MCUXpresso Secure Provisioning v8 HAB Setting ?

seobi1111
Contributor III

Hello.
I have a question while testing the Secure JTAG settings.

Q1) Boot mode is currently set to Authenticated (HAB). If you change it to Unsigned, a Fuse 0x960 mismatch error will occur when writing the image. Can't I change it to Unsigned?

Q2) What is the difference between Authenticated (HAB) and Encrypted (HAB) ?

Q3) I am referring to the MCUXpresso Secure Provisioning v8 User Guide (MCUXSPTUG). If I create a PKI key and use "evkmimxrt1170_iled_blinky_cm7_QSPI_FLASH.s19" (PATH: \nxp\MCUX_Provi_v8\bin\_internal\data\targets\MIMXRT1176\source_images), JTAG security will be applied well. After importing MCUXpresso SDK "evkmimxrt1170_iled_blinky_cm7", the code was modified to blink at a 100 ms cycle. If you Build Image the "evkmimxrt1170_iled_blinky_cm7.axf" file with SPT and then Write Image, it works well. But JTAG (Segger J-Link Pro) doesn't connect. Is there any reason? If the application changes, is there anything I need to reset to set the JTAG security settings?

 

The board I am using is RT1170-EVKB.

marek-trmac
NXP Employee

Hi Yong Sub Ji,

Q2) Authenticated==signed. The application image is signed with the selected key from PKI management. The processor no longer allows an unsigned application to run. The attacker cannot change the application, because he does not have the private key.

Encrypted: the application image is encrypted. If an attacker reads the external flash, there is no meaningful code.

Q1) See Authenticated above. Authenticated mode is set in fuses, and this is an irreversible operation. Before the irreversible operation is done by the tool, there is a confirmation dialog, so you should know what fuses were affected.

Q3) The SEC tool does not configure JTAG security. I cannot help here.

Regards,
Marek

seobi1111
Contributor III

Hi marek.

Your reply was helpful. Thank you.

I have it set to Authenticated (HAB) on the EVB, so my understanding is that I can't change the boot mode anymore. (If I don't know which fuse was affected...)

Please check if my understanding is correct.

 

marek-trmac
NXP Employee

Hi.

Yes, I confirm.

You can find the fuse configuration on the Build view; see the OTP configuration button. This will open a configuration dialog with all fuses. The fuses that must be set based on the selected configuration (Authenticated mode) are displayed in blue and cannot be changed. The other fuses can be customized.

Regards,
Marek