested on i.MX8M Mini, i.MX8M Plus, i.MX8M Nano and i.MX6ULL
>
>The purpose of the field return fuse is to unlock a system when it is 
>returned to factory, right ?

That is the intention of the field return mode indeed.

>
>Can the system be re-locked afterward too ?

No, the field return is enabled by a fuse, which cannot be reverted. The
mode is intended to be able to perform investigations on broken devices,
but these devices are not intended to go back into the field.
Fabio Estevam June 24, 2024, 12:09 p.m. UTC | #3 
Hi Paul,

On Fri, Jun 21, 2024 at 10:06 AM Paul Geurts
<paul.geurts@prodrive-technologies.com> wrote:

> -struct imx_sec_config_fuse_t {
> +struct imx_fuse_t {

Please make the struct renaming a separate patch.

Peng Fan, Ye Li,

Could you please help review this patch?

Thanks
Paul Geurts June 24, 2024, 6:51 p.m. UTC | #4 
Hi Fabio,

>Hi Paul,
>
>On Fri, Jun 21, 2024 at 10:06 AM Paul Geurts <paul.geurts@prodrive-technologies.com> wrote:
>
>> -struct imx_sec_config_fuse_t {
>> +struct imx_fuse_t {
>
>Please make the struct renaming a separate patch.

Yes, I will do that.

>
>Peng Fan, Ye Li,
>
>Could you please help review this patch?
>
>Thanks
>
Marek Vasut June 25, 2024, 2:13 a.m. UTC | #5 
On 6/24/24 10:20 AM, Paul Geurts wrote:
>>> The decision on whether HAB is enabled is solely based on the SEC_CONFIG
>>> fuse. The HAB FIELD_RETURN feature is able to permanently disable HAB on
>>> a CPU, after which it is able to boot unsigned firmware. U-Boot however
>>> does not take into account the FIELD_RETURN mode, and refuses to boot
>>> unsigned software when the feature is enabled.
>>>
>>> Also take the FIELD_RETURN fuse into account when deciding whether HAB
>>> is enabled. When The FIELD_RETURN fuse is blown, HAB is not enabled.
>>>
>>> Tested on i.MX8M Mini, i.MX8M Plus, i.MX8M Nano and i.MX6ULL
>>
>> The purpose of the field return fuse is to unlock a system when it is
>> returned to factory, right ?
> 
> That is the intention of the field return mode indeed.
> 
>>
>> Can the system be re-locked afterward too ?
> 
> No, the field return is enabled by a fuse, which cannot be reverted. The
> mode is intended to be able to perform investigations on broken devices,
> but these devices are not intended to go back into the field.

Understood, thanks for clarifying.
Ye Li June 25, 2024, 7:19 a.m. UTC | #6 
Hi Paul,

On 6/24/2024 8:09 PM, Fabio Estevam wrote:

> Hi Paul,
>
> On Fri, Jun 21, 2024 at 10:06 AM Paul Geurts
> <paul.geurts@prodrive-technologies.com>  wrote:
>
>> -struct imx_sec_config_fuse_t {
>> +struct imx_fuse_t {
> Please make the struct renaming a separate patch.
>
> Peng Fan, Ye Li,
>
> Could you please help review this patch?
>
> Thanks

Can you take a look iMX8MP FIELD_RETURN fuse, I think it does not have 1 
bit but 8 bits which requires to burn a sequence. Only when the bits 
sequence is matched, the field return can work.  So checking the bit 0 
is not enough.

Fuses for other platforms look ok.


Best regards,

Ye Li
Paul Geurts June 26, 2024, 7:17 a.m. UTC | #7 
Hi,
Thanks for the feedback.

>Hi Paul,
>
>On 6/24/2024 8:09 PM, Fabio Estevam wrote:
>
>> Hi Paul,
>>
>> On Fri, Jun 21, 2024 at 10:06 AM Paul Geurts 
>> <paul.geurts@prodrive-technologies.com>  wrote:
>>
>>> -struct imx_sec_config_fuse_t {
>>> +struct imx_fuse_t {
>> Please make the struct renaming a separate patch.
>>
>> Peng Fan, Ye Li,
>>
>> Could you please help review this patch?
>>
>> Thanks
>
>Can you take a look iMX8MP FIELD_RETURN fuse, I think it does not have 1 bit but 8 bits which requires to burn a sequence. Only when the bits sequence is matched, the field return can work.  So checking the bit 0 is not enough.

