Is it possible to check secure boot and then safely return to normal operation on iMX8MP?

nitzant
Contributor I

I'm trying to implement secure boot on iMX8MP EVK by following the "I.MX8MM Secure Boot using High Assurance Boot v4" (https://wiki.amarulasolutions.com/uboot/secure_boot/imx8mm_habv4.html) instructions and making the necessary adjustments, since I didn't find any other documentation related to iMX8MP's secure boot process.

During this process I saw that the eFuses must be programmed with the SRK hash. Is it possible to both check secure boot and then safely return to normal operation? Will I need to reprogram the eFuses? Is it even possible?

 

Thank you in advance.

Harvey021
NXP TechSupport

Don't quite catch your question. However, the SRK Hash should be programmed in the SoC SRK_HASH[255:0] fuses, which is the basis for the root of trust.

About documents, you can refer to uboot-imx/doc/imx/habv4/introduction_habv4.txt at lf_v2023.04 · nxp-imx/uboot-imx · GitHub and AN4581 (i.MX Secure Boot on HABv4 Supported Devices (nxp.com)) and i.MX 8MPlus(865) HAB (High Assurance Boot) - NXP Community 

 

Regards

Harvey

nitzant
Contributor I

Thank you Harvey for your quick response.

I read the documents you sent me and I found my answer - if the device is open I can use it for both secure boot and non-secure boot. However, I ran into another issue:

I followed the steps for making a secure boot image, flashed it onto an SD card and booted the device. I entered the u-boot cli to check for "HAB events" using the hab_status command and saw no events. However, when I try to manually authenticate the SPL/FIT images using the hab_auth_img command I do get "HAB Events" (see attached files "hab_auth_img-spl.txt" and "hab_auth_img-fit.txt").

 

  1. How can I verify that the authentication ended successfully? I'm asking that because when the SoC SRK_HASH[255:0] fuses weren't programmed, I didn't get "HAB Event" in hab_status. However, it is still the case after I programmed them. Also, I have no logs from the SPL authentication by the BOOT-ROM - can I trust the "No HAB Events Found" message in hab_status when entering u-boot cli during boot?
  2. I understood that I can't authenticate the FIT image using the hab_auth_img command since it has multiple lines in its .csf file. Can I authenticate them one by one (u-boot-nodtb.bin, u-boot.dtb & bl31.bin) using the fit.csf file?

 

FYI - I'm trying to do this because I want to have a secure boot on a common setup and to better understand the whole process before I'm going to implement it in Falcon mode, because this is my next step.

 

Thank you in advance,

Nitzan.

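One way to check a captured `hab_status` console log mechanically, as an added example that is not part of the original thread or NXP's code: it reads the HAB configuration and state line as well as the event list, and rejects a capture that has neither events nor the no-events message. The sample captures are constructed in the format U-Boot's `hab_status` prints, and the function names are hypothetical.

```python
import re

# Constructed captures in the format U-Boot's hab_status prints
# (these are NOT the attachments mentioned in the thread).
HEADER = "\nSecure boot disabled\n\nHAB Configuration: 0xf0, HAB State: 0x66\n"
CLEAN = HEADER + "\nNo HAB Events Found!\n"
WITH_EVENT = HEADER + """
--------- HAB Event 1 -----------------
event data:
        0xdb 0x00 0x08 0x43 0x33 0x11 0xcf 0x00

STS = HAB_FAILURE (0x33)
RSN = HAB_INV_CSF (0x11)
CTX = HAB_CTX_COMMAND (0xCF)
ENG = HAB_ENG_ANY (0x00)
"""

HAB_CONFIG = {0xF0: "open", 0xCC: "closed"}  # HAB configuration byte

def parse_hab_status(text):
    """Return config, state and decoded events from a hab_status capture."""
    m = re.search(r"HAB Configuration:\s*0x([0-9a-fA-F]+),"
                  r"\s*HAB State:\s*0x([0-9a-fA-F]+)", text)
    if not m:
        raise ValueError("no HAB Configuration/State line in capture")
    # Each event starts at a "HAB Event N" banner; keep its KEY = NAME lines.
    events = [dict(re.findall(r"^(STS|RSN|CTX|ENG) = (\w+)", block, re.M))
              for block in re.split(r"-+ HAB Event \d+ -+", text)[1:]]
    clean_line = "No HAB Events Found!" in text
    if clean_line and events:
        raise ValueError("capture mixes events with the no-events message")
    if not clean_line and not events:
        raise ValueError("truncated capture: no events and no no-events message")
    config = int(m.group(1), 16)
    return {"config": HAB_CONFIG.get(config, hex(config)),
            "state": int(m.group(2), 16),
            "events": events}

def summarize(text):
    """One-line verdict: device configuration, event count, failure reasons."""
    r = parse_hab_status(text)
    reasons = sorted({e.get("RSN", "?") for e in r["events"]})
    line = f'{r["config"]} device, {len(r["events"])} event(s)'
    return line + (": " + ", ".join(reasons) if reasons else "")

if __name__ == "__main__":
    print(summarize(CLEAN))
    print(summarize(WITH_EVENT))
```

Run it on the serial-console capture of `hab_status` taken right after boot and again after each `hab_auth_img` call, so the two results can be compared.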