FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

IMX6 secure boot has failed after SRK_HASH reprogramming

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

IMX6 secure boot has failed after SRK_HASH reprogramming

Jump to solution
‎09-12-2021 11:13 PM
1,138 Views
hamedhpm
Contributor II

Hi,

I have tested secure boot and encrypted boot on IMX6Q. They were working fine.

The SRK_HASH(bank 3, word 0 up-to 7) and SEC_CONFIG(bank 0, word6) have programmed. (SEC_CONFIG = 1)

After some days, I have programmed a new value into bank 3 word 5. It was OK, and the past value remained.

But, when I shout down the system, it wasn't booted from EMMC or SD card. 

 

U-boot commands:

------------------------------------------------------------------------------------------------

=> fuse prog -y 3 5 0x0f405eff
Programming bank 3 word 0x00000005 to 0x0f405eff...
=> fuse read 3 5 1
Reading bank 3:

Word 0x00000005: 0f405efd

------------------------------------------------------------------------------------------------

 

So we can change the SRK burned fuse value, right? 

I can't understand the role of SRK_LOCK. 

 

Best regards

Labels (1)
Labels
0 Kudos
Reply
1 Solution

Jump to solution
‎09-13-2021 12:39 AM
1,101 Views
Yuri
NXP Employee
NXP Employee

@hamedhpm 
Hello,
  
     Please look at my comments.

 1. 
    i.MX6 fuses can be burned once. I mean it is not possible to clear the fuses.

2.
   Even if  some bits can be additional programmed ( 0 ->1 ), let me remind -
the SRK fuses contain hash of all SRKs, but not the SRK themselves.

3.
   if SRK was modified, the image (keys) should be signed again.

 

Regards,
Yuri.

View solution in original post

0 Kudos
Reply
5 Replies

Jump to solution
‎09-13-2021 12:39 AM
1,102 Views
Yuri
NXP Employee
NXP Employee

@hamedhpm 
Hello,
  
     Please look at my comments.

 1. 
    i.MX6 fuses can be burned once. I mean it is not possible to clear the fuses.

2.
   Even if  some bits can be additional programmed ( 0 ->1 ), let me remind -
the SRK fuses contain hash of all SRKs, but not the SRK themselves.

3.
   if SRK was modified, the image (keys) should be signed again.

 

Regards,
Yuri.

0 Kudos
Reply

Jump to solution
‎09-13-2021 01:14 AM
1,097 Views
hamedhpm
Contributor II

Thanks for your reply.

Is there any solution for booting? Such as hard reset.

0 Kudos
Reply

Jump to solution
‎09-13-2021 10:09 PM
1,063 Views
Yuri
NXP Employee
NXP Employee

@hamedhpm 
Hello,

   You can try to revoke the key.
Use Appendix B (SRK revocation on i.MX 6 & 7 series) of app note AN4581
(i.MX Secure Boot on HABv4 Supported Devices) for more details.

https://www.nxp.com/webapp/Download?colCode=AN4581

 

Regards,
Yuri.

0 Kudos
Reply

Jump to solution
‎09-26-2021 12:49 AM
1,038 Views
hamedhpm
Contributor II

Hello,

I have tried revoking the key. It was not useful for me.

Is the processor has bricked? 

Is there any solution for a hard reset? 

Reply

Jump to solution
‎09-26-2021 08:56 PM
1,024 Views
Yuri
NXP Employee
NXP Employee

@hamedhpm 
Hello,

   I am afraid, the revoking is the only solution

Regards,
Yuri.

0 Kudos
Reply