- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
Is it possible to check secure boot and then safely return to normal operation on iMX8MP?
I'm trying to implement secure boot on iMX8MP EVK by following the "I.MX8MM Secure Boot using High Assurance Boot v4" (https://wiki.amarulasolutions.com/uboot/secure_boot/imx8mm_habv4.html) instructions and making the necessary adjustments, since I didn't find any other documentation relate to iMX8MP's secure boot process.
During this process I saw that the eFuses must be programmed with SRK hash. Is it possible to make both check secure boot and then safely return to normal operation? Will I need to reprogrammed the eFuses? Is it even possible?
Thank you in advance.
Don't quite catch your question. However, The SRK Hash should be programmed in the SoC SRK_HASH[255:0] fuses, which is the basis for the root of trust.
About documents, you can refer to uboot-imx/doc/imx/habv4/introduction_habv4.txt at lf_v2023.04 · nxp-imx/uboot-imx · GitHub and AN4581 (i.MX Secure Boot on HABv4 Supported Devices (nxp.com)) and i.MX 8MPlus(865) HAB (High Assurance Boot) - NXP Community
Regards
Harvey
Thank you Harvey for your quick response.
I read the documents you sent me and I found my answer - If the device is open I can use it for both secure boot and non secure boot. However, I run into another issue:
I followed the steps for making a secure boot image, flashed it into an SD card and boot the device. I entered the u-boot cli to check for "HAB events" using the hab_status command and saw no events. However, when I'm trying to manually authenticate the SPL/FIT Images using the hab_auth_img command I do get "HAB Events" (see attached file "hab_auth_img-spl.txt" and "hab_auth_img-fit.txt").
- How can I verify that the authentication ended successfully? I'm asking that because when the SoC SRK_HASH[255:0] fuses weren't programmed, I didn't get "HAB Event" in hab_status. However, It is still the case after I programmed them. Also, I have no logs from the SPL authentication by the BOOT-ROM - Can I trust the "No HAB Events Found" message in hab_status when entering u-boot cli during boot?
- I understood that I can't authenticate the FIT image using hab_auth_img command since it has multiple line in its .csf file. Can I authenticate them one by one (u-boot-nodtb.bin, u-boot.dtb & bl31.bin) using the fit.csf file?
FYI - I'm trying to do this because I want to have a secure boot on a common setup and to better understand the whole process before I'm going to implement it in Falcon mode, because this is my next step.
Thank you in advance,
Nitzan.
