MCUXpresso Secure Provisioning v8 HAB Setting ?

seobi1111
Contributor III

Hello.
I have a question while testing the Secure JTAG settings.

boot.png

Q1) Boot mode is currently set to Authenticated (HAB). If you change it to Unsigned, a Fuse 0x960 mismatch error will occur when writing the image. Can't I change it to Unsigned?

Q2) What is the difference between Authenticated (HAB) and Encrypted (HAB)?

Q3) I am referring to the MCUXpresso Secure Provisioning v8 User Guide (MCUXSPTUG). If I create a PKI key and use "evkmimxrt1170_iled_blinky_cm7_QSPI_FLASH.s19" (PATH: \nxp\MCUX_Provi_v8\bin\_internal\data\targets\MIMXRT1176\source_images), JTAG security will be applied well. After importing the MCUXpresso SDK "evkmimxrt1170_iled_blinky_cm7", the code was modified to blink at a 100ms cycle. If you Build Image the "evkmimxrt1170_iled_blinky_cm7.axf" file with SPT and then Write Image, it works well. But JTAG (Segger J-Link Pro) doesn't connect. Is there any reason? If the application changes, is there anything I need to reset to set the JTAG security settings?

 

The board I am using is RT1170-EVKB.

marek-trmac
NXP Employee

Hi Yong Sub Ji,

Q2) Authenticated == signed. The application image is signed with the selected key from PKI management. The processor does not allow unsigned applications to run anymore. The attacker cannot change the application, because he does not have the private key.

Encrypted: the application image is encrypted. If an attacker reads the external flash, there is no meaningful code.

Q1) See authenticated above. Authenticated mode is set in fuses and this is an irreversible operation. Before the irreversible operation is done by the tool, there is a confirmation dialog, so you should know what fuses were affected.

Q3) The SEC tool does not configure JTAG security. I cannot help here.

Regards,
Marek

seobi1111
Contributor III

Hi marek.

Your reply was helpful. Thank you.

I have it set to Authenticated (HAB) on the EVB, so my understanding is that I can't change the boot mode anymore. (If I don't know which fuse was affected...)

Please check if my understanding is correct.

 

marek-trmac
NXP Employee

Hi.

Yes, I confirm.

You can find the fuse configuration on the Build view; see the OTP configuration button. This will open a configuration dialog with all fuses. The fuses that must be set based on the selected configuration (Authenticated mode) are displayed in blue and cannot be changed. The other fuses can be customized.

Regards,
Marek
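
Added example, not part of the thread and not NXP's tooling: a sketch of why a fuse that is already burned produces a mismatch when a different boot mode wants that bit at 0, assuming one-way OTP semantics (a bit can go from 0 to 1, never back). The function names, the second fuse address and all bit patterns are constructed for illustration; only the address 0x960 comes from the post.

```python
"""Pre-flight check for OTP fuse writes: bits can be set (0 -> 1), never cleared."""
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF

@dataclass(frozen=True)
class FuseCheck:
    address: int
    status: str       # "ok", "burn" (irreversible write needed) or "mismatch"
    bits_to_set: int  # bits the configuration would burn
    bits_stuck: int   # bits already burned that the configuration wants at 0

def plan_fuse(address, current, desired):
    """Classify one 32-bit fuse word against the value a configuration requires."""
    bits_stuck = current & ~desired & MASK32
    bits_to_set = desired & ~current & MASK32
    if bits_stuck:
        status = "mismatch"   # would need 1 -> 0, which OTP cannot do
    elif bits_to_set:
        status = "burn"
    else:
        status = "ok"
    return FuseCheck(address, status, bits_to_set, bits_stuck)

def plan_all(readback, wanted):
    """Check every fuse a configuration requires against the device readback."""
    results = []
    for address in sorted(wanted):
        if address not in readback:
            raise ValueError(f"no readback for fuse 0x{address:X}")
        results.append(plan_fuse(address, readback[address], wanted[address]))
    return results

def safe_to_write(results):
    """True only if no fuse would have to be cleared."""
    return all(r.status != "mismatch" for r in results)

# Constructed values. 0x960 is the address from the post; 0x970 and every bit
# pattern here are illustrative and not taken from the RT1170 fuse map.
DEVICE_READBACK = {0x960: 0x00000002, 0x970: 0x00000000}
AUTHENTICATED_CFG = {0x960: 0x00000002, 0x970: 0x00000010}
UNSIGNED_CFG = {0x960: 0x00000000}

if __name__ == "__main__":
    for name, cfg in (("authenticated", AUTHENTICATED_CFG), ("unsigned", UNSIGNED_CFG)):
        results = plan_all(DEVICE_READBACK, cfg)
        for r in results:
            print(f"{name}: fuse 0x{r.address:X} {r.status} "
                  f"set=0x{r.bits_to_set:08X} stuck=0x{r.bits_stuck:08X}")
        print(f"{name}: safe to write = {safe_to_write(results)}")
```

Running the same comparison against a real readback before any burn shows which writes are permanent and which requested configurations the device can no longer reach.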