https://community.nxp.com/t5/i-MX-Processors/imx6-secure-boot-questions/m-p/1134084#M160991 <P>Hi everyone!</P><P>I have different questions about secure boot on imx6ull (that runs linux compiled with Yocto - release sumo).</P><OL><LI>According to the related guide (<A href="http://variwiki.com/index.php?title=High_Assurance_Boot&amp;release=RELEASE_SUMO_V1.1_DART-6UL#Secure_the_device" target="_blank">http://variwiki.com/index.php?title=High_Assurance_Boot&amp;release=RELEASE_SUMO_V1.1_DART-6UL#Secure_the_device</A>) the paragraph 3.5 says that <EM>HAB does not consider the duration of the PKI</EM>. So if the PKI expires, what happens? is the system still bootable?</LI><LI>Is it possible/safe to burn efuses in an automatic way without enter manually in the uboot command line? maybe entering the<STRONG> fuse prog command</STRONG> in the <STRONG>bootcmd</STRONG> u-boot variable?</LI><LI>I'm wondering if there is some many-time-programmable memory to use for storing the PKI instead of efuses (in the case the PKI needs to be updated). So, is it possible to make secure boot without burning efuses?</LI></OL><P>Thank you all in advance!</P> Wed, 02 Sep 2020 10:03:01 GMT kwroot 2020-09-02T10:03:01Z https://community.nxp.com/t5/i-MX-Processors/imx6-secure-boot-questions/m-p/1134084#M160991 <P>Hi everyone!</P><P>I have different questions about secure boot on imx6ull (that runs linux compiled with Yocto - release sumo).</P><OL><LI>According to the related guide (<A href="http://variwiki.com/index.php?title=High_Assurance_Boot&amp;release=RELEASE_SUMO_V1.1_DART-6UL#Secure_the_device" target="_blank">http://variwiki.com/index.php?title=High_Assurance_Boot&amp;release=RELEASE_SUMO_V1.1_DART-6UL#Secure_the_device</A>) the paragraph 3.5 says that <EM>HAB does not consider the duration of the PKI</EM>. So if the PKI expires, what happens? is the system still bootable?</LI><LI>Is it possible/safe to burn efuses in an automatic way without enter manually in the uboot command line? maybe entering the<STRONG> fuse prog command</STRONG> in the <STRONG>bootcmd</STRONG> u-boot variable?</LI><LI>I'm wondering if there is some many-time-programmable memory to use for storing the PKI instead of efuses (in the case the PKI needs to be updated). So, is it possible to make secure boot without burning efuses?</LI></OL><P>Thank you all in advance!</P> Wed, 02 Sep 2020 10:03:01 GMT https://community.nxp.com/t5/i-MX-Processors/imx6-secure-boot-questions/m-p/1134084#M160991 kwroot 2020-09-02T10:03:01Z https://community.nxp.com/t5/i-MX-Processors/imx6-secure-boot-questions/m-p/1134193#M161001 <P><a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/177425">@kwroot</a>&nbsp;</P> <P>Hello,</P> <P class=""><SPAN class="">&nbsp;1.<BR />&nbsp;&nbsp;&nbsp;&nbsp; HAB on iMX doesn't verify the certificate period, so a signed image will continue <BR /></SPAN><SPAN class="">to boot on closed (locked) independent of certificate period set with CST tool.<BR /><BR />2.<BR />&nbsp;&nbsp;&nbsp; The i.MX fuses can be burned only once. So, the fuses are recommended to be burned <BR />after / with system images transfer, using UUU (MFG tool). <BR /><BR />3.<BR />&nbsp; It impossible to make secure boot without burning efuses. SRK fuses contain SRK hashes,<BR />which are verified by boot ROM.<BR /></SPAN></P> <P class="">&nbsp;</P> <P>Regards,<BR />Yuri.</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 02 Sep 2020 12:08:00 GMT https://community.nxp.com/t5/i-MX-Processors/imx6-secure-boot-questions/m-p/1134193#M161001 Yuri 2020-09-02T12:08:00Z