RT-1050 Flashloader in encrypted QSPI launching application in QSPI

greg_nowak · ‎02-28-2020

I have an RT-1050 with an external QSPI flash chip for holding my application and another external flash chip for holding multiple versions of firmware.

What I'd like to do is this:

Have the FlashLoader resident in QSPI flash as a second stage bootloader. I'd like the BootROM to launch the FlashLoader (load it from QSPI to RAM and run it), then I'd like the FlashLoader to validate a couple images in the 'data' Flash and copy one of those images to QSPI flash. I'm implementing a basic A/B partitioning scheme for OTA.

After that is complete I'd like FlashLoader to launch the application as XiP in the QSPI flash.

I need the Flashloader and the application image to be encrypted since they exist in external flash. RT-1050 provides the BEE so it can do on the fly AES decryption, so that's what I'd like to do.

I need the Flashloader to validate the image (signature validation using public key decryption) before launching.

I've read through a plethora of documents from NXP that all seem to indicate that what I want to do it possible.

However, the "Flashloader" source code provided by the SDK (MCUXpresso, Import SDK Examples, evkbimxrt1050_flashloader) is expected to be running out of RAM and does not do on the fly decryption or application signature checking. When I 'enable' these #defines in the code it no longer compiles because of QSPI dependencies and OTFAD libraries that are missing.

1. Does anyone out there have an example Flashloader that is encrypted and executes from QSPI flash?

2. Does anyone out there have an example Flashloader that runs an application that is encrypted and validated?

The examples I see from NXP seem to assume that Flashloader is only used in RAM in the factory one time and the end user application is encrypted, stored at the base of flash along with some configuration information, and the BootROM is what launches the end application. My end application is going to need to support "over the air" updates outside of the factory, so I need the 'second stage bootloader' (i.e. modified version of Flashloader) to be checking the application integrity every time it boots and copying images from data flash to QSPI flash. This means that I can't have the BootROM launch my end user application.

Thanks,

Greg

kerryzhou · ‎03-04-2020

Hi Gregory Nowak,

One of our colleagues already contact with me internally, maybe is your mentioned FAE.

I already tell him the "i.MX RT10XX OTA FW Update" application.

I have checked the application package, it contains the RT1050, the RT1050 can support multiple image in QSPI flash.

BTW, you also can check the RT1060 sdk at first :

SDK_2.7.0_EVK-MIMXRT1060\boards\evkmimxrt1060\bootloader_examples\ota_bootloader

This is also the ota bootloader, it is downloaded to the external flash.

Have a great day,
Kerry

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

元の投稿で解決策を見る

kerryzhou · ‎03-02-2020

Hi Gregory Nowak,

About your question:

1. Does anyone out there have an example Flashloader that is encrypted and executes from QSPI flash?

2. Does anyone out there have an example Flashloader that runs an application that is encrypted and validated?

As I know, the distributor Avnet side has the i.mx RT10XX secure OTA FW update application code and the ppt about it.

But I can't share it with you in the public community. So you can try to contact with your local Avnet distributor, check whether the DFAE can send you or not.

You can find the distributor from this link:

Distributor Network | NXP

BTW, you also can check the RT1060 SDK, OTA bootloader, maybe it also useful to you.

Have a great day,
Kerry

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

greg_nowak · ‎03-02-2020

Thank you!

I'll take a look at the RT-1060 Bootloader and put a request out to my local Avnet distributor to see if they can help me out.

I have a request in to my NXP FAE but so far the NXP FAE just told me to post the question here. Hopefully the Avnet one will be able to point me in the right direction.

Greg

kerryzhou · ‎03-02-2020

Hi Gregory Nowak,

Thanks for your updated information.

Do you already have the NXP FAE on your side?

If yes, please send email to him, you can try to apply for "i.MX RT10XX OTA FW Update" application and the sample code, you can check it with him, whether you need to assign the NDA or not, because I can't share it on the public community.

As I know, Avnet also has "i.MX RT10XX OTA FW Update".

Have a great day,
Kerry

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

greg_nowak · ‎03-03-2020

I have emailed my FAE and so far they have not been able to help, I think they are busy. They told me to post the question here.

I'm struggling because some posts online seem to indicate that the RT-1050 'cannot' support multiple images in QSPI flash, and only the RT-1060 supports the feature I'm looking for. However, I also see other posts where people say they've managed to get the RT-1050 to do what I want.

At this point I would suffice to have a copy of the Flashloader that can be encrypted and loaded from QSPI flash (not RAM copy only) and have the Flashloader able to validate and run an image also in QSPI flash. That would get me 90% of the way. I just can't seem to get the existing Flashloader provided with the RT-1050 SDK to compile when it has anything 'flash' related enabled. I believe my struggles revolve around MCUBoot being a generic application that works on many processors and the flags don't work as I'd expect.

Greg

kerryzhou · ‎03-04-2020

Hi Gregory Nowak,

One of our colleagues already contact with me internally, maybe is your mentioned FAE.

I already tell him the "i.MX RT10XX OTA FW Update" application.

I have checked the application package, it contains the RT1050, the RT1050 can support multiple image in QSPI flash.

BTW, you also can check the RT1060 sdk at first :

SDK_2.7.0_EVK-MIMXRT1060\boards\evkmimxrt1060\bootloader_examples\ota_bootloader

This is also the ota bootloader, it is downloaded to the external flash.

Have a great day,
Kerry

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

greg_nowak · ‎03-11-2020

Kerry,

I was acquired the OTA Bootloader from my FAE. It has the RT-1020, RT-1050 and RT-1060 for QSPI flash!

Thank you for your support.

Greg

kerryzhou · ‎03-11-2020

Hey Greg,

That's very good to hear you already get the OTA Bootloader.

Best Regards,

Kerry