https://community.nxp.com/t5/i-MX-Processors/Secure-Boot-HABv4-verification-using-SRK-fuses/m-p/1156964#M162313 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/1941">@Yuri</a>&nbsp;</P><P>Thanks for your quick reply.</P><P>Yes, we also referred&nbsp;<SPAN>i.MX Android ™ Security User's Guide and it also explains same steps for secure-boot HABv4 verification.</SPAN></P><P><SPAN>The "hab_status" command from u-boot also show same results (attached in first post), even though&nbsp;<STRONG>we haven't programmed any SRK fuses or fuse to close the chip.</STRONG></SPAN></P><P>So,&nbsp;<STRONG>what is the use of SRK fuses in secure-boot HABv4 verification?</STRONG></P><P>Thanks,</P><P>Pratik Manvar</P> Tue, 22 Sep 2020 14:11:35 GMT pratik_manvar 2020-09-22T14:11:35Z https://community.nxp.com/t5/i-MX-Processors/Secure-Boot-HABv4-verification-using-SRK-fuses/m-p/1156771#M162273 <P>Hi All,</P><P>We are using i.MX8MQ based custom board with NXP release Android-p9.0.0_2.0.0-ga.</P><P>To generate secure-boot enabled and signed u-boot image, we followed steps from docs availbale in uboot source at /doc/imx/habv4/guides/mx8m_mx8mm_secure_boot.txt and doc/imx/habv4/introduction_habv4.txt.</P><P><STRONG>Initially for testing, we haven't programmed any SRK fuses or fuse to close the chip. </STRONG></P><P><STRONG>Even though, all the secure-boot verification using&nbsp;HABv4 scenarios are working fine.! </STRONG></P><P>1. The signed u-boot image using CST tools (v3.1.0) is verified successfully without any HAB events or errors.</P><P>2. If we corrupt signed u-boot image or generate it with some wrong CSF data during signing using CST Tools, we are getting HAB events errros.</P><P>3. If we flash unsinged u-boot image, it shows us "Error: CSF header command not found" and HAB events are generated.</P><P><STRONG>Note:</STRONG> For logs of above 3 scenarios, please see attached file (secureboot-scenarios.txt).</P><P>So, here my questions are,</P><P><STRONG>1. How secure-boot verification happens without SRK fuses burnt? </STRONG></P><P><STRONG>2. what is the use of SRK fuses? </STRONG></P><P>Please help us out to understand above scenarios.</P><P>Thank you.</P><P>Regards,</P><P>Pratik Manvar</P> Tue, 22 Sep 2020 10:19:56 GMT https://community.nxp.com/t5/i-MX-Processors/Secure-Boot-HABv4-verification-using-SRK-fuses/m-p/1156771#M162273 pratik_manvar 2020-09-22T10:19:56Z https://community.nxp.com/t5/i-MX-Processors/Secure-Boot-HABv4-verification-using-SRK-fuses/m-p/1156833#M162286 <P><a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/177024">@pratik_manvar</a>&nbsp;</P> <P>Hello,</P> <P>&nbsp;&nbsp; Please try using "hab_status" U-boot command.<BR />Follow section 3.1.2 (Verifying images with HABv4) of i.MX Android ™ Security User's Guide (Rev. P9.0.0).</P> <P>&nbsp;</P> <P>Regards,<BR />Yuri.</P> Tue, 22 Sep 2020 09:24:47 GMT https://community.nxp.com/t5/i-MX-Processors/Secure-Boot-HABv4-verification-using-SRK-fuses/m-p/1156833#M162286 Yuri 2020-09-22T09:24:47Z https://community.nxp.com/t5/i-MX-Processors/Secure-Boot-HABv4-verification-using-SRK-fuses/m-p/1156964#M162313 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/1941">@Yuri</a>&nbsp;</P><P>Thanks for your quick reply.</P><P>Yes, we also referred&nbsp;<SPAN>i.MX Android ™ Security User's Guide and it also explains same steps for secure-boot HABv4 verification.</SPAN></P><P><SPAN>The "hab_status" command from u-boot also show same results (attached in first post), even though&nbsp;<STRONG>we haven't programmed any SRK fuses or fuse to close the chip.</STRONG></SPAN></P><P>So,&nbsp;<STRONG>what is the use of SRK fuses in secure-boot HABv4 verification?</STRONG></P><P>Thanks,</P><P>Pratik Manvar</P> Tue, 22 Sep 2020 14:11:35 GMT https://community.nxp.com/t5/i-MX-Processors/Secure-Boot-HABv4-verification-using-SRK-fuses/m-p/1156964#M162313 pratik_manvar 2020-09-22T14:11:35Z https://community.nxp.com/t5/i-MX-Processors/Secure-Boot-HABv4-verification-using-SRK-fuses/m-p/1168812#M163575 <P><a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/177024">@pratik_manvar</a>&nbsp;<BR />Hello,<BR /><BR /></P> <P>&nbsp; For HAB 4.1.2 and newer the SRK is checked only if SRK&nbsp; is not 0.<BR />HAB checks SRK Hash in open mode. SRK Fuses = 0 leads to no<BR />HAB events due to SRK hash check.</P> <P>Regards,<BR />Yuri.</P> Fri, 16 Oct 2020 09:55:53 GMT https://community.nxp.com/t5/i-MX-Processors/Secure-Boot-HABv4-verification-using-SRK-fuses/m-p/1168812#M163575 Yuri 2020-10-16T09:55:53Z