- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Linux app/lib/script that checks CSF signature
Linux app/lib/script that checks CSF signature
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Linux app/lib/script that checks CSF signature
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To do a firmware upgrade, I would like to verify the CSF signature in user space prior to installing the new firmware. It seems a user space app can read the SRK fuses and duplicate the signing algorithm using OpenSSL. Is there an app/lib/script already available that does this? If not, what is the algorithm the CST tool uses for creating the CSF signature? One could also use this to test the cst tool itself without using the iMX platform.
b36401
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please refer chapter 1.7 OCOTP_CTRL of Security Reference Manual for i.MX 6 Families of Applications Processors regarding to fuses scan protection.
Have a great day,
Victor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure what you mean, but it seems you are implying that the SRK hash cannot be read from user space as you are referring to the fuses scan protection and not the availability of a user space app/lib/script that can check the CSF signature. I am evaluating the SabreSD i.MX6SX platform and I can run the following commands to read from the eFuse shadow cache:
root@imx6sxgen4:/sys/fsl_otp# cat HW_OCOTP_SRK0
0x0
root@imx6sxgen4:/sys/fsl_otp# cat HW_OCOTP_LOCK
0x20820002
From the Security doc it does mention "Scan protection", but this seems to be from the perspective of JTAG scanning. Some fuses are (and should be) read protected such as HW_OCOTP_OTPMK0 (master key):
root@imx6sxgen4:/sys/fsl_otp# cat HW_OCOTP_OTPMK0
0xbadabada
But the SRK hash is not something that needs to be confidential so I would expect it to be readable. The reference manual (6/2016) seems to support this from section 44.5.25 Shadow Register form OTP Bank3 Word0 (SRK Hash) (OCOTP_SRK0):
Shadow register for the hash of the Super Root Key word0 (Copy of OTP Bank 3, word 0 (ADDR =0x1C)). These bits become read-only after the HW_OCOTP_LOCK_SRK bit is set.
So it seems it is still readable even when the SRK is locked (as expected). Granted, the device does not have the SEC_CONFIG bit set so I’m not sure if the behavior of reading the SRK shadow registers using sysfs changes under these conditions. Are you saying that HW_OCOTP_SRK0..7 cannot be read, or more specifically cannot be read after SEC_CONFIG bit is set? If yes, why?
