Is fuse can be programmed multiple time in imx93 before close the hardware?

vikki · ‎06-26-2024

Hi,

I am new to crypto and secure booting. I am trying secure booting in imx93. My question is, Is fusing the hardware can be done multiple times until I close the hardware (before using ahab_close tool in uboot to close the hardware)?

If not, In development stage how can I verify that current Image is following secure boot till development reaching to production level? Is there any other method is available to validate secure boot without fusing ? I have followed doc/imx/ahab/guides (nxp uboot) for imx93.

JorgeCas · ‎06-26-2024

Hello,

Once a fuse is burned, it is NOT possible to change it.

During development, users should check the events before the device is closed. Once an image is signed with a signature that does not generate events during loading, the signed image should be able to boot on a closed device without issues. This should be the goal for development, since trying to debug on a closed platform requires the use of JTAG or the USB serial download protocol to acquire the event debug information.

You can take a look on the next application notes for more information:

Secure Boot on AHAB Supported Devices

Edgelock Secure Enclave (ELE) API Reference Guide

i.MX Encrypted Boot on AHAB-Enabled Devices

Best regards.

vikki · ‎07-27-2024

thanks for the reply.

I have manually signed image as mentioned in u-boot/doc/imx/ahab but without programming the fuse. Currently i am getting following event [single boot image without m33 container]

u-boot=> ahab_status
Lifecycle: 0x00000008, OEM Open

0x0287fad6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_BAD_KEY_HASH_FAILURE_IND (0xFA)
STA = ELE_SUCCESS_IND (0xD6)

0x0287fad6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_BAD_KEY_HASH_FAILURE_IND (0xFA)
STA = ELE_SUCCESS_IND (0xD6)
u-boot=>

It looks like event due to missing HASH fuse programming. And hope It will disappear if i program fuses (which i will not do now). Is my understanding is correct? please correct me if i am wrong
note:
before signing the error was "ELE_NO_AUTHENTICATION_FAILURE_IND (0xEE)"

oliben

Hello @vikki ,

I think that, although @JorgeCas's answer is correct, it is missing some information that would have been helpful to me, and I assume, to you as well.
I signed my AHAB container following this guide and deployed it to my SoM using uuu, and got the same output out of ahab_status:

> ahab_status
Lifecycle: 0x00000008, OEM Open


0x0287fad6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_BAD_KEY_HASH_FAILURE_IND (0xFA)
STA = ELE_SUCCESS_IND (0xD6)

0x0287fad6
IPC = MU APD (0x2)
CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)
IND = ELE_BAD_KEY_HASH_FAILURE_IND (0xFA)
STA = ELE_SUCCESS_IND (0xD6)

I believe that your interpretation of the ELE_BAD_KEY_HASH_FAILURE_IND is correct: the ELE cannot confirm that the Key hash is correct, because the SRKs's SHA256 hash has not been flashed to the fuses yet.

I went on to flash the fuses using nxpele and the .bcf script generated by nxpimage.

((.venv) )$ nxpele -p /dev/ttyUSB0 \
                   -d uboot_serial \
                   -f mimx9352 \
                   -t 1 \
                   -v \
                   batch ahab_output/ahab_oem0_srk0_hash_nxpele.bcf

Once this was done, booting the very same AHAB container as previously shows no events:

> ahab_status
 Lifecycle: 0x00000008, OEM Open


         No Events Found!
>

So I think the following sentence is very slightly incorrect:

If you are getting HAB events before close the device, something was wrong in your process

The correct version would, in my opinion, be:

If you are getting HAB events before close the device, after flashing the fuses something was wrong in your process

JorgeCas · ‎08-26-2024

Hello,

If you are getting HAB events before close the device, something was wrong in your process. The device should be closed once you are able to boot without any HAB event.

Please check if you missed something.

Best regards.