- NXP Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- Vigiles
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- List of released/approved iMX8 seco binaries with verification hashes.
List of released/approved iMX8 seco binaries with verification hashes.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Different vendors (non NXP) provide seco binaries for the crypto processors. There are some in the Yocto projects for instance. For instance, a Zeus download gives me the following md5sum values.
cf8d6bbf93f0aa6e1049f1098a0f7e0f imx-seco-2.3.1.bin
57435cb051578d74336cad29dc9558d9 mx8qm-ahab-container.img
a376fe9d7782157f7a7f0fce734a23c4 mx8qx-ahab-container.img
But I end up with a 'C0' silicon version from the SOM vendor. mx8qxc0-ahab-container.img
ac6a3582d8d5f1ba9d4a5adb905717d8 mx8qxc0-ahab-container.img
The seco yocto package is 'imx-seco-2.3.1'; but is there some NXP resource to get the canonical binaries from an explanation of the silicon supported. I think the u-boot, yocto releases are synthetic and only a few actual releases exist. Or is there actual different code functionality built-in.
Some product require pedigree documentation of all software placed on a device. I appreciate NXP's proprietary information, but the lack of traceability for a secure processor code seems like many customers might expect this information.
My apologies if I missed it somewhere.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
buildroot supplies a list of seco releases.
https://sources.buildroot.net/imx-seco/
I retreived these releases and the NXP variants.
buildroot $ find . -name mx8qxc0-ahab-container.img -exec md5sum {} \;
79ca77713fabab91cbd7cf882a85ffae ./imx-seco-5.9.0/firmware/seco/mx8qxc0-ahab-container.img
8af873ea140d65807570e83f364968cf ./imx-seco-3.7.5/firmware/seco/mx8qxc0-ahab-container.img
687f766ef0f8ab600cac57781e2230cf ./imx-seco-3.7.4/firmware/seco/mx8qxc0-ahab-container.img
ac6a3582d8d5f1ba9d4a5adb905717d8 ./imx-seco-3.6.3/firmware/seco/mx8qxc0-ahab-container.img
a87c9aa721ace85e541ffff078eb4f11 ./imx-seco-3.7.1/firmware/seco/mx8qxc0-ahab-container.imgbuildroot $ $ find . -name mx8qxc0-ahab-container.img -exec sha1sum {} \;
1d3aca86492d181fb0be54b15409dda6322283cc ./imx-seco-5.9.0/firmware/seco/mx8qxc0-ahab-container.img
eca46b8a66dc8dc639dcd3c69520e009c935cd38 ./imx-seco-3.7.5/firmware/seco/mx8qxc0-ahab-container.img
55664fc8ea86eb6f6ce91152e23cb4a3be963f48 ./imx-seco-3.7.4/firmware/seco/mx8qxc0-ahab-container.img
53739a10dbc6e26654072fd1566c97850781df67 ./imx-seco-3.6.3/firmware/seco/mx8qxc0-ahab-container.img
dd234776daf8244ea43639fd89f582eee9fc750a ./imx-seco-3.7.1/firmware/seco/mx8qxc0-ahab-container.img
For the NXP, they are the same. Also, my SOM vendor was using the 3.6.3 version. The 2.3.1 does not contain the C0 silicon for QX versions.
I just verified that the primary packages are the same as buildroot.
$ for i in *.bin; do wget https://www.nxp.com/lgfiles/NMG/MAD/YOCTO/$i; done;
Also, this post indicate NDA only fips release 4.8.0.
https://community.nxp.com/t5/i-MX-Processors/Location-of-FIPS-140-SECO-firmware-version/td-p/1744976
Also the Yocto hashes do not agree as they are over different input sources (I also know I used SHA-160; but still the inputs sources are different).
I didn't take the time to figure out what Yocto is applying the hashes to. Definitely not the input to imx-mkimage.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
buildroot supplies a list of seco releases.
https://sources.buildroot.net/imx-seco/
I retreived these releases and the NXP variants.
buildroot $ find . -name mx8qxc0-ahab-container.img -exec md5sum {} \;
79ca77713fabab91cbd7cf882a85ffae ./imx-seco-5.9.0/firmware/seco/mx8qxc0-ahab-container.img
8af873ea140d65807570e83f364968cf ./imx-seco-3.7.5/firmware/seco/mx8qxc0-ahab-container.img
687f766ef0f8ab600cac57781e2230cf ./imx-seco-3.7.4/firmware/seco/mx8qxc0-ahab-container.img
ac6a3582d8d5f1ba9d4a5adb905717d8 ./imx-seco-3.6.3/firmware/seco/mx8qxc0-ahab-container.img
a87c9aa721ace85e541ffff078eb4f11 ./imx-seco-3.7.1/firmware/seco/mx8qxc0-ahab-container.imgbuildroot $ $ find . -name mx8qxc0-ahab-container.img -exec sha1sum {} \;
1d3aca86492d181fb0be54b15409dda6322283cc ./imx-seco-5.9.0/firmware/seco/mx8qxc0-ahab-container.img
eca46b8a66dc8dc639dcd3c69520e009c935cd38 ./imx-seco-3.7.5/firmware/seco/mx8qxc0-ahab-container.img
55664fc8ea86eb6f6ce91152e23cb4a3be963f48 ./imx-seco-3.7.4/firmware/seco/mx8qxc0-ahab-container.img
53739a10dbc6e26654072fd1566c97850781df67 ./imx-seco-3.6.3/firmware/seco/mx8qxc0-ahab-container.img
dd234776daf8244ea43639fd89f582eee9fc750a ./imx-seco-3.7.1/firmware/seco/mx8qxc0-ahab-container.img
For the NXP, they are the same. Also, my SOM vendor was using the 3.6.3 version. The 2.3.1 does not contain the C0 silicon for QX versions.
I just verified that the primary packages are the same as buildroot.
$ for i in *.bin; do wget https://www.nxp.com/lgfiles/NMG/MAD/YOCTO/$i; done;
Also, this post indicate NDA only fips release 4.8.0.
https://community.nxp.com/t5/i-MX-Processors/Location-of-FIPS-140-SECO-firmware-version/td-p/1744976
Also the Yocto hashes do not agree as they are over different input sources (I also know I used SHA-160; but still the inputs sources are different).
I didn't take the time to figure out what Yocto is applying the hashes to. Definitely not the input to imx-mkimage.
Harvey021
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I know so far, there should not have such a list with verification hashes as expected. Generally, you can refer to each Linux release note (https://www.nxp.com/docs/en/release-note/IMX_LINUX_RELEASE_NOTES.pdf), and SCR (meta-imx/SCR-6.1.22-2.0.0.txt at mickledore-6.1.22-2.0.0 · nxp-imx/meta-imx · GitHub) and SECO_FW_release_note.pdf (from the download firmware). furthermore, check the recipe to verify the hash values.
Regards
Harvey
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, the Yocto is the channel for releases?
Thanks, I will look at this info.
This question looks related. https://community.nxp.com/t5/i-MX-Processors/Which-SECO-firmware-version-to-be-used-with-5-15-52-2-1...
