IMX6 secure boot has failed after SRK_HASH reprogramming

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IMX6 secure boot has failed after SRK_HASH reprogramming

Jump to solution
1,617 Views
hamedhpm
Contributor II

Hi,

I have tested secure boot and encrypted boot on IMX6Q. They were working fine.

The SRK_HASH(bank 3, word 0 up-to 7) and SEC_CONFIG(bank 0, word6) have programmed. (SEC_CONFIG = 1)

After some days, I have programmed a new value into bank 3 word 5. It was OK, and the past value remained.

But, when I shout down the system, it wasn't booted from EMMC or SD card. 

 

U-boot commands:

------------------------------------------------------------------------------------------------

=> fuse prog -y 3 5 0x0f405eff
Programming bank 3 word 0x00000005 to 0x0f405eff...
=> fuse read 3 5 1
Reading bank 3:

Word 0x00000005: 0f405efd

------------------------------------------------------------------------------------------------

 

So we can change the SRK burned fuse value, right? 

I can't understand the role of SRK_LOCK. 

 

Best regards

Labels (1)
0 Kudos
Reply
1 Solution
1,580 Views
Yuri
NXP Employee
NXP Employee

@hamedhpm 
Hello,
  
     Please look at my comments.

 1. 
    i.MX6 fuses can be burned once. I mean it is not possible to clear the fuses.

2.
   Even if  some bits can be additional programmed ( 0 ->1 ), let me remind -
the SRK fuses contain hash of all SRKs, but not the SRK themselves.

3.
   if SRK was modified, the image (keys) should be signed again.

 

Regards,
Yuri.

View solution in original post

0 Kudos
Reply
5 Replies
1,581 Views
Yuri
NXP Employee
NXP Employee

@hamedhpm 
Hello,
  
     Please look at my comments.

 1. 
    i.MX6 fuses can be burned once. I mean it is not possible to clear the fuses.

2.
   Even if  some bits can be additional programmed ( 0 ->1 ), let me remind -
the SRK fuses contain hash of all SRKs, but not the SRK themselves.

3.
   if SRK was modified, the image (keys) should be signed again.

 

Regards,
Yuri.

0 Kudos
Reply
1,576 Views
hamedhpm
Contributor II

Thanks for your reply.

Is there any solution for booting? Such as hard reset.

0 Kudos
Reply
1,542 Views
Yuri
NXP Employee
NXP Employee

@hamedhpm 
Hello,

   You can try to revoke the key.
Use Appendix B (SRK revocation on i.MX 6 & 7 series) of app note AN4581
(
i.MX Secure Boot on HABv4 Supported Devices) for more details.

https://www.nxp.com/webapp/Download?colCode=AN4581

 

Regards,
Yuri.

0 Kudos
Reply
1,517 Views
hamedhpm
Contributor II

Hello,

I have tried revoking the key. It was not useful for me.

Is the processor has bricked? 

Is there any solution for a hard reset? 

1,503 Views
Yuri
NXP Employee
NXP Employee

@hamedhpm 
Hello,

   I am afraid, the revoking is the only solution

Regards,
Yuri.

0 Kudos
Reply