Are you sure about that? The security reference manual (IMX8MPSRM) says in Table 5-5
that the FIELD_RETURN fuse is located on fuse 0x630[0], which is a single bit. Also,
the "Chip Security Lifecycle" section (2.15.1) says the following:

FEILD RETURN (SEC_CONFIG[1] fuse = 1 and FIELD_RETURN fuse = 1)

Are you maybe confusing the FIELD_RETURN fuse with the FIELD_RETURN_LOCK sticky bit?
clearing the lock bit _is_ quite the procedure, but it is unrelated to U-Boot, as
this is done by ROM code through CSF.

I tested this on an i.MX8M Plus and it seems to work fine.

>
>Fuses for other platforms look ok.
>
>
>Best regards,
>
>Ye Li
Ye Li June 26, 2024, 11:55 a.m. UTC | #8 
Hi Paul,

On 6/26/2024 3:17 PM, Paul Geurts wrote:
> Hi,
> Thanks for the feedback.
>
>> Hi Paul,
>>
>> On 6/24/2024 8:09 PM, Fabio Estevam wrote:
>>
>>> Hi Paul,
>>>
>>> On Fri, Jun 21, 2024 at 10:06 AM Paul Geurts
>>> <paul.geurts@prodrive-technologies.com>  wrote:
>>>
>>>> -struct imx_sec_config_fuse_t {
>>>> +struct imx_fuse_t {
>>> Please make the struct renaming a separate patch.
>>>
>>> Peng Fan, Ye Li,
>>>
>>> Could you please help review this patch?
>>>
>>> Thanks
>> Can you take a look iMX8MP FIELD_RETURN fuse, I think it does not have 1 bit but 8 bits which requires to burn a sequence. Only when the bits sequence is matched, the field return can work.  So checking the bit 0 is not enough.
> Are you sure about that? The security reference manual (IMX8MPSRM) says in Table 5-5
> that the FIELD_RETURN fuse is located on fuse 0x630[0], which is a single bit. Also,
> the "Chip Security Lifecycle" section (2.15.1) says the following:
>
> FEILD RETURN (SEC_CONFIG[1] fuse = 1 and FIELD_RETURN fuse = 1)
>
> Are you maybe confusing the FIELD_RETURN fuse with the FIELD_RETURN_LOCK sticky bit?
> clearing the lock bit _is_ quite the procedure, but it is unrelated to U-Boot, as
> this is done by ROM code through CSF.
>
> I tested this on an i.MX8M Plus and it seems to work fine.

I know the steps for field return.  What I mean is the FIELD_RETURN 
fuse.  It is true that security RM mentions it as you quote. But from 
8MP fuse map and ROM codes,  I get different things.

FIELD_RETURN 8-bit code.
FIELD_RETURN = 0, is non-field return mode, functional/secure mode.
FIELD_RETURN = Matching Sequence, device is in field_return mode
FIELD_RETURN != Matching Sequence, device asserts security violation


However, I'm not sure how is it implemented in HAB. Since you have 
tested 8M plus, can you confirm the closed part is successfully 
converted to field return and can boot without signing?


Best regards,

Ye Li

>> Fuses for other platforms look ok.
>>
>>
>> Best regards,
>>
>> Ye Li
Paul Geurts July 1, 2024, 12:39 p.m. UTC | #9 
Hi Ye,

