iMXRT1021 flexspiNOR unable to use HAB Encrypted XIP


8,178 Views
t_thurgood
Contributor III

Hi,

I am using the iMXRT1021 with flexqspiNOR flash. We want to encrypt the .sb image and then use on-the-fly BEE decryption. I am using elftosb.exe, sdphost and blhost to produce and flash the .sb image.

This all works for a normal (unsigned) image, but I cannot get past the first stage of encryption.

I have downloaded, "Code-signing-tools", "openssl", "ubuntu shell for win10". I can create all the SRKs and certificates.

elftosb\elftosb.exe -f imx -V -c bd_file\imx-flexspinor-normal-signed.bd -o elftosb\img\ivt_output_xip.bin elftosb\img\hermes.s19

results in an ivt_output_xip.bin with 0kB.

Second stage..

elftosb\elftosb.exe -f kinetis -V -c bd_file\program_flexspinor_image_qspinor_encrypt.bd -o elftosb\img\encrypt_hermes_image.sb elftosb\img\ivt_output_xip_nopadding.bin

results in...

failed to open source file: elftosb\img\ivt_output_xip_nopadding.bin (ignoring for now)
error: line 55: error opening source 'myBinFile'

And no .sb image is produced.

Please advise how I can generate an encrypted .sb file, download and execute with BEE.

best regards,

Tony

imx-flexspinor-normal-signed.bd

options {
flags = 0x04;
startAddress = 0x60000000;
ivtOffset = 0x0400;
initialLoadSize = 0x2000;
//DCDFilePath = "dcd.bin";
# Note: This is required if the cst and elftsb are not in the same folder
// cstFolderPath = "/Users/nxf38031/Desktop/CSTFolder";
cstFolderPath = "/Projects/code_signing_tool/cst-3.2.0/release/";

# Note: This is required if the default entrypoint is not the Reset_Handler
# Please set the entryPointAddress to Reset_Handler address
// entryPointAddress = 0x60002411;
entryPointAddress = 0x60019358;
}

sources {
elfFile = extern(0);
}

constants {
SEC_CSF_HEADER = 20;
SEC_CSF_INSTALL_SRK = 21;
SEC_CSF_INSTALL_CSFK = 22;
SEC_CSF_INSTALL_NOCAK = 23;
SEC_CSF_AUTHENTICATE_CSF = 24;
SEC_CSF_INSTALL_KEY = 25;
SEC_CSF_AUTHENTICATE_DATA = 26;
SEC_CSF_INSTALL_SECRET_KEY = 27;
SEC_CSF_DECRYPT_DATA = 28;
SEC_NOP = 29;
SEC_SET_MID = 30;
SEC_SET_ENGINE = 31;
SEC_INIT = 32;
SEC_UNLOCK = 33;
SEC_XIP_REGION0 = 34;
SEC_XIP_REGION1 = 35;
}

section (SEC_CSF_HEADER;
Header_Version="4.2",
Header_HashAlgorithm="sha256",
Header_Engine="DCP",
Header_EngineConfiguration=0,
Header_CertificateFormat="x509",
Header_SignatureFormat="CMS"
)
{
}

section (SEC_CSF_INSTALL_SRK;
InstallSRK_Table="crts/SRK_1_2_3_4_table.bin", // "valid file path"
InstallSRK_SourceIndex=0
)
{
}

section (SEC_CSF_INSTALL_CSFK;
InstallCSFK_File="crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem", // "valid file path"
InstallCSFK_CertificateFormat="x509" // "x509"
)
{
}

section (SEC_CSF_AUTHENTICATE_CSF)
{
}

section (SEC_CSF_INSTALL_KEY;
InstallKey_File="crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem",
InstallKey_VerificationIndex=0, // Accepts integer or string
InstallKey_TargetIndex=2) // Accepts integer or string
{
}

section (SEC_CSF_AUTHENTICATE_DATA;
AuthenticateData_VerificationIndex=2,
AuthenticateData_Engine="DCP",
AuthenticateData_EngineConfiguration=0)
{
}

section (SEC_SET_ENGINE;
SetEngine_HashAlgorithm = "sha256", // "sha1", "Sha256", "sha512"
SetEngine_Engine = "DCP", // "ANY", "SAHARA", "RTIC", "DCP", "CAAM" and "SW"
SetEngine_EngineConfiguration = "0") // "valid engine configuration values"
{
}


section (SEC_UNLOCK;
Unlock_Engine = "SNVS", // "SRTC", "CAAM", SNVS and OCOTP
Unlock_features = "ZMK WRITE" // "Refer to Table-24"
)
{
}

81 Replies

1,138 Views
t_thurgood
Contributor III

Hi Kerry,

Thank you for the update. I will be looking into this again this week. I have been working on downloading/flashing the sb image using an embedded programmer (not linux or windows).

best regards,

Tony

0 Kudos

1,138 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi Tony Thurgood,

  If you have any updated information after you check it, just let me know.

Best Regards,

Wish it helps you!

Have a great day,
Kerry

 

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

 

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos

1,130 Views
t_thurgood
Contributor III

Hi Kerry,

I have got a bit further with this, but still not fully working.

Firstly, I noticed in some of your screenshots that MCU Boot Utility v2.2.0 was being used. I was using v2.2.1, so I downloaded the latest zip into a new folder and extracted the latest version, then copied the CST folders as before.

Using the MCU Boot Utility, I was able to connect to my board;

1. Setup the program choices... select my (proven) image file, key_pass, cert settings etc.

2. Choose BEE Encrypted Mode.

Image Generation Sequence

3. Click "Generate Certificate, SRK" (enter n,n,2048,10,4,y) ...successful

4. Click "Generate Signed Bootable Image"  ...successfully produced ivt_filename_extracted_dcd_signed.bin

5. Click "Prepare for Encryption" ...successful

Image Loading Sequence

6. Click "Burn SRK data" ...successful

7. Click "Load Encrypted Image" ...successful 

At this stage everything looks ok. I put my board in "boot internal mode" and power reset, which will normally run the firmware, but no response. I guess the program won't run from the start location.

To investigate, I wanted to go back to the MCU Boot Utility tool and look at the eFuses. So put board in serial mode, but MCU Boot fails to reconnect. I tried lots of options, but it always complained that I need to generate certs first (that is a bad idea, as I want to continue with existing encryption), I have attached 2 screenshots showing the error messages.

you_should_gen_certs.png

try_again.png

As a further investigation, I decided to try the NXP command line tools.

I ran the .\SDP-boot.bat com3

This was successful, it connected and downloaded the ivt_flashloader.bin... 

PS C:\Projects\Hub2_Firmware_dev\Tools\Serial-Download> .\SDP-boot.bat com3
Download a bootloader to Hermes...
Status (HAB mode) = 305411090 (0x12343412) HAB enabled.
Reponse Status = 4042322160 (0xf0f0f0f0) HAB Success.
Preparing to send 60415 (0xebff) bytes to the target.
(1/1)1%Status (HAB mode) = 305411090 (0x12343412) HAB enabled.
Reponse Status = 2290649224 (0x88888888) Write File complete.
Status (HAB mode) = 305411090 (0x12343412) HAB enabled.
Done.

Now the flashloader was installed, I tried using blhost...

PS C:\Projects\Hub2_Firmware_dev\Tools\Serial-Download\blhost> .\blhost.exe -p com3 reset
Error: Initial ping failure: No response received for ping command.

As you can see, this failed.

So I am now stuck and need help.

What do I do next?

Why doesn't the MCU Boot Utility reconnect, when sdphost.exe is seen to work?

Why does the MCU Boot Utility want to generate more certificates when they are already there and my eFuses blown?

Please can you prove that this procedure works with your hardware and describe the steps I need to take, to achieve the same?

Has Jay Heng managed to run encrypted f/w on a 1021 target, if so please forward the procedure steps?

best regards,

Tony

 

0 Kudos

1,138 Views
t_thurgood
Contributor III

Hi Kerry,

Have you been able to recreate/investigate this problem?

br,

Tony

0 Kudos

1,138 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi Tony Thurgood,

    So sorry for my late reply!

    Now, I still need to check more details with you, just to make sure your requirement and the secure mode are clear, because I can't use the validation board now, and that board also has some problems. Now I will try one MIMXRT1021-EVK, where I have the risk of damaging my MIMXRT1021-EVK on-board chip.

    1. Do you already do the HAB signed operation before you do the BEE?

    2. Which detailed BEE mode do you want to use?

      Because BEE also have a lot of mode, please help to check this MCUBootutility manual:

NXP-MCUBootUtility/README.md at master · JayHeng/NXP-MCUBootUtility · GitHub 

  Do you want to use the top security mode:3.3.7 Mode 7: Enable dual-level OTFAD encryption (user-defined Key) ?

  In fact, I also didn't use this mode before, I just tested the single-engine BEE encryption previously.

  So, please help to make sure the BEE mode which you want to use.

  I find in chapter 3.3.7 Mode 7: Enable dual-level OTFAD encryption (user-defined Key) picture,  I can't find the same Advanced key settings, so I still need to check it with the MCUBootutility author, whether the published tool have the limit and notes.

Please help check the mode you are using now, and do you already do the HAB signed operation before you do the BEE mode?

Best Regards,

kerry

0 Kudos

1,138 Views
t_thurgood
Contributor III

Hi Kerry

I have looked at the README.md document and seen the BEE options. However, I am not sure what is best suited for our application and whether all of those modes are available on the iMXRT1021?

Basically we want to be able to download a bd image and encrypt this on-the-fly (OTFAD) when it is written to flash, then execute using BEE. So maybe... Mode 5: Enable dual-engine BEE encryption (user-defined Key) ?

I can generate SRKs and understand that these will need to be programmed into the eFuses. I'm not sure about the SNVS key? (we don't have battery backed NV ram).

The other point is, the MCUBootUtility is fine to demonstrate the usability of this procedure but we will want to implement the download/flash using a stand alone factory programmer that runs on a PIC32. So we will want to implement something that replicates the sdphost and blhost tools.

We use the IMXRT1020RM.pdf as our reference guide and section 6.10 describes the BEE operation, but gives little detail. 

6.10 Bus Encryption Engine (BEE)
The Bus Encryption Engine (BEE) is implemented as an on-the-fly decryption engine,
which is used for decrypting cypher context of FlexSPI. The main features of the BEE
are:
• Standard AXI interconnection
• On-the-fly AES-128 decryption, supporting ECB and CTR modes
• Aliased memory space support. Address remapping for up to two individual regions
• Independent AES Key management for those two individual regions
• Bus access pattern optimization with the aid of the local store and forward buffer
• Non-secured access filtering based on the security label of the access
• Illegal access check and filtering

The README.md document is useful but it is not published as a 1021 reference guide and I am not sure which encryption modes will work?


Can you please enquire and advise which mode will work for us and demonstrate this using the 1021 target hardware.

Thanks and Happy New Year,

Tony

0 Kudos

1,138 Views
john8
Contributor III

All the dual mode does for you is allow a SEPARATE key for each of two BEE regions i.e

BEE Region0 0x60008000, size 0x20000 and

BEE Region1 0x60030000, size 0x20000 (or however you partition your flash)

this only works on RT106x mcu's - NOT RT1021/5x

There is also a third region, which does not have its own key (as far as I tell) and the RT1010 is different again with 4x regions and 4x independent keys.  

regards,

0 Kudos

1,138 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi Tony Thurgood,

      Answers to your several questions.

1.  Mode 5: Enable dual-engine BEE encryption (user-defined Key) 

    I think you can use the user-defined key mode with BEE, and it seems you can only use this mode on the RT1021.

Because I find the RT1021 doesn't even have the OTPMK key in either the OCOTP or the fuse map.

   This is the RT1060:

pastedImage_1.png

This is the RT1020 RM:

pastedImage_2.png

No OTPMK key, the SNVS key should come from the OTPMK key, so the RT1020 may only be able to use the user key mode.

BTW, I checked the MCUBootUtility, I find RT1020 can't select the dual engine together, maybe it just can use one engine associated with user key.

pastedImage_3.png

2.  I'm not sure about the SNVS key? (we don't have battery backed NV ram).

  From the RT1020 OCOTP register, no OTPMK key, so maybe you can't use the SNVS key.

3.  download/flash using a stand alone factory programmer that runs on a PIC32.

This is really need to refer to the MCUBootutility, then use the blhost, sdphost tool to connect it, now I understand why you use these tool to do the operation.  This mode should still need to refer to 

Security Application Note AN12079

But, it seems this AN didn't describe it in details.

So, that's why I suggest using the MCUBootUtility to do the research at first, as you know the MCUBootUtility prints all the commands.

4.  IMXRT1020RM.pdf  gives little information.

  Yes, this document is not specific for the secure, please refer to this document:

https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=IMXRT1050SRM&appType=moderated 

 Although it is for RT1050, but RT1020 also can refer to it, it is the secure reference manual.

5. The README.md document is useful but it is not published as a 1021 reference guide and I am not sure which encryption modes will work?

  Your question is comprehensible, because I also not very familiar with it, then I need to check it with the MCUBootutility tool author, he will be more familiar with it, today, he is very busy, then I will check it with him when he has time.

6. Can you please enquire and advise which mode will work for us and demonstrate this using the 1021 target hardware.

  From the undergoing situation, maybe you just can select the user key mode, because I didn't find the RT1021 SNVS key.

Anyway, if I check with the MCUBootUtility author, I will let you know the updated information.

Have a great day,
Kerry

 


0 Kudos

1,138 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi Tony Thurgood,

    So sorry for my late reply, because I applied for some RT1021 sample chips, and just got them these days.

   I also borrow and get one validation board which can change the RT chip from the other department today, so I will test it from tomorrow, and will give you updated information in the recent days.

  Please keep patient, thanks a lot for your understanding.

Best Regards,

kerry

0 Kudos

1,138 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi Tony Thurgood,

Do you update the information, I get the message, but I can't find the detail updated information.

Best Regards,

Kerry

0 Kudos

1,138 Views
t_thurgood
Contributor III

Hi Kerry,

Posted now.

The earlier edit to the board was to remove my personal information.

Best regards,

Tony

0 Kudos

1,138 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi Tony Thurgood,

   Thanks for your detail information.

   I post two pictures on my side, although it is MCUBootUtility2.0.0, but I think it is the same with MCUBootUtility2.1.0.

pastedImage_1.png

So you are moving /crts and /keys up one folder to /tools, it is the correct operation.

pastedImage_2.png

About your detail problem, I will find one board which can change the RT chip, and test the BEE function on my side.

But I don't have your external qspi, so I will use the qspi flash or hyperflash like the EVK board, I think the BEE function is the same, even use different the external memory.

After I test it, I will let you know the details.

Please keep patient.

If you have any updated information on your side, please also let me know.

Have a great day,
Kerry

 


0 Kudos

1,138 Views
t_thurgood
Contributor III

Hi Kerry,

We originally used the ISSI IS25LP064 qspi flash device, which is the part fitted to the iMXRT1020 eval board. So that would be a comparable solution.

Thanks for your assistance,

Tony

0 Kudos

1,138 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi Tony Thurgood

   You can read my HAB encrypted document at first:

RT1050 HAB Encrypted Image Generation and Analysis 

  I suggest you refer to 3.1 MCUBootUtility Configuration to check the RT Encrypted image, and use the MCUBootUtility tool to download your firmware with BEE directly.

pastedImage_2.png

  This tool will be more easy to use!

    You can try it on your side.

BTW, this application note also useful to you, please check chapter:3.3. Encrypt XIP using elftosb

Security Application Note AN12079

If you still have questions about it, please kindly let me know.

  

Have a great day,
Kerry

 


0 Kudos

1,138 Views
john8
Contributor III

Hi Jay,

Your tool v2.2 is broken. It fails and then leaves the HAB closed with SRK fuses not burned properly.

You should have option to leave HAB open.

Your created sb file option also fails

It is a very useful tool but is buggy and incomplete - please fix it.

regards,

0 Kudos

1,138 Views
t_thurgood
Contributor III

I agree, the fuse burning needs to be much more controlled with the ability to review/add/remove the selection.

Questions for Kerry, Jay...

BEE Encrypted Image Boot

-------------------------------------

1. Looking at 0x460 Boot Cfg1 window for the i.MXRT1021 device, it shows bit0=Reserved/NA.

This is wrong, the IMXRT1020RM clearly shows bits[1:0] are SEC_CONFIG. (as John says above, this would be better left in the open position for dev).

2. The RM manual, section 8.2 says... "Encrypted XIP on Serial NOR via FlexSPI interface powered by BEE and DCP
controller" . The fuse for this is 0x450 Boot Cfg0 bit 0 = EncryptedXIP, but this is not blown. Should this be blown for BEE encryption?

Your README.md says...

"All operations are correct. Set Boot Mode to 2'b10(Internal Boot mode) via SW7 DIP switch on the board, and sets BT_CFG[1] to 1'b1 (Encrypted XIP is enabled). The rest remains all 0s. You can see that the BEE encrypted image is executed normally."

But please note, some customers are building products with these MCUs and have long discarded EVB development.

0 Kudos

1,138 Views
t_thurgood
Contributor III

Hi Kerry,

Thank you for the info.

I have the MCU Bootloader application, but using this has some issues.

I have set my MCU target, initial Boot Device parameters, input srec file etc.

Downloaded the flashloader and connected ok (Blue).

“Dev Unsigned Image Boot” and click “Generate unsigned Bootable Image”

Says.. “iMX bootable image generated successfully”

I click “Load Unsigned Image”

Nothing appears to happen.

I tried “All-In_One-Action” and it stalls…

Executing: C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\tools\blhost2_3\win\blhost -t 50000 -p COM3,115200 -j -- get-property 1 0

toolStatus: 1
commandOutput: {
"command" : "ping",
"response" : [],
"status" : {
"description" : "10500 (0x2904) No response received for ping command.",
"value" : 10500
}
}

C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\tools\elftosb4\win>"C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\tools\elftosb4\win\elftosb.exe" -f imx -V -c "C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\gen\bd_file\imx_application_gen.bd" -o "C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\gen\bootable_image\ivt_hermes_extracted_dcd_unsigned.bin" "C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\gen\user_file\hermes_extracted.srec"

Section: 0x0

iMX bootable image generated successfully

C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\tools\elftosb4\win>"C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\tools\elftosb4\win\elftosb.exe" -f imx -V -c "C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\gen\bd_file\imx_application_gen.bd" -o "C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\gen\bootable_image\ivt_hermes_extracted_dcd_unsigned.bin" "C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\gen\user_file\hermes_extracted.srec"

Section: 0x0

iMX bootable image generated successfully

C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\tools\elftosb4\win>"C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\tools\elftosb4\win\elftosb.exe" -f kinetis -V -c "C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\gen\bd_file\imx_application_sb_gen.bd" -o "C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\gen\sb_image\hermes_extracted_unsigned_flexspinor_ISSI_IS25LPxxxA_IS25WPxxxA.sb" "C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\gen\bootable_image\ivt_hermes_extracted_dcd_unsigned_nopadding.bin"

Boot Section 0x00000000:
FILL | adr=0x20202000 | len=0x00000004 | ptn=0xc0000106
FILL | adr=0x20202004 | len=0x00000004 | ptn=0x00000000
ENA | adr=0x20202000 | cnt=0x00000004 | flg=0x0900
ERAS | adr=0x60000000 | cnt=0x00026000 | flg=0x0000
FILL | adr=0x20203000 | len=0x00000004 | ptn=0xf000000f
ENA | adr=0x20203000 | cnt=0x00000004 | flg=0x0900
LOAD | adr=0x60001000 | len=0x000247b9 | crc=0x805fdccf | flg=0x0000
ERAS | adr=0x60000000 | cnt=0x00026000 | flg=0x0000
FILL | adr=0x20203000 | len=0x00000004 | ptn=0xf000000f
ENA | adr=0x20203000 | cnt=0x00000004 | flg=0x0900
LOAD | adr=0x60001000 | len=0x000247b9 | crc=0x6fc44859 | flg=0x0000

==============================================================================

If I choose “BEE Encrypted Image Boot” and “Generate Certificate, SRK”.

I get a path not found…

WindowsError: The directory name is invalid: 'C:\.....\NXP-MCUBootUtility-master\tools\cst\keys'

This is because the CST tool path is…

C:\.....\NXP-MCUBootUtility-master\tools\cst\release\keys

I can get around this by removing the “release” folder, but why doesn’t the BootUtility know where its own tool folders are located?

Now the SRKs/Certs are generated and the image compiled successfully.

“Load Encrypted Image”….

Executing: C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\tools\sdphost\win\sdphost -t 50000 -p COM3,115200 -j -- jump-address 539001344
toolStatus: 0
commandOutput: {
"command" : "jump-address",
"response" : [],
"status" : {
"description" : "1450735702 (0x56787856) HAB disabled.",
"value" : 1450735702
}
}

Executing: C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\tools\blhost2_3\win\blhost -t 50000 -p COM3,115200 -j -- get-property 1 0
toolStatus: 1
commandOutput: {
"command" : "ping",
"response" : [],
"status" : {
"description" : "10500 (0x2904) No response received for ping command.",
"value" : 10500
}
}

Executing: C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\tools\blhost2_3\win\blhost -t 50000 -p COM3,115200 -j -- get-property 1 0
toolStatus: 1
commandOutput: {
"command" : "ping",
"response" : [],
"status" : {
"description" : "10500 (0x2904) No response received for ping command.",
"value" : 10500
}
}

Executing: C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\tools\blhost2_3\win\blhost -t 50000 -p COM3,115200 -j -- get-property 1 0
toolStatus: 1
commandOutput: {
"command" : "ping",
"response" : [],
"status" : {
"description" : "10500 (0x2904) No response received for ping command.",
"value" : 10500
}
}

Executing: C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\tools\blhost2_3\win\blhost -t 50000 -p COM3,115200 -j -- get-property 1 0
toolStatus: 1
commandOutput: {
"command" : "ping",
"response" : [],
"status" : {
"description" : "10500 (0x2904) No response received for ping command.",
"value" : 10500
}
}

Executing: C:\Users\T.Thurgood\Hub2\another_bootoader\NXP-MCUBootUtility-master\NXP-MCUBootUtility-master\tools\blhost2_3\win\blhost -t 50000 -p COM3,115200 -j -- get-property 1 0
toolStatus: 1
commandOutput: {
"command" : "ping",
"response" : [],
"status" : {
"description" : "10500 (0x2904) No response received for ping command.",
"value" : 10500
}
}

Traceback (most recent call last):
File "main.py", line 213, in callbackFlashImage
File "_main\RTyyyy_main.py", line 556, in RTyyyy_callbackFlashImage
File "_main\RTyyyy_main.py", line 533, in RTyyyydoFlashImage
File "run\RTyyyy_runcore.py", line 1227, in RTyyyy_flashBootableImage
File "run\RTyyyy_runcore.py", line 1123, in _genDestEncAppFileWithoutCfgBlock
File "ntpath.py", line 180, in split
File "ntpath.py", line 115, in splitdrive
TypeError: object of type 'NoneType' has no len()

Please advise how I can use the BootLoader to download unsigned and encrypted images.

Best regards,

Tony

0 Kudos
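The "Executing: / toolStatus: / commandOutput:" log in the post above can be read by a script, which is what a stand-alone programmer replicating sdphost and blhost has to do. This is an added example, not code from MCUBootUtility or from any poster; it assumes the log layout shown in the post, the sample log is constructed from those lines with the install path shortened, and the function names are hypothetical.

```python
import json
import ntpath
import re

# Status values exactly as quoted in the tool output in this thread.
HAB_STATE = {0x12343412: "enabled", 0x56787856: "disabled"}
PING_NO_RESPONSE = 10500  # 0x2904, "No response received for ping command."

_JSON = json.JSONDecoder()


def parse_log(text):
    """Return one record per 'Executing:' entry of the log."""
    records = []
    for chunk in re.split(r"^Executing:", text, flags=re.M)[1:]:
        cmdline, _, rest = chunk.strip().partition("\n")
        parts = cmdline.split()
        # Tool name is the basename of the Windows path, without any .exe suffix.
        tool = ntpath.splitext(ntpath.basename(parts[0]))[0].lower()
        args = parts[parts.index("--") + 1:] if "--" in parts else []
        status = re.search(r"^toolStatus:\s*(-?\d+)", rest, flags=re.M)
        brace = rest.find("{")
        try:
            output = _JSON.raw_decode(rest[brace:])[0] if brace != -1 else {}
        except ValueError:  # truncated or damaged JSON: keep the record, no value
            output = {}
        records.append({
            "tool": tool,
            "subcommand": args[0] if args else None,
            "tool_status": int(status.group(1)) if status else None,
            "value": output.get("status", {}).get("value"),
        })
    return records


def summarize(records):
    """HAB state from the last sdphost reply, and whether blhost was answered after the jump."""
    result = {"hab": None, "jump_accepted": None,
              "blhost_attempts": 0, "flashloader_responded": False}
    for rec in records:
        if rec["tool"] == "sdphost":
            result["hab"] = HAB_STATE.get(rec["value"], "unknown")
            if rec["subcommand"] == "jump-address":
                result["jump_accepted"] = rec["tool_status"] == 0
                result["blhost_attempts"] = 0
                result["flashloader_responded"] = False
        elif rec["tool"] == "blhost":
            result["blhost_attempts"] += 1
            if rec["tool_status"] == 0 and rec["value"] != PING_NO_RESPONSE:
                result["flashloader_responded"] = True
    return result


# Constructed sample: the records from the post, with the install path shortened.
SAMPLE_LOG = r"""
Executing: tools\sdphost\win\sdphost -t 50000 -p COM3,115200 -j -- jump-address 539001344
toolStatus: 0
commandOutput: {
"command" : "jump-address",
"response" : [],
"status" : {
"description" : "1450735702 (0x56787856) HAB disabled.",
"value" : 1450735702
}
}
Executing: tools\blhost2_3\win\blhost -t 50000 -p COM3,115200 -j -- get-property 1 0
toolStatus: 1
commandOutput: {
"command" : "ping",
"response" : [],
"status" : {
"description" : "10500 (0x2904) No response received for ping command.",
"value" : 10500
}
}
Executing: tools\blhost2_3\win\blhost -t 50000 -p COM3,115200 -j -- get-property 1 0
toolStatus: 1
commandOutput: {
"command" : "ping",
"response" : [],
"status" : {
"description" : "10500 (0x2904) No response received for ping command.",
"value" : 10500
}
}
"""

if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

A result with `jump_accepted` true and `flashloader_responded` false matches what the log shows: sdphost accepted the jump, and no blhost ping was answered afterwards.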

1,138 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi Tony Thurgood,

  Thanks for your updated information.

   In fact, if you are using the MCUBootUtility, you just need to use your app firmware file and click “BEE Encrypted Image Boot”, you said, when you meet the path not found problem, can you show me a picture about it:

WindowsError: The directory name is invalid: 'C:\.....\NXP-MCUBootUtility-master\tools\cst\keys'

I need to check more details, when you connect the chip, can you connect it in the serial download mode with UART or the HID?

Do you follow my document, copy your generated cst file and key like the following:

1. Copy the configured cst folder to folder:

NXP-MCUBootUtility-2.0.0\tools

Delete the original cst folder.

2. Copy SRK_1_2_3_4_fuse.bin and SRK_1_2_3_4_table.bin to folder:

 NXP-MCUBootUtility-2.0.0\gen\hab_cert

This is very important!

I don't know, whether you already burn the SRK fuse or not, can you connect the MCUBootUtility tool, if you already connect it, you can read all the fuse map, then send me the readout picture.

Do you have any new RT1020 chip? Can you also test my generated cst and key? Because I am not sure your generate cst files is correct or not.

You can share more details with me, when I have time, I will also find a RT1021 validation board to test the BEE on my side. I have tested the RT1060/50 BEE mode on my side, it works OK, I also use the MCUBootUtility tool download the code.

 BTW, do you set the BOOT_CFG1[0] =1 on your board?

Have a great day,
Kerry

 


0 Kudos

1,138 Views
t_thurgood
Contributor III

Hi Kerry,

Thank you for your response and information.

Firstly I am using our proven board that has iMXRT1021 + MC25L3233F external qspi NOR flash. At this stage we have not blown any fuses and we are using serial port to do the initial download (elftosb + SDPHost + Blhost).

All of this is working with no problems. I had to set "StatusReg1[6] QE" to get the Macronix flash device to work, (the Eval Issi flash didn't need this).

So now we want to use OTF/BEE encryption. I was able to generate all the necessary SRKs/Certs manually using the CST tool, but building/downloading the bd image failed (as mentioned above).

As you suggested, I tried using the MCUBootUtility with serial port (we don't have USB stack support on our board).

First problem is the path failure when generating the SRK/Cert, please see attached png snapshot...

mcu_boot_util_cst.png 

I overcame this problem by moving /crts and /keys up one folder to /tools. The SRKs now build.

2. Copy SRK_1_2_3_4_fuse.bin and SRK_1_2_3_4_table.bin to folder:

 NXP-MCUBootUtility-2.0.0\gen\hab_cert

This is very important!

I'm not sure why; the "Generate Certificate,SRK" action does put the SRKs in the /gen/hab_cert folder. Please note, I am using v2.1.0, maybe there has been a change?...

mcu_boot_util_cst_2.png

I now generate the boot image which is successful.

Then "Load Encrypted Image" ...at this stage I haven't blown any fuses.

This fails with... 

"StatusMemoryCumulativeWrite 10203 Failed to write to unerased memory range."

Which implies that flash hasn't been erased correctly?

That and other errors are shown here...

mcu_boot_util_cst_3.png

The .py scripts have run into a problem?

best regards,

Tony

0 Kudos
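Status 10203 in the post above names a write to a range that was not erased. One way to look for that condition before flashing is to walk the boot-section listing that `elftosb -V` prints for the .sb file and confirm that every LOAD into flash lies inside a range erased since the last write. This is an added example, not part of the thread or of the NXP tools; the listing embedded below is the one posted earlier in the thread for the unsigned image, `FLASH_BASE` is taken from `startAddress` in the posted .bd file, and the function names are hypothetical.

```python
import re

FLASH_BASE = 0x60000000  # FlexSPI NOR start, from startAddress in the posted .bd file

# Matches the ERAS and LOAD rows of an `elftosb -V` boot-section listing.
ROW = re.compile(
    r"^\s*(ERAS|LOAD)\s*\|\s*adr=(0x[0-9a-fA-F]+)\s*\|\s*(?:cnt|len)=(0x[0-9a-fA-F]+)",
    re.M,
)


def _add(intervals, start, end):
    """Insert [start, end) and merge overlapping or touching intervals."""
    merged = []
    for s, e in sorted(intervals + [(start, end)]):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def _remove(intervals, start, end):
    """Cut [start, end) out of the erased set: written flash is no longer erased."""
    out = []
    for s, e in intervals:
        if e <= start or s >= end:
            out.append((s, e))
            continue
        if s < start:
            out.append((s, start))
        if e > end:
            out.append((end, e))
    return out


def unerased_loads(listing):
    """Return (address, length) for each flash LOAD not fully inside an erased range."""
    erased, problems = [], []
    for row in ROW.finditer(listing):
        op, adr, size = row.group(1), int(row.group(2), 16), int(row.group(3), 16)
        if adr < FLASH_BASE:  # RAM-side commands are not flash writes
            continue
        end = adr + size
        if op == "ERAS":
            erased = _add(erased, adr, end)
        else:
            if not any(s <= adr and end <= e for s, e in erased):
                problems.append((adr, size))
            erased = _remove(erased, adr, end)
    return problems


# Listing as posted earlier in this thread (unsigned image).
PAGE_LISTING = """
Boot Section 0x00000000:
FILL | adr=0x20202000 | len=0x00000004 | ptn=0xc0000106
FILL | adr=0x20202004 | len=0x00000004 | ptn=0x00000000
ENA | adr=0x20202000 | cnt=0x00000004 | flg=0x0900
ERAS | adr=0x60000000 | cnt=0x00026000 | flg=0x0000
FILL | adr=0x20203000 | len=0x00000004 | ptn=0xf000000f
ENA | adr=0x20203000 | cnt=0x00000004 | flg=0x0900
LOAD | adr=0x60001000 | len=0x000247b9 | crc=0x805fdccf | flg=0x0000
ERAS | adr=0x60000000 | cnt=0x00026000 | flg=0x0000
FILL | adr=0x20203000 | len=0x00000004 | ptn=0xf000000f
ENA | adr=0x20203000 | cnt=0x00000004 | flg=0x0900
LOAD | adr=0x60001000 | len=0x000247b9 | crc=0x6fc44859 | flg=0x0000
"""

if __name__ == "__main__":
    print(unerased_loads(PAGE_LISTING) or "every LOAD is covered by an ERAS")
```

The posted unsigned listing passes this check; the listing of the encrypted .sb file does not appear in the thread, so the same check would have to be run on that file's own `-V` output.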