FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Is it possible to check secure boot and then safely return to normal operation on iMX8MP?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is it possible to check secure boot and then safely return to normal operation on iMX8MP?

‎01-25-2024 04:58 AM
2,844 Views
nitzant
Contributor I

I'm trying to implement secure boot on iMX8MP EVK by following the "I.MX8MM Secure Boot using High Assurance Boot v4" (https://wiki.amarulasolutions.com/uboot/secure_boot/imx8mm_habv4.html) instructions and making the necessary adjustments, since I didn't find any other documentation relate to iMX8MP's secure boot process.

During this process I saw that the eFuses must be programmed with SRK hash. Is it possible to make both check secure boot and then safely return to normal operation? Will I need to reprogrammed the eFuses? Is it even possible?

 

Thank you in advance.

0 Kudos
Reply
2 Replies

‎01-30-2024 12:08 AM
2,786 Views
Harvey021
NXP TechSupport
NXP TechSupport

Don't quite catch your question. However, The SRK Hash should be programmed in the SoC SRK_HASH[255:0] fuses, which is the basis for the root of trust.

About documents, you can refer to uboot-imx/doc/imx/habv4/introduction_habv4.txt at lf_v2023.04 · nxp-imx/uboot-imx · GitHub and AN4581 (i.MX Secure Boot on HABv4 Supported Devices (nxp.com)) and i.MX 8MPlus(865) HAB (High Assurance Boot) - NXP Community 

 

Regards

Harvey

0 Kudos
Reply

‎02-08-2024 08:57 AM
2,754 Views
nitzant
Contributor I

Thank you Harvey for your quick response.

I read the documents you sent me and I found my answer - If the device is open I can use it for both secure boot and non secure boot. However, I run into another issue:

I followed the steps for making a secure boot image, flashed it into an SD card and boot the device. I entered the u-boot cli to check for "HAB events" using the hab_status command and saw no events. However, when I'm trying to manually authenticate the SPL/FIT Images using the hab_auth_img command I do get "HAB Events" (see attached file "hab_auth_img-spl.txt" and "hab_auth_img-fit.txt").

 

  1. How can I verify that the authentication ended successfully? I'm asking that because when the SoC SRK_HASH[255:0] fuses weren't programmed, I didn't get "HAB Event" in hab_status. However, It is still the case after I programmed them. Also, I have no logs from the SPL authentication by the BOOT-ROM - Can I trust the "No HAB Events Found" message in hab_status when entering u-boot cli during boot?
  2. I understood that I can't authenticate the FIT image using hab_auth_img command since it has multiple line in its .csf file. Can I authenticate them one by one (u-boot-nodtb.bin, u-boot.dtb & bl31.bin) using the fit.csf file?

 

FYI - I'm trying to do this because I want to have a secure boot on a common setup and to better understand the whole process before I'm going to implement it in Falcon mode, because this is my next step.

 

Thank you in advance,

Nitzan.

Preview file
5 KB
Preview file
2 KB
Preview file
3 KB
Preview file
3 KB
0 Kudos
Reply