> Hi Paul,
>
> On 6/26/2024 3:17 PM, Paul Geurts wrote:
>> Hi,
>> Thanks for the feedback.
>>
>>> Hi Paul,
>>>
>>> On 6/24/2024 8:09 PM, Fabio Estevam wrote:
>>>
>>>> Hi Paul,
>>>>
>>>> On Fri, Jun 21, 2024 at 10:06 AM Paul Geurts
>>>> <paul.geurts@prodrive-technologies.com>  wrote:
>>>>
>>>>> -struct imx_sec_config_fuse_t {
>>>>> +struct imx_fuse_t {
>>>> Please make the struct renaming a separate patch.
>>>>
>>>> Peng Fan, Ye Li,
>>>>
>>>> Could you please help review this patch?
>>>>
>>>> Thanks
>>> Can you take a look iMX8MP FIELD_RETURN fuse, I think it does not
>>> have 1 bit but 8 bits which requires to burn a sequence. Only when
>>> the bits sequence is matched, the field return can work.  So checking
>>> the bit 0 is not enough.
>> Are you sure about that? The security reference manual (IMX8MPSRM)
>> says in Table 5-5
>> that the FIELD_RETURN fuse is located on fuse 0x630[0], which is a
>> single bit. Also,
>> the "Chip Security Lifecycle" section (2.15.1) says the following:
>>
>> FEILD RETURN (SEC_CONFIG[1] fuse = 1 and FIELD_RETURN fuse = 1)
>>
>> Are you maybe confusing the FIELD_RETURN fuse with the
>> FIELD_RETURN_LOCK sticky bit?
>> clearing the lock bit _is_ quite the procedure, but it is unrelated to
>> U-Boot, as
>> this is done by ROM code through CSF.
>>
>> I tested this on an i.MX8M Plus and it seems to work fine.
>
> I know the steps for field return.  What I mean is the FIELD_RETURN
> fuse.  It is true that security RM mentions it as you quote. But from
> 8MP fuse map and ROM codes,  I get different things.
>
> FIELD_RETURN 8-bit code.
> FIELD_RETURN = 0, is non-field return mode, functional/secure mode.
> FIELD_RETURN = Matching Sequence, device is in field_return mode
> FIELD_RETURN != Matching Sequence, device asserts security violation

That is indeed different from what is mentioned in documentation. I have
asked our NXP FAE about the discrepancy and I will adjust the code if
needed.

>
>
> However, I'm not sure how is it implemented in HAB. Since you have
> tested 8M plus, can you confirm the closed part is successfully
> converted to field return and can boot without signing?

Maybe I did something wrong while testing. I will retest it on a new
board when I have received some more information from NXP.

>
>
>  Best regards,
>
> Ye Li
>
Ye Li July 2, 2024, 7:41 a.m. UTC | #10 
Hi Paul,

On 7/1/2024 8:39 PM, Paul Geurts wrote:
> Hi Ye,
>
>> Hi Paul,
>>
>> On 6/26/2024 3:17 PM, Paul Geurts wrote:
>>> Hi,
>>> Thanks for the feedback.
>>>
>>>> Hi Paul,
>>>>
>>>> On 6/24/2024 8:09 PM, Fabio Estevam wrote:
>>>>
>>>>> Hi Paul,
>>>>>
>>>>> On Fri, Jun 21, 2024 at 10:06 AM Paul Geurts
>>>>> <paul.geurts@prodrive-technologies.com>  wrote:
>>>>>
>>>>>> -struct imx_sec_config_fuse_t {
>>>>>> +struct imx_fuse_t {
>>>>> Please make the struct renaming a separate patch.
>>>>>
>>>>> Peng Fan, Ye Li,
>>>>>
>>>>> Could you please help review this patch?
>>>>>
>>>>> Thanks
>>>> Can you take a look iMX8MP FIELD_RETURN fuse, I think it does not
>>>> have 1 bit but 8 bits which requires to burn a sequence. Only when
>>>> the bits sequence is matched, the field return can work.  So checking
>>>> the bit 0 is not enough.
>>> Are you sure about that? The security reference manual (IMX8MPSRM)
>>> says in Table 5-5
>>> that the FIELD_RETURN fuse is located on fuse 0x630[0], which is a
>>> single bit. Also,
>>> the "Chip Security Lifecycle" section (2.15.1) says the following:
>>>
>>> FEILD RETURN (SEC_CONFIG[1] fuse = 1 and FIELD_RETURN fuse = 1)
>>>
>>> Are you maybe confusing the FIELD_RETURN fuse with the
>>> FIELD_RETURN_LOCK sticky bit?
>>> clearing the lock bit _is_ quite the procedure, but it is unrelated to
>>> U-Boot, as
>>> this is done by ROM code through CSF.
>>>
>>> I tested this on an i.MX8M Plus and it seems to work fine.
>> I know the steps for field return.  What I mean is the FIELD_RETURN
>> fuse.  It is true that security RM mentions it as you quote. But from
>> 8MP fuse map and ROM codes,  I get different things.
>>
>> FIELD_RETURN 8-bit code.
>> FIELD_RETURN = 0, is non-field return mode, functional/secure mode.
>> FIELD_RETURN = Matching Sequence, device is in field_return mode
>> FIELD_RETURN != Matching Sequence, device asserts security violation
> That is indeed different from what is mentioned in documentation. I have
> asked our NXP FAE about the discrepancy and I will adjust the code if
> needed.

