I'm trying to implement secure boot on the iMX8MP EVK by following the "I.MX8MM Secure Boot using High Assurance Boot v4" (https://wiki.amarulasolutions.com/uboot/secure_boot/imx8mm_habv4.html) instructions and making the necessary adjustments, since I didn't find any other documentation related to the iMX8MP's secure boot process.
During this process I saw that the eFuses must be programmed with the SRK hash. Is it possible to both check secure boot and then safely return to normal operation? Will I need to reprogram the eFuses? Is it even possible?
Thank you in advance.
Don't quite catch your question. However, the SRK Hash should be programmed in the SoC SRK_HASH[255:0] fuses, which is the basis for the root of trust.
About documents, you can refer to uboot-imx/doc/imx/habv4/introduction_habv4.txt (at lf_v2023.04, nxp-imx/uboot-imx on GitHub), AN4581 (i.MX Secure Boot on HABv4 Supported Devices, nxp.com) and "i.MX 8MPlus(865) HAB (High Assurance Boot)" on the NXP Community.
Regards
Harvey
Thank you Harvey for your quick response.
I read the documents you sent me and I found my answer - if the device is open, I can use it for both secure boot and non-secure boot. However, I ran into another issue:
I followed the steps for making a secure boot image, flashed it onto an SD card and booted the device. I entered the U-Boot CLI to check for "HAB events" using the hab_status command and saw no events. However, when I try to manually authenticate the SPL/FIT images using the hab_auth_img command, I do get "HAB Events" (see attached files "hab_auth_img-spl.txt" and "hab_auth_img-fit.txt").
FYI - I'm trying to do this because I want to have secure boot on a common setup and to better understand the whole process before I implement it in Falcon mode, because this is my next step.
Thank you in advance,
Nitzan.