- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Is it possible to check secure boot and then safely return to normal operation on iMX8MP?
Is it possible to check secure boot and then safely return to normal operation on iMX8MP?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Is it possible to check secure boot and then safely return to normal operation on iMX8MP?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to implement secure boot on iMX8MP EVK by following the "I.MX8MM Secure Boot using High Assurance Boot v4" (https://wiki.amarulasolutions.com/uboot/secure_boot/imx8mm_habv4.html) instructions and making the necessary adjustments, since I didn't find any other documentation relate to iMX8MP's secure boot process.
During this process I saw that the eFuses must be programmed with SRK hash. Is it possible to make both check secure boot and then safely return to normal operation? Will I need to reprogrammed the eFuses? Is it even possible?
Thank you in advance.
Harvey021
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't quite catch your question. However, The SRK Hash should be programmed in the SoC SRK_HASH[255:0] fuses, which is the basis for the root of trust.
About documents, you can refer to uboot-imx/doc/imx/habv4/introduction_habv4.txt at lf_v2023.04 · nxp-imx/uboot-imx · GitHub and AN4581 (i.MX Secure Boot on HABv4 Supported Devices (nxp.com)) and i.MX 8MPlus(865) HAB (High Assurance Boot) - NXP Community
Regards
Harvey
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Harvey for your quick response.
I read the documents you sent me and I found my answer - If the device is open I can use it for both secure boot and non secure boot. However, I run into another issue:
I followed the steps for making a secure boot image, flashed it into an SD card and boot the device. I entered the u-boot cli to check for "HAB events" using the hab_status command and saw no events. However, when I'm trying to manually authenticate the SPL/FIT Images using the hab_auth_img command I do get "HAB Events" (see attached file "hab_auth_img-spl.txt" and "hab_auth_img-fit.txt").
- How can I verify that the authentication ended successfully? I'm asking that because when the SoC SRK_HASH[255:0] fuses weren't programmed, I didn't get "HAB Event" in hab_status. However, It is still the case after I programmed them. Also, I have no logs from the SPL authentication by the BOOT-ROM - Can I trust the "No HAB Events Found" message in hab_status when entering u-boot cli during boot?
- I understood that I can't authenticate the FIT image using hab_auth_img command since it has multiple line in its .csf file. Can I authenticate them one by one (u-boot-nodtb.bin, u-boot.dtb & bl31.bin) using the fit.csf file?
FYI - I'm trying to do this because I want to have a secure boot on a common setup and to better understand the whole process before I'm going to implement it in Falcon mode, because this is my next step.
Thank you in advance,
Nitzan.