Thanks for confirm. I also cross checked with teams. 8MP must burn a 
pattern. Otherwise HAB won't covert to field return.

Additional, do you think it is very necessary to add this patch set?  
Because field return is a pure debug feature, it won't be deployed on 
productions. The developers working on field return parts can re-build 
u-boot with CONFIG_IMX_HAB disabled.

This patch may introduce risk to HAB in some sense,  especially for 
productions. One mistake would make unsigned image bypass authentication 
result.


Best regards,

Ye Li

>>
>> However, I'm not sure how is it implemented in HAB. Since you have
>> tested 8M plus, can you confirm the closed part is successfully
>> converted to field return and can boot without signing?
> Maybe I did something wrong while testing. I will retest it on a new
> board when I have received some more information from NXP.
>
>>
>>   Best regards,
>>
>> Ye Li
>>
Paul Geurts July 2, 2024, 9:09 a.m. UTC | #11 
Hi Ye,

> Hi Paul,
>
>On 7/1/2024 8:39 PM, Paul Geurts wrote:
>> Hi Ye,
>>
>>> Hi Paul,
>>>
>>> On 6/26/2024 3:17 PM, Paul Geurts wrote:
>>>> Hi,
>>>> Thanks for the feedback.
>>>>
>>>>> Hi Paul,
>>>>>
>>>>> On 6/24/2024 8:09 PM, Fabio Estevam wrote:
>>>>>
>>>>>> Hi Paul,
>>>>>>
>>>>>> On Fri, Jun 21, 2024 at 10:06 AM Paul Geurts
>>>>>> <paul.geurts@prodrive-technologies.com>  wrote:
>>>>>>
>>>>>>> -struct imx_sec_config_fuse_t {
>>>>>>> +struct imx_fuse_t {
>>>>>> Please make the struct renaming a separate patch.
>>>>>>
>>>>>> Peng Fan, Ye Li,
>>>>>>
>>>>>> Could you please help review this patch?
>>>>>>
>>>>>> Thanks
>>>>> Can you take a look iMX8MP FIELD_RETURN fuse, I think it does not
>>>>> have 1 bit but 8 bits which requires to burn a sequence. Only when
>>>>> the bits sequence is matched, the field return can work.  So checking
>>>>> the bit 0 is not enough.
>>>> Are you sure about that? The security reference manual (IMX8MPSRM)
>>>> says in Table 5-5
>>>> that the FIELD_RETURN fuse is located on fuse 0x630[0], which is a
>>>> single bit. Also,
>>>> the "Chip Security Lifecycle" section (2.15.1) says the following:
>>>>
>>>> FEILD RETURN (SEC_CONFIG[1] fuse = 1 and FIELD_RETURN fuse = 1)
>>>>
>>>> Are you maybe confusing the FIELD_RETURN fuse with the
>>>> FIELD_RETURN_LOCK sticky bit?
>>>> clearing the lock bit _is_ quite the procedure, but it is unrelated to
>>>> U-Boot, as
>>>> this is done by ROM code through CSF.
>>>>
>>>> I tested this on an i.MX8M Plus and it seems to work fine.
>>> I know the steps for field return.  What I mean is the FIELD_RETURN
>>> fuse.  It is true that security RM mentions it as you quote. But from
>>> 8MP fuse map and ROM codes,  I get different things.
>>>
>>> FIELD_RETURN 8-bit code.
>>> FIELD_RETURN = 0, is non-field return mode, functional/secure mode.
>>> FIELD_RETURN = Matching Sequence, device is in field_return mode
>>> FIELD_RETURN != Matching Sequence, device asserts security violation
>> That is indeed different from what is mentioned in documentation. I have
>> asked our NXP FAE about the discrepancy and I will adjust the code if
>> needed.
>
> Thanks for confirm. I also cross checked with teams. 8MP must burn a 
> pattern. Otherwise HAB won't covert to field return.

Okay, thanks for checking, I will wait for the details and make the necessary adjustments

>
> Additional, do you think it is very necessary to add this patch set?  
> Because field return is a pure debug feature, it won't be deployed on 
> productions. The developers working on field return parts can re-build 
> u-boot with CONFIG_IMX_HAB disabled.

In an OEM situation, is a lot of cases, the company creating the bootloader (OEM) is typically neither the one
singing the bootloader nor performing the FIELD_RETURN setting (end customer/VAR). The end
customer is typically neither interested nor capable of rebuilding the bootloader with CONFIG_IMX_HAB
disabled.

