Hello, reading the iMX8M Mini manual I found the FIELD_RETURN and FIELD_RETURN_LOCK registers:
Configure device for field return testing.
Fuse burning is protected by CSF command, with proper parameter passed.
I haven't understood if after using FIELD_RETURN capability on a secure boot enabled device returned from the field I can sign again and enable again secure boot capabilities.
If so, does it mean the hash of the keys burned in the fuses is still valid, so the same keys can still be used?
Or after using FIELD_RETURN can the device only be used in open (non-secure) mode?
The entry to the Field-Return configuration on a secure enabled device requires specific steps to be performed. On certain devices, the field-return configuration operates differently than currently described in the Security Reference Manual. The FIELD_RETURN fuse is protected by the FIELD_RETURN_LOCK sticky bit in the OCOTP_CTRL fuse controller. This requires the OCOTP module clock to be enabled to set the sticky bit.
Before leaving the boot ROM, the FIELD_RETURN_LOCK bit is set as long as the OCOTP clock has been enabled in the initial bootloader (either via DCD or plugin method), so that the FIELD_RETURN fuse cannot be burned.
If the OCOTP module clock is not enabled then the FIELD RETURN behavior does not operate as described. In addition, if the device is configured in Serial Downloader Mode (SDP) the OCOTP module clock is not enabled on certain devices, hence the Field Return Mode functionality does not operate as described.
Ok, thank you,
but can I use the device again in secure mode after I enabled the FIELD_RETURN feature and retested/reflashed my device?
Or does that mean that after that it will be then usable only in non secure mode and with JTAG enabled ?
I saw this in the doc for I.MX RT10 and I am pretty sure it applies to the imx8mm -- would someone from NXP confirm?
Field Return (SEC_CONFIG fuse = 1; FIELD_RETURN fuse = 1):
- Intended for the secure products that have been returned by the end customer. Device should not be returned to the service (cannot return to the Closed state).
- Signed code with specific commands in the HAB CSF are required to allow transition from Closed to Field return.
  - Using HAB CSF unlock command including the device’s unique ID (CSF cannot be reused on another device), the field return sticky bit, which normally sets to block programming of the Field Return fuse, can be left clear.
  - After successful execution of the HAB CSF with the unlock field return command, the Field Return fuse can be blown to allow for additional debugging or sending the device back to NXP for analysis.
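
Added example (not from any poster in this thread and not NXP code): a small Python model of the FIELD_RETURN / FIELD_RETURN_LOCK behaviour as the posts above describe it, useful for reasoning about which boot configurations leave the fuse programmable. The class, method names and the sample UID are assumptions made for illustration; real hardware behaviour must be confirmed against the device's reference manual and errata.

```python
from dataclasses import dataclass
from typing import Optional

SAMPLE_UID = bytes.fromhex("0123456789abcdef")  # constructed value, not a real device ID


@dataclass
class Device:
    """Hypothetical model of one closed (secure boot enabled) part."""
    uid: bytes
    sec_config: bool = True       # SEC_CONFIG fuse = 1 (Closed)
    field_return: bool = False    # FIELD_RETURN fuse, one-time programmable
    fr_lock: bool = False         # FIELD_RETURN_LOCK sticky bit, cleared by reset

    def state(self) -> str:
        # Once the FIELD_RETURN fuse is blown the part cannot go back to Closed.
        if self.field_return:
            return "field-return"
        return "closed" if self.sec_config else "open"

    def boot(self, ocotp_clock_enabled: bool,
             csf_unlock_uid: Optional[bytes] = None) -> None:
        """Model the ROM exit path described in the thread.

        csf_unlock_uid stands for the UID carried in a correctly signed
        HAB CSF unlock command; None means no unlock command was present.
        """
        self.fr_lock = False  # sticky bits do not survive reset
        unlocked = csf_unlock_uid is not None and csf_unlock_uid == self.uid
        # The ROM can only set the sticky bit if the OCOTP clock is running,
        # and it leaves the bit clear when the CSF unlock matches this device.
        if ocotp_clock_enabled and not unlocked:
            self.fr_lock = True

    def burn_field_return(self) -> bool:
        """Try to program the FIELD_RETURN fuse; blocked while the lock is set."""
        if self.fr_lock:
            return False
        self.field_return = True
        return True


def lock_is_effective(ocotp_clock_enabled: bool) -> bool:
    """Check for a boot image with no unlock command: is the fuse protected?"""
    dev = Device(uid=SAMPLE_UID)
    dev.boot(ocotp_clock_enabled)
    return dev.fr_lock
```

In this model `lock_is_effective(False)` returns `False`, which is the configuration gap the reply above warns about: a boot image that never enables the OCOTP clock leaves the sticky bit unset.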