Hi all,
I am currently trying to fully secure an IMX8M device. I have programmed the SRK_HASH and am currently able to perform a high assurance boot with a signed bootloader and image.
In the AN4581 it lists the following fuses that must be programmed to fully secure the device:
• SRK_LOCK: Lock for SRK_HASH[255:0] fuses.
• DIR_BT_DIS: Disable direct external memory boot.
• SJC_DISABLE: Disable the secure JTAG controller module.
• JTAG_SMODE: Set JTAG security mode to no debug mode 0x11.
• JTAG_HEO: Disallows HAB JTAG enabling.
• BOOT_CFG_LOCK: Lock on BOOT related fuses.
I have worked out the word, bank and fuse values by reading IMX8MDQLQRM and IMX8MDQLQSRM for SRK_LOCK, BOOT_CFG_LOCK and SEC_CONFIG (please let me know if these are correct):
SRK_LOCK
fuse prog 0 0 0x100
BOOT_CFG_LOCK
fuse prog 0 0 0xC
SEC_CONFIG
fuse prog 1 3 0x2000000
For DIR_BT_DIS the technical specification states that:
"The DIR_BT_DIS eFuse must be programmed prior to shipping
a device in a security enabled configuration. If this eFuse is
not blown, the system is not secure."
So I assume that this does not need to be programmed.
For SJC_DISABLE and JTAG_SMODE I cannot find the mappings in the technical specification and have come across a forum post that details the following:
| Fuse addr | Fuse name | Num bits | Fuse function | Setting | Used by |
|---|---|---|---|---|---|
| 0x470[21] | SJC_DISABLE | 1 | Disable/Enable the Secure JTAG Controller module. This fuse is used to create the highest JTAG security level, where JTAG is totally blocked. | 0 - Secure JTAG Controller is enabled; 1 - Secure JTAG Controller is disabled | SJC |
| 0x470[23:22] | JTAG_SMODE[1:0] | 2 | JTAG Security Mode. Controls the security mode of the JTAG debug interface. | 00 - JTAG enable mode; 01 - Secure JTAG mode; 11 - No debug mode | SJC |
https://community.nxp.com/t5/i-MX-Processors/DIR-BT-DIS-and-others/m-p/1212354
And I can't see a mention of JTAG_HEO.
I would like to understand the following to fully secure the device:
- Does DIR_BT_DIS need to be programmed? If so what values?
- For SJC_DISABLE and JTAG_SMODE are the values shown in the table above 0x470[21] and 0x470[23:22] correct?
- Do I need to program JTAG_HEO? If so, what is its fuse mapping?
- Is there anything additional I need to program to fully secure the device? For instance, do I need to program fuses such as FIELD_RETURN?
Please may someone send the relevant information or documents detailing this.
Kind regards,
Tom
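As an added helper (not part of Tom's post or NXP's tooling), the script below translates the 0x470[bit] style addresses from the quoted table into U-Boot `fuse prog <bank> <word> <mask>` arguments, and checks read-back values. It assumes the i.MX8M OCOTP shadow-register layout (fuse word N at 0x400 + N*0x10, four words per bank); confirm that against the IMX8MDQLQRM fuse map before relying on it.

```python
# Added helper, not from the post. Assumed i.MX8M OCOTP layout: fuse word N
# is at shadow address 0x400 + N*0x10 and banks hold 4 words, so U-Boot's
# "fuse prog <bank> <word> <mask>" addresses word N = bank*4 + word.
OCOTP_BASE = 0x400
WORD_STRIDE = 0x10
WORDS_PER_BANK = 4


def addr_to_bank_word(addr):
    """Map an OCOTP shadow address such as 0x470 to (bank, word)."""
    if addr < OCOTP_BASE or (addr - OCOTP_BASE) % WORD_STRIDE:
        raise ValueError(f"not a fuse word address: {addr:#x}")
    n = (addr - OCOTP_BASE) // WORD_STRIDE
    return divmod(n, WORDS_PER_BANK)


def bank_word_to_addr(bank, word):
    """Reverse mapping, to check a 'fuse prog bank word' line against the RM."""
    return OCOTP_BASE + (bank * WORDS_PER_BANK + word) * WORD_STRIDE


def field_mask(hi, lo, value):
    """Mask that writes `value` into bits [hi:lo] of one fuse word."""
    width = hi - lo + 1
    if value >> width:
        raise ValueError(f"value {value:#x} does not fit {width} bit(s)")
    return value << lo


def fuse_prog_cmd(addr, hi, lo, value):
    """Build the U-Boot command for field [hi:lo] of the word at `addr`."""
    bank, word = addr_to_bank_word(addr)
    return f"fuse prog {bank} {word} {field_mask(hi, lo, value):#x}"


def field_is_set(word_value, hi, lo, expected):
    """Check a word read back with 'fuse read'/'fuse sense' for a field value."""
    return (word_value >> lo) & ((1 << (hi - lo + 1)) - 1) == expected


# Fields from the table quoted in the post; the SEC_CONFIG line in the post
# (bank 1 word 3, mask 0x2000000 = bit 25) serves as a consistency check.
FUSES = {
    "SJC_DISABLE": (0x470, 21, 21, 1),
    "JTAG_SMODE": (0x470, 23, 22, 0b11),
}

if __name__ == "__main__":
    for name, (addr, hi, lo, val) in FUSES.items():
        print(f"{name:12} {fuse_prog_cmd(addr, hi, lo, val)}")
    print("SEC_CONFIG word address:", hex(bank_word_to_addr(1, 3)))
```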