This means 2 bootloaders need to be maintained in parallel by the OEM, creating unnecessary overhead. This
also introduces additional risk as the end customer may sign the wrong bootloader (with HAB disabled).

>
> This patch may introduce risk to HAB in some sense,  especially for 
> productions. One mistake would make unsigned image bypass authentication 
> result.

I think this risk is mitigated by the fuse unlocking procedure imposed by HAB. I don't think someone
will accidentally go through the entire procedure of unlocking the FIELD_RETURN fuse and then
also accidentally burning the fuse. The risk in code IMO is not greater then the risk already there by
reading out the SEC_CONFIG fuse.

>
>
> Best regards,
>
> Ye Li
>
>>>
>>> However, I'm not sure how is it implemented in HAB. Since you have
>>> tested 8M plus, can you confirm the closed part is successfully
>>> converted to field return and can boot without signing?
>> Maybe I did something wrong while testing. I will retest it on a new
>> board when I have received some more information from NXP.
>>
>>>
>>>   Best regards,
>>>
>>> Ye Li
>>>
Fabio Estevam July 18, 2024, 5:02 p.m. UTC | #12 
Hi Ye Li,

On Tue, Jul 2, 2024 at 6:09 AM Paul Geurts
<paul.geurts@prodrive-technologies.com> wrote:

> > Thanks for confirm. I also cross checked with teams. 8MP must burn a
> > pattern. Otherwise HAB won't covert to field return.
>
> Okay, thanks for checking, I will wait for the details and make the necessary adjustments

Please let us know if you have more information on this so we can
proceed with this patch.

Thanks
Fabio Estevam Aug. 2, 2024, 7:28 p.m. UTC | #13 
Hi Paul,

On Thu, Jul 18, 2024 at 2:02 PM Fabio Estevam <festevam@gmail.com> wrote:

> > Okay, thanks for checking, I will wait for the details and make the necessary adjustments
>
> Please let us know if you have more information on this so we can
> proceed with this patch.

Please re-send this series whenever you receive a confirmation from NXP.

Thanks
diff mbox series

Patch

diff --git a/arch/arm/include/asm/mach-imx/hab.h b/arch/arm/include/asm/mach-imx/hab.h
index 2abf28ea45bc..d70e8eac1358 100644
--- a/arch/arm/include/asm/mach-imx/hab.h
+++ b/arch/arm/include/asm/mach-imx/hab.h
@@ -132,13 +132,14 @@  enum hab_target {
 	HAB_TGT_ANY		= 0x55,
 };
 
-struct imx_sec_config_fuse_t {
+struct imx_fuse_t {
 	int bank;
 	int word;
 };
 
 #if defined(CONFIG_IMX_HAB)
-extern struct imx_sec_config_fuse_t const imx_sec_config_fuse;
+extern struct imx_fuse_t const imx_sec_config_fuse;
+extern struct imx_fuse_t const imx_field_return_fuse;
 #endif
 
 /*Function prototype description*/
diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c
index 27e053ef701c..03d827e6c1eb 100644
--- a/arch/arm/mach-imx/hab.c
+++ b/arch/arm/mach-imx/hab.c
@@ -27,6 +27,7 @@  DECLARE_GLOBAL_DATA_PTR;
 #define IS_HAB_ENABLED_BIT \
 	(is_soc_type(MXC_SOC_MX7ULP) ? 0x80000000 :	\
 	 ((is_soc_type(MXC_SOC_MX7) || is_soc_type(MXC_SOC_IMX8M)) ? 0x2000000 : 0x2))
+#define IS_FIELD_RETURN_BIT 0x00000001
 
 #ifdef CONFIG_MX7ULP
 #define HAB_M4_PERSISTENT_START	((soc_rev() >= CHIP_REV_2_0) ? 0x20008040 : \
@@ -871,18 +872,30 @@  static int validate_ivt(struct ivt *ivt_initial)
 
 bool imx_hab_is_enabled(void)
 {
-	struct imx_sec_config_fuse_t *fuse =
-		(struct imx_sec_config_fuse_t *)&imx_sec_config_fuse;
+	struct imx_fuse_t *sec_config =
+		(struct imx_fuse_t *)&imx_sec_config_fuse;
+	struct imx_fuse_t *field_return =
+		(struct imx_fuse_t *)&imx_field_return_fuse;
 	uint32_t reg;
+	bool is_enabled;
 	int ret;
 
