Clarification of Boot Order when using HAB with a DCD present

philiph
Contributor I

I'm looking to develop a secure boot app on the I.MX8MMini EVK and have a question regarding the Boot ROM processing. 

I understand that to enable Code Signing I need to generate the certificate chain and set the hash in the SRK_HASH OTP area. The HAB code will then authenticate against my certs. I can use the hab_status to verify a clean, authenticated boot. This is covered in AN4581.

Now - I would like to avoid blowing fuses at all costs, so ....

Since the OTP area is covered by writable shadow registers, I'm thinking that I can use the DCD block to program the shadow SRK_HASH using registers OCOTP_HW_OCOTP_SRK[0-7], which would simulate me having programmed the real OTP value. However, this will only work if the Boot ROM applies the DCD before it verifies the image signature.

So can you please clarify the ROM boot order: does it ...

  1. Apply the DCD configuration then HAB checks image signature and jumps to code or 
  2. HAB Verifies the image and THEN applies the DCD, then jumps to the entry point.

Thanks

Yuri
NXP Employee

Hello,

I've sent you some comments directly.

Have a great day,

Yuri