How to create a signed image for serial boot with MCUXpresso secure provisioning tool

lorv
Contributor III

I have a setup with two rt600 processors, where only one has a flash connected.
I want to boot one processor from flash and then this processor sends the image via a serial connection to the other processor.

Both images need to be authenticated. I have managed to create an image for the first processor, which boots from flash, with the SPT v6.0; however, I don't see how an image bootable via serial could be created with the SPT.

Is there a different tool or a document which describes how to build an image like that?

1 Solution
lorv
Contributor III

Since the whole answer to the question is split over several answers in this thread, I want to summarize it briefly.

The SPT does not support building images for serial boot. However, one can select SD card as the boot device and build the image this way.
Since serial boot and booting from SD card both load the image to RAM, the generated image works for serial boot.

The image alone does not guarantee secure boot. The OTP configuration (respectively their shadow registers during development) must be done correctly in order for the signature to be checked at boot.
One can use the SPT for this even though it does not support serial boot, as follows:

Is there a way to use the SPT for this even though I don't write the image with the SPT?
  1. You have to have the workspace configured to the "Development" life-cycle (on the toolbar). This you should already have, just for completeness.
  2. On the Build tab, in "OTP Configuration", configure the fuses. You can check if the fuse can be written into the shadow register:
    lorv_0-1684324461623.png
  3. Click on the "Build" button; it is a required intermediate step.
  4. Go to the Write tab and click on the label "write_image_win.bat" (on Linux/Mac it will be *.sh).
    lorv_1-1684324461467.png
    This will update all necessary files, including the write script and also the write_shadows.bat script that can be found in the gen_scripts\ folder.
    lorv_2-1684324461395.png
  5. Double-check the content of the script.

In order to verify that the signature check actually works, flipping one bit in the image and trying to boot it is sufficient. If secure boot works, the image is loaded over the serial interface but is not executed and the chip is locked up. To check whether the chip is really locked, one can try to re-upload the shadow register config. It should fail with the following error:

### Execute application, that will configure shadow registers ###
blhost -t 5000 -u 0x1FC9,0x0020 -j -- execute 0x00080159 0x00080000 0x00200000
{
"command": "execute",
"response": [],
"status": {
"description": "10006 (0x2716) Unsupported Command.",
"value": 10006
}
}
blhost failed
### RESULT of the script `Writing shadow registers`: FAILURE (return code = [2]ERROR)

Hope this saves someone else some time.

Thank you Marek and Libor for your help!

9 Replies
marek-trmac
NXP Employee
NXP Employee

Hi David,

It is nice to hear your application is working now. We'd be more than happy if you send a short summary of how to enable Serial Boot via the MCUXpresso Secure Provisioning tool into this thread. I suppose you built the bootable image in the MCUXpresso Secure Provisioning tool (image executed in internal RAM) and then you just wrote the image into RAM and jumped to the image start address (?)

Thank you and have a nice day.

Regards,
Marek
lorv
Contributor III

Hi Marek,

I have written a summary already. It is the marked solution.

Once you have the OTP configured and a signed image which executes from RAM, you can load that image via serial boot, and the bootloader automatically verifies the signature; if the check is successful, it jumps to the start address specified in the image and executes.

Regards,

David

marek-trmac
NXP Employee
NXP Employee

Hi David,

The MCUXpresso Secure Provisioning GUI tool does not support all security settings; the tool supports only the most typical use cases. Unfortunately, booting via serial is not supported.

I also do not have any practical experience with serial boot, but I suppose the image will be executed from RAM, so you can build the image executed from RAM (select SD card as boot device) and then use serial boot to upload the bootable image to RAM.

You should be able to find related information in the reference manual for the RT6xx processor.

Regards,
Marek
lorv
Contributor III

Thanks for your answer.

Selecting SD card as boot device kind of worked. I could build an image and was able to boot it via serial boot. However, I think the image was not authenticated, because the OTP, respectively the shadow registers, were not set up to authenticate the image.

How can I configure the shadow registers to authenticate the serial boot image? Is there a way to use the SPT for this even though I don't write the image with the SPT?

Regards
liborukropec
NXP Employee
NXP Employee

Hello David,

Is there a way to use the SPT for this even though I don't write the image with the SPT?
  1. You have to have the workspace configured to the "Development" life-cycle (on the toolbar). This you should already have, just for completeness.
  2. On the Build tab, in "OTP Configuration", configure the fuses. You can check if the fuse can be written into the shadow register:
    liborukropec_0-1684253886992.png
  3. Click on the "Build" button; it is a required intermediate step.
  4. Go to the Write tab and click on the label "write_image_win.bat" (on Linux/Mac it will be *.sh).
    liborukropec_1-1684253966218.png
    This will update all necessary files, including the write script and also the write_shadows.bat script that can be found in the gen_scripts\ folder.
    liborukropec_2-1684253988032.png
  5. Double-check the content of the script.

Regards,
Libor

lorv
Contributor III

Thanks for your answer, this is very helpful!

I was able to write the shadow registers with the generated script and it executes successfully.

I then loaded a signed image via serial boot and it booted. So far so good.
To verify that secure boot works, I then loaded a different image, signed with a different ROT key and it booted as well.

I am confused by this. I have only used a soft reset (reset button SW3 on the mimxrt685-evk) between loading the two images, and it is my understanding that the shadow registers are not cleared by this. Secure boot is enabled in the OTP config, so the second image should not have booted.

Do you know where I went wrong?

marek-trmac
NXP Employee
NXP Employee

Hi David,

I tried a similar use case: I used a signed image located in external flash, executed in internal RAM. I used the SEC tool to build and write the image.

If I wrote the same image signed with different keys, it was rejected, the image was not started, and the processor remained in ISP mode.

Looking at the documentation, Fig 186. Top-level boot process, the image authentication is the same for "Serial Boot" and "FlexSPI boot".

After your failure, can you try switching your processor to ISP mode using a soft reset and try to upload the shadow registers again? If the processor is secured (using shadow registers), it should fail with the following error:

### Execute application, that will configure shadow registers ###
blhost -t 5000 -u 0x1FC9,0x0020 -j -- execute 0x00080159 0x00080000 0x00200000
{
"command": "execute",
"response": [],
"status": {
"description": "10006 (0x2716) Unsupported Command.",
"value": 10006
}
}
blhost failed
### RESULT of the script `Writing shadow registers`: FAILURE (return code = [2]ERROR)
Regards,
Marek
lorv
Contributor III

Hi Marek,

I have tried your suggestion and an additional step and was able to verify that secure boot actually works.

In my first approach, where two images were booted with different keys and both booted, I used ROT1 and ROT2 of the same PKI. I guess for this to work I would have had to revoke one of the keys.

Next I tried with ROT1 of two different PKIs. The one from the PKI where the OTP config was made booted, and the other one already failed during loading the image via UART. I guess the bootloader rejected the image right away since the PKI did not match, without even checking the signature.

Then I tried again with the image with the right key and signature, but I corrupted the image by flipping 1 bit in the image to verify that the signature is checked. The whole image was transferred via UART but the image did not boot.

I then tried to re-upload the shadow registers like you suggested and it failed with the same value: "10006".

Thank you very much for your help!
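The negative test described in the accepted solution and in the last two replies (flip one bit of the signed image, confirm the ROM refuses to run it, then confirm the part is locked because blhost's `execute` comes back with "10006 Unsupported Command") is easy to script. The following Python is an added example and is not code from the thread, from NXP, or from the SPT tool; it does not talk to the board itself. It produces the corrupted copy of an image file and classifies the JSON that `blhost -j` prints. File names, the sample image bytes and the sample JSON are constructed for illustration; the 10006 status value is the one quoted in the thread.

```python
"""Helpers for the secure-boot negative test discussed in the thread.

Added example, not from the NXP forum thread or the SPT tool. Paths, offsets
and sample data are constructed for illustration.
"""
import json
import tempfile
from pathlib import Path
from typing import Optional

# Status value blhost reported in the thread once the shadow registers were
# in force and the ROM refused the `execute` command.
BLHOST_UNSUPPORTED_COMMAND = 10006

# Constructed sample of `blhost -j` output, same shape as the one in the thread.
SAMPLE_LOCKED_JSON = """{
"command": "execute",
"response": [],
"status": {
"description": "10006 (0x2716) Unsupported Command.",
"value": 10006
}
}"""


def flip_bit(image: bytes, byte_offset: int, bit: int = 0) -> bytes:
    """Return a copy of `image` with exactly one bit toggled.

    A correctly provisioned ROM must refuse to run the result; if it boots,
    the signature is not being checked (wrong OTP/shadow config or wrong key).
    """
    if not 0 <= bit < 8:
        raise ValueError("bit index must be 0..7")
    if not 0 <= byte_offset < len(image):
        raise ValueError("byte offset lies outside the image")
    buf = bytearray(image)
    buf[byte_offset] ^= 1 << bit
    return bytes(buf)


def write_corrupted_copy(src: Path, dst: Path,
                         byte_offset: Optional[int] = None, bit: int = 0) -> int:
    """Write a one-bit-corrupted copy of `src` to `dst` and return the offset used.

    The default offset is the middle of the file, well away from the image
    header, so the flip lands in the signed payload rather than in metadata.
    """
    data = src.read_bytes()
    if byte_offset is None:
        byte_offset = len(data) // 2
    dst.write_bytes(flip_bit(data, byte_offset, bit))
    return byte_offset


def classify_blhost_output(json_text: str) -> str:
    """Classify the JSON that `blhost -j` prints for one command.

    'success'  - status value 0
    'locked'   - 10006 Unsupported Command, which the thread reports when the
                 ROM refuses `execute` on a part secured via shadow registers
    'error:N'  - any other status value
    """
    status = json.loads(json_text).get("status", {})
    value = status.get("value")
    if value == 0:
        return "success"
    if value == BLHOST_UNSUPPORTED_COMMAND:
        return "locked"
    return f"error:{value}"


if __name__ == "__main__":
    # Demo on a constructed 4 KiB "image" in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "signed_image.bin"
        bad = Path(tmp) / "signed_image_corrupt.bin"
        good.write_bytes(bytes(range(256)) * 16)
        off = write_corrupted_copy(good, bad)
        differing = sum(a != b for a, b in zip(good.read_bytes(), bad.read_bytes()))
        print(f"flipped bit 0 of byte {off}; files differ in {differing} byte(s)")
    print("blhost sample classified as:", classify_blhost_output(SAMPLE_LOCKED_JSON))
```

Run `write_corrupted_copy` on the image the SPT built, load the corrupted file with the same serial-boot procedure as the good one, and expect it not to execute; then pipe the output of the shadow-register script's `blhost -j ... execute` call through `classify_blhost_output` and expect `locked`. If the corrupted image boots, or the classification is `success`, the OTP/shadow configuration is not enforcing authentication and the steps in the accepted solution should be rechecked.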