How to reconfigure ZMK when tamper events occur


1,411 Views
TammyTsai
Contributor III

Hi NXP team,

I enabled secure boot support on an i.MX6UL based custom board and used the software programming mechanism to program the ZMK value.

No HAB event is found during the boot process.

After that, I program the SEC_CONFIG[1] fuse bit to close the device.

ZMK is automatically zeroized and ZMK-WSL is set to 1 when the security violation is triggered.

The signed U-Boot image and the signed Linux Kernel image can no longer be burned to the device using UUU in either internal boot mode or serial download mode.

How do I clear the ZMK-WSL with a "system reset"?


I found a similar "unlock ZMK_WSL" issue in the forum.

For closed devices, the Unlock SNVS ZMK WRITE command should be added to the CSF file.

In the CSF file, after [Authenticate CSF] and before [Authenticate Data], add the command below.

[Unlock]
Engine = SNVS
Features = ZMK WRITE


Do I only need to add the unlock command to be able to reconfigure the ZMK?

Should this unlock command be added in the CSF file for U-Boot and the CSF file for Linux Kernel?


The burning procedure is locked in the following figure.

[attached screenshot: TammyTsai_0-1692356075680.png]

Is there any way to burn images to the device again after recovering tamper events?


I have attached my current U-Boot CSF file, zImage CSF file, and UUU script.

Please check the attachment to confirm if there are any wrong steps.

It would be appreciated if you could give me some suggestions to resolve this issue.

8 Replies

1,280 Views
TammyTsai
Contributor III

Hi @Harvey021 ,

I have an issue where I can't download the signed image to the custom board once the device is closed (no tamper occurs).

Solving this issue is the first priority.

For closed mode, should I refer to HABv4 closed chip support in the UUU user guide and perform the steps below?

  1. Add Authentication Block for DCD
  2. Clear DCD pointer
  3. Use the cleardcd option in UUU script


Best Regards,

Tammy


1,267 Views
Harvey021
NXP TechSupport

Hi

"For the i.MX devices supporting the skip DCD command (i.MX7D, i.MX6UL/ULL, i.MX8MQ and i.MX7ULP), there is no need to do any modification, UUU tool can download the binary directly".

You can give it a try. Be sure that your signed image is correct, e.g. that it works in an open device.


Best regards

Harvey


1,258 Views
TammyTsai
Contributor III

Hi @Harvey021 ,

My detailed procedure on i.MX6UL based custom board is as follows.

Check the SEC_CONFIG[1] fuse in the open device.

[attached screenshot: TammyTsai_2-1692946624426.png]

Here is the U-Boot message for the open device.

[attached screenshot: TammyTsai_3-1692946679205.png]

Verify HAB events.

[attached screenshot: TammyTsai_4-1692946915279.png]

The device successfully boots without generating any HAB events.

Check tamper status.

[attached screenshot: TammyTsai_5-1692946967004.png]

Check the SEC_CONFIG[1] fuse after closing the device.

[attached screenshot: TammyTsai_7-1692947146979.png]

Here is the U-Boot message for the closed device.

[attached screenshot: TammyTsai_9-1692947298329.png]

The device can work in closed mode, but the kernel prints some error messages, as shown below.

[attached screenshot: TammyTsai_11-1692947795127.png]

I can't download the same signed image to the custom board again when the device is closed.

What might cause the CAAM job ring error and the signed image download problem?

Please help me to resolve these problems.


Thanks & Regards,

Tammy


1,324 Views
ramprakash08
Contributor IV

Hi,

Yes, you are correct. The unlock SNVS ZMK WRITE command only needs to be added in the U-Boot CSF file. This command will allow the ZMK to be reconfigured.

Regards

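The original post's CSF fragment and ramprakash08's reply both come down to one check: a closed device that must reconfigure the ZMK needs an [Unlock] section with Engine = SNVS and Features = ZMK WRITE, placed after [Authenticate CSF] and before [Authenticate Data] in the U-Boot CSF. The following script is an added example, not code from the thread or from NXP's CST tool: it parses a CSF file into its ordered sections and reports whether the unlock command is present and correctly positioned, so the CSF can be linted before the image is signed. The sample CSF text, certificate file names, key indices and Blocks values are constructed placeholders, not values from the thread or from any real board.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample U-Boot CSF. Every file name, index and address below is a
# placeholder chosen for illustration, not a value from the thread.
SAMPLE_CSF_OK = """\
[Header]
Version = 4.2
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS

[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Unlock]
Engine = SNVS
Features = ZMK WRITE

[Install Key]
Verification index = 0
Target index = 2
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
Verification index = 2
Blocks = 0x877ff400 0x000 0x6e000 "u-boot-dtb.imx"
"""

UNLOCK_BLOCK = "[Unlock]\nEngine = SNVS\nFeatures = ZMK WRITE\n"

# Same CSF with the unlock command left out (the failure the thread describes).
SAMPLE_CSF_MISSING = SAMPLE_CSF_OK.replace(UNLOCK_BLOCK + "\n", "")

# Same CSF with the unlock command appended after [Authenticate Data],
# i.e. present but in the wrong position.
SAMPLE_CSF_MISPLACED = SAMPLE_CSF_MISSING + "\n" + UNLOCK_BLOCK

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")


def parse_csf(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split CSF text into an ordered list of (section name, {key: value}).

    Blank lines and '#' comments are skipped; a key/value line before any
    section header is an error.
    """
    sections: List[Tuple[str, Dict[str, str]]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {}
            sections.append((m.group(1), current))
            continue
        if not sections or "=" not in line:
            raise ValueError(f"key/value line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def check_zmk_unlock(text: str) -> dict:
    """Report whether an SNVS ZMK WRITE unlock exists and sits between
    [Authenticate CSF] and [Authenticate Data]."""
    sections = parse_csf(text)
    names = [name for name, _ in sections]
    report = {"has_unlock": False, "in_order": False, "problems": []}

    if "Authenticate CSF" not in names or "Authenticate Data" not in names:
        report["problems"].append("missing [Authenticate CSF] or [Authenticate Data]")
        return report
    auth_csf = names.index("Authenticate CSF")
    auth_data = names.index("Authenticate Data")

    for idx, (name, kv) in enumerate(sections):
        if name != "Unlock":
            continue
        # Features may be a comma-separated list, e.g. "ZMK WRITE, LP SWR".
        features = [f.strip() for f in kv.get("Features", "").split(",")]
        if kv.get("Engine") == "SNVS" and "ZMK WRITE" in features:
            report["has_unlock"] = True
            if auth_csf < idx < auth_data:
                report["in_order"] = True
            else:
                report["problems"].append(
                    "[Unlock] SNVS ZMK WRITE must follow [Authenticate CSF] "
                    "and precede [Authenticate Data]")
    if not report["has_unlock"]:
        report["problems"].append(
            "no [Unlock] section with Engine = SNVS and Features = ZMK WRITE")
    return report


if __name__ == "__main__":
    for label, csf in (("ok", SAMPLE_CSF_OK), ("missing", SAMPLE_CSF_MISSING),
                       ("misplaced", SAMPLE_CSF_MISPLACED)):
        print(label, check_zmk_unlock(csf))
```

Run it against the real CSF (`check_zmk_unlock(open("csf_uboot.txt").read())`) before signing; a report with `in_order` false is the case where HAB will still authenticate the image but the ZMK remains write-locked on the closed part.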

1,362 Views
TammyTsai
Contributor III

Hi @Harvey021 ,

Does the unlock SNVS ZMK WRITE command only need to be added in the U-Boot CSF file?

You mean that I should execute "uuu -d uuu_nand.auto" command, right?



1,340 Views
Harvey021
NXP TechSupport

Yes, there should be no need for the kernel CSF.

If UUU burning on a closed device has an SDP problem, you can try -d.


Best regards

Harvey


1,334 Views
TammyTsai
Contributor III

Hi @Harvey021 ,

UUU still fails to burn the U-Boot image on the closed device.

[attached screenshot: TammyTsai_0-1692692423693.png]

The closed device is unable to download an image in either internal boot mode or serial downloader mode.

Can images be burned to the closed device again after it has been tampered with?


Best Regards,

Tammy


1,368 Views
Harvey021
NXP TechSupport

Hi @TammyTsai 

Try to reconfigure the ZMK and put the unlock command in the first CSF.

Try the -d parameter to burn the image with UUU.


Best regards

Harvey
