MCUXpresso Secure Provisioning v8 HAB Setting ?

Solved

seobi1111
Contributor III

Hello.
I have a question while testing the Secure JTAG settings.

boot.png

Q1) Boot mode is currently set to Authenticated (HAB). If you change it to Unsigned, a Fuse 0x960 mismatch error will occur when writing image. Can't I change it to Unsigned?

Q2) What is the difference between Authenticated (HAB) and Encrypted (HAB)?

Q3) I am referring to the MCUXpresso Secure Provisioning v8 User Guide (MCUXSPTUG). If I create a PKI Key and use "evkmimxrt1170_iled_blinky_cm7_QSPI_FLASH.s19" (PATH: \nxp\MCUX_Provi_v8\bin\_internal\data\targets\MIMXRT1176\source_images), JTAG security will be applied well. After importing MCUXpresso SDK "evkmimxrt1170_iled_blinky_cm7", the code was modified to blink at a 100ms cycle. If you Build Image the "evkmimxrt1170_iled_blinky_cm7.axf" file with SPT and then Write Image, it works well. But JTAG (Segger J-Link Pro) doesn't connect. Is there any reason? If the application changes, is there anything I need to reset to set JTAG security settings?

The board I am using is RT1170-EVKB.

marek-trmac
NXP Employee

Hi Yong Sub Ji,

Q2) Authenticated == signed. The application image is signed with the selected key from PKI management. The processor does not allow running an unsigned application anymore. The attacker cannot change the application, because he does not have the private key.

Encrypted: the application image is encrypted. If an attacker reads the external flash, there is no meaningful code.

Q1) See authenticated above. Authenticated mode is set in fuses and this is an irreversible operation. Before the irreversible operation is done by the tool, there is a confirmation dialog, so you should know what fuses were affected.

Q3) SEC tool does not configure JTAG security. I cannot help here.

Regards,
Marek

seobi1111
Contributor III

Hi marek.

Your reply was helpful. Thank you.

I have it set to Authenticated (HAB) on the EVB, so my understanding is that I can't change the boot mode anymore. (If I don't know which fuse was affected...)

Please check if my understanding is correct.

 

marek-trmac
NXP Employee

Hi.

Yes, I confirm.

You can find the fuse configuration in the Build view; see the OTP configuration button. This will open a configuration dialog with all fuses. The fuses that must be set based on the selected configuration (Authenticated mode) are displayed in blue and cannot be changed. The other fuses can be customized.

Regards,
Marek