-	ret = fuse_read(fuse->bank, fuse->word, &reg);
+	ret = fuse_read(sec_config->bank, sec_config->word, &reg);
 	if (ret) {
 		puts("\nSecure boot fuse read error\n");
 		return ret;
 	}
+	is_enabled = (reg & IS_HAB_ENABLED_BIT) == IS_HAB_ENABLED_BIT;
+	if (is_enabled) {
+		ret = fuse_read(field_return->bank, field_return->word, &reg);
+		if (ret) {
+			puts("\nField return fuse read error\n");
+			return ret;
+		}
+		is_enabled = !(reg & IS_FIELD_RETURN_BIT);
+	}
 
-	return (reg & IS_HAB_ENABLED_BIT) == IS_HAB_ENABLED_BIT;
+	return is_enabled;
 }
 
 int imx_hab_authenticate_image(uint32_t ddr_start, uint32_t image_size,
diff --git a/arch/arm/mach-imx/imx8m/soc.c b/arch/arm/mach-imx/imx8m/soc.c
index 0c49fb9cd488..af0844946378 100644
--- a/arch/arm/mach-imx/imx8m/soc.c
+++ b/arch/arm/mach-imx/imx8m/soc.c
@@ -36,10 +36,15 @@ 
 DECLARE_GLOBAL_DATA_PTR;
 
 #if defined(CONFIG_IMX_HAB)
-struct imx_sec_config_fuse_t const imx_sec_config_fuse = {
+struct imx_fuse_t const imx_sec_config_fuse = {
 	.bank = 1,
 	.word = 3,
 };
+
+struct imx_fuse_t const imx_field_return_fuse = {
+	.bank = 8,
+	.word = 3,
+};
 #endif
 
 int timer_init(void)
diff --git a/arch/arm/mach-imx/mx6/soc.c b/arch/arm/mach-imx/mx6/soc.c
index c2875e727c94..02179b02b8d2 100644
--- a/arch/arm/mach-imx/mx6/soc.c
+++ b/arch/arm/mach-imx/mx6/soc.c
@@ -52,10 +52,15 @@  U_BOOT_DRVINFO(imx6_thermal) = {
 #endif
 
 #if defined(CONFIG_IMX_HAB)
-struct imx_sec_config_fuse_t const imx_sec_config_fuse = {
+struct imx_fuse_t const imx_sec_config_fuse = {
 	.bank = 0,
 	.word = 6,
 };
+
+struct imx_fuse_t const imx_field_return_fuse = {
+	.bank = 5,
+	.word = 6,
+};
 #endif
 
 u32 get_nr_cpus(void)
diff --git a/arch/arm/mach-imx/mx7/soc.c b/arch/arm/mach-imx/mx7/soc.c
index 689dbefe8ee0..3369696e4614 100644
--- a/arch/arm/mach-imx/mx7/soc.c
+++ b/arch/arm/mach-imx/mx7/soc.c
@@ -128,10 +128,15 @@  static void isolate_resource(void)
 #endif
 
 #if defined(CONFIG_IMX_HAB)
-struct imx_sec_config_fuse_t const imx_sec_config_fuse = {
+struct imx_fuse_t const imx_sec_config_fuse = {
 	.bank = 1,
 	.word = 3,
 };
+
+struct imx_fuse_t const imx_field_return_fuse = {
+	.bank = 8,
+	.word = 3,
+};
 #endif
 
 static bool is_mx7d(void)
diff --git a/arch/arm/mach-imx/mx7ulp/soc.c b/arch/arm/mach-imx/mx7ulp/soc.c
index 217b7c45867d..d11204cb2479 100644
--- a/arch/arm/mach-imx/mx7ulp/soc.c
+++ b/arch/arm/mach-imx/mx7ulp/soc.c
@@ -38,10 +38,15 @@ 
 static char *get_reset_cause(char *);
 
 #if defined(CONFIG_IMX_HAB)
-struct imx_sec_config_fuse_t const imx_sec_config_fuse = {
+struct imx_fuse_t const imx_sec_config_fuse = {
 	.bank = 29,
 	.word = 6,
 };
+
+struct imx_fuse_t const imx_field_return_fuse = {
+	.bank = 9,
+	.word = 6,
+};
 #endif
 
 #define ROM_VERSION_ADDR 0x80