HAB testing

Shealtiel · ‎05-28-2024

Q1. We are using IMXRT1020 NXP controller for secure bootloader, we got stuck in for further implementation of secure bootloader, as we received the security reference manual we cant able to progress on this, as per our understanding we need to write the SRK fuse values to enable HAB feature, which makes the ROM bootloader to authenticate the firmware which is signed by secure provisioning tool, here we dont know how to test the HAB using shadow registers, will the shadow register can configure via secure provisioning tool? if yes how can we configure and what registers should we configure to test HAB, this will be the great help if some explain the whole process.

Q2. we developed a secondary bootloader which will receive the application firmware from UART , can I use the HAB API's in my secondary bootloader to mimic the firmware authentication done by ROM bootloader ? if yes how can I use the HAB API's please help us on this.

diego_charles · ‎05-28-2024

Hi @Shealtiel

I hope to find you well.

The Secure Provisioning Tool does not support writing to shadow registers for RT devices. But you can use it to enable HAB by burning fuses ( your understanding is correct; you need to burn fuses to enable HAB ). With the SPT the process is very simple, and it is outlined in the 6.2.3.3 Booting encrypted (HAB) image chapter of the SPT user guide. As an additional tip once you burn HAB make sure to save your workspace in the SPT and do not generate again keys.

Yes, you can call HAB API to authenticate your application. Currently the only example of the HAB API to authenticate images that we have available is in the NXP SBL. The SBL contains HAB API headers and some function calls. Check the Semifunc folder. As additional information the keys used by the bootloader need to be reused for the secondary application.

Let me know if there is something else I could do for you.

Diego