ROM USB SDP recovery mechanism usage in closed i.MX7ULP devices


1 - Background:

The USB download mode feature provides a means to load a software image to the target using the Serial Download Protocol (SDP). This feature is available in the i.MX 7ULP CA7 ROM and is also used as a recovery mechanism after all possible boot paths have been exhausted.

The image below is an example of serial downloader feature usage in SD/MMC Manufacture Mode: after all boot attempts fail, the target enters USB download mode, enabling users to recover the device.

Fig 1. SD/MMC Manufacture Mode boot flow


2 - Issue Description:

The i.MX7ULP CA7 ROM code forces an SNVS Software violation prior to entering USB recovery mode. In HAB closed devices, this violation transitions the SNVS Security State Machine (SSM) from the Trusted state to the Soft fail state.

Only the ROM USB SDP failover mechanism is impacted by this issue. Users can still use the serial download boot mode by setting BOOT_MODE = b01 (please be aware of the WDOG2 timeout issue).

The following behaviors can be observed due to this issue.

2.1 - UUU boot failure and SNVS engine HAB event

The following UUU timeout error is observed when trying to load an image after an SNVS Software violation:

$ sudo ./uuu signed-uboot-sdp.imx
uuu (Universal Update Utility) for nxp imx chips -- libuuu_1.2.135-0-gacaf035
Success 0    Failure 1
1:12     1/ 2 [HID(W):LIBUSB_ERROR_TIMEOUT           ] SDP: boot -f "signed-uboot-sdp.imx"  

Because the SNVS SSM has transitioned to Soft fail, the HABv4 library won't allow the target to boot up. Users can confirm this behavior by parsing the HAB persistent memory region using the hab_log_parser tool available in the CST package:

------------+----+------+----+-------------------------------------------------
Event       |0xdb|0x002c|0x43| SRCE Field: 33 30 ee 1e
            |    |      |    |             STS = HAB_FAILURE (0x33)
            |    |      |    |             RSN = HAB_ENG_FAIL (0x30)
            |    |      |    |             CTX = HAB_CTX_EXIT (0xEE)
            |    |      |    |             ENG = HAB_ENG_SNVS (0x1e)
            |    |      |    | Evt Data (hex):
            |    |      |    |  00 00 00 00 80 00 b3 40 80 00 20 00 00 00 00 20
            |    |      |    |  00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00
            |    |      |    |  00 00 00 00


This issue can be observed in both single and dual boot modes.
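
As an added example (not part of the original article or of the CST tooling), the sketch below decodes the event record shown above from raw bytes and flags the STS/RSN/ENG combination this page ties to the forced SNVS violation. It assumes event records sit back to back in the buffer; the code tables hold only the values printed in the log above, and the function names are hypothetical.

```python
import struct

# Codes taken from the hab_log_parser output in section 2.1; others print as hex.
STS = {0x33: "HAB_FAILURE"}
RSN = {0x30: "HAB_ENG_FAIL"}
CTX = {0xEE: "HAB_CTX_EXIT"}
ENG = {0x1E: "HAB_ENG_SNVS"}
EVT_TAG = 0xDB  # tag byte of the event header shown in the dump

# Constructed sample: the event from section 2.1 re-typed as raw bytes
# (4-byte header, 4-byte SRCE field, 36 bytes of event data = 0x2c).
SAMPLE = bytes.fromhex(
    "db002c43" "3330ee1e"
    "00000000" "8000b340" "80002000" "00000020"
    "00000000" "00000000" "00000008" "00000000"
    "00000000"
)

def parse_events(buf):
    """Walk back-to-back event records (assumed layout) and decode each one."""
    events, off = [], 0
    while off + 8 <= len(buf):
        # Header: tag, big-endian length covering the whole record, version.
        tag, length, version = struct.unpack_from(">BHB", buf, off)
        if tag != EVT_TAG:
            break  # end of log, or not an event record
        if length < 8 or off + length > len(buf):
            raise ValueError(f"truncated or corrupt event at offset {off:#x}")
        sts, rsn, ctx, eng = buf[off + 4:off + 8]
        events.append({
            "offset": off, "version": version,
            "sts": STS.get(sts, hex(sts)), "rsn": RSN.get(rsn, hex(rsn)),
            "ctx": CTX.get(ctx, hex(ctx)), "eng": ENG.get(eng, hex(eng)),
            "data": buf[off + 8:off + length],
        })
        off += length
    return events

def is_snvs_softfail_signature(evt):
    """True for the event this page associates with the forced SNVS violation."""
    return (evt["sts"], evt["rsn"], evt["eng"]) == (
        "HAB_FAILURE", "HAB_ENG_FAIL", "HAB_ENG_SNVS")

if __name__ == "__main__":
    for e in parse_events(SAMPLE):
        flag = "  <-- SNVS engine failure" if is_snvs_softfail_signature(e) else ""
        print(f"{e['offset']:#06x} {e['sts']} {e['rsn']} {e['ctx']} {e['eng']}{flag}")
```
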

2.2 - CM4 failure to boot in the absence of valid CA7 image

The i.MX7ULP has two independent HABv4 libraries, one running on each core. Only the CA7 ROM is able to transition the SSM, but the CM4 ROM still evaluates the SSM state prior to booting the software image.

An invalid CA7 image in the boot media (no IVT or HW disconnected) would immediately cause a CA7 boot failure, triggering a software violation. As the violation may happen before CM4 authentication completes, the CM4 HAB library won't allow the target to boot up.

Please note that this behavior can only happen in dual boot mode and may vary according to the CM4 image and key length being used.

3 - Impacted Silicon:

All i.MX 7ULP B0 and B1 silicon revisions using the SDP recovery feature are impacted by this issue. Users setting BOOT_MODE = b01 (Serial Downloader) are not impacted by this issue.

Please note that WDOG2 is enabled by default in i.MX7ULP B0 and B1 silicon. Users should refer to the document below to understand the SDP boot limitations:

i.MX 7ULP Cannot boot a Closed device via SDP 

4 - Workarounds:

No software workarounds were identified to address this issue. Users can still use the serial download feature by setting BOOT_MODE = b01.

This issue does not compromise the i.MX security.

Last update: 06-22-2020 11:08 AM