List of released/approved iMX8 seco binaries with verification hashes.

bill_pringlemeir · ‎01-24-2024

Different vendors (non NXP) provide seco binaries for the crypto processors. There are some in the Yocto projects for instance. For instance, a Zeus download gives me the following md5sum values.

cf8d6bbf93f0aa6e1049f1098a0f7e0f imx-seco-2.3.1.bin

57435cb051578d74336cad29dc9558d9 mx8qm-ahab-container.img
a376fe9d7782157f7a7f0fce734a23c4 mx8qx-ahab-container.img

But I end up with a 'C0' silicon version from the SOM vendor. mx8qxc0-ahab-container.img

ac6a3582d8d5f1ba9d4a5adb905717d8 mx8qxc0-ahab-container.img

The seco yocto package is 'imx-seco-2.3.1'; but is there some NXP resource to get the canonical binaries from an explanation of the silicon supported. I think the u-boot, yocto releases are synthetic and only a few actual releases exist. Or is there actual different code functionality built-in.

Some product require pedigree documentation of all software placed on a device. I appreciate NXP's proprietary information, but the lack of traceability for a secure processor code seems like many customers might expect this information.

My apologies if I missed it somewhere.

bill_pringlemeir · ‎01-25-2024

buildroot supplies a list of seco releases.

https://sources.buildroot.net/imx-seco/

I retreived these releases and the NXP variants.

buildroot $ find . -name mx8qxc0-ahab-container.img -exec md5sum {} \;
79ca77713fabab91cbd7cf882a85ffae ./imx-seco-5.9.0/firmware/seco/mx8qxc0-ahab-container.img
8af873ea140d65807570e83f364968cf ./imx-seco-3.7.5/firmware/seco/mx8qxc0-ahab-container.img
687f766ef0f8ab600cac57781e2230cf ./imx-seco-3.7.4/firmware/seco/mx8qxc0-ahab-container.img
ac6a3582d8d5f1ba9d4a5adb905717d8 ./imx-seco-3.6.3/firmware/seco/mx8qxc0-ahab-container.img
a87c9aa721ace85e541ffff078eb4f11 ./imx-seco-3.7.1/firmware/seco/mx8qxc0-ahab-container.img
buildroot $ $ find . -name mx8qxc0-ahab-container.img -exec sha1sum {} \;
1d3aca86492d181fb0be54b15409dda6322283cc ./imx-seco-5.9.0/firmware/seco/mx8qxc0-ahab-container.img
eca46b8a66dc8dc639dcd3c69520e009c935cd38 ./imx-seco-3.7.5/firmware/seco/mx8qxc0-ahab-container.img
55664fc8ea86eb6f6ce91152e23cb4a3be963f48 ./imx-seco-3.7.4/firmware/seco/mx8qxc0-ahab-container.img
53739a10dbc6e26654072fd1566c97850781df67 ./imx-seco-3.6.3/firmware/seco/mx8qxc0-ahab-container.img
dd234776daf8244ea43639fd89f582eee9fc750a ./imx-seco-3.7.1/firmware/seco/mx8qxc0-ahab-container.img

For the NXP, they are the same. Also, my SOM vendor was using the 3.6.3 version. The 2.3.1 does not contain the C0 silicon for QX versions.
I just verified that the primary packages are the same as buildroot.

$ for i in *.bin; do wget https://www.nxp.com/lgfiles/NMG/MAD/YOCTO/$i; done;

Also, this post indicate NDA only fips release 4.8.0.

https://community.nxp.com/t5/i-MX-Processors/Location-of-FIPS-140-SECO-firmware-version/td-p/1744976

Also the Yocto hashes do not agree as they are over different input sources (I also know I used SHA-160; but still the inputs sources are different).

I didn't take the time to figure out what Yocto is applying the hashes to. Definitely not the input to imx-mkimage.

在原帖中查看解决方案

bill_pringlemeir · ‎01-25-2024

buildroot supplies a list of seco releases.

https://sources.buildroot.net/imx-seco/

I retreived these releases and the NXP variants.

buildroot $ find . -name mx8qxc0-ahab-container.img -exec md5sum {} \;
79ca77713fabab91cbd7cf882a85ffae ./imx-seco-5.9.0/firmware/seco/mx8qxc0-ahab-container.img
8af873ea140d65807570e83f364968cf ./imx-seco-3.7.5/firmware/seco/mx8qxc0-ahab-container.img
687f766ef0f8ab600cac57781e2230cf ./imx-seco-3.7.4/firmware/seco/mx8qxc0-ahab-container.img
ac6a3582d8d5f1ba9d4a5adb905717d8 ./imx-seco-3.6.3/firmware/seco/mx8qxc0-ahab-container.img
a87c9aa721ace85e541ffff078eb4f11 ./imx-seco-3.7.1/firmware/seco/mx8qxc0-ahab-container.img
buildroot $ $ find . -name mx8qxc0-ahab-container.img -exec sha1sum {} \;
1d3aca86492d181fb0be54b15409dda6322283cc ./imx-seco-5.9.0/firmware/seco/mx8qxc0-ahab-container.img
eca46b8a66dc8dc639dcd3c69520e009c935cd38 ./imx-seco-3.7.5/firmware/seco/mx8qxc0-ahab-container.img
55664fc8ea86eb6f6ce91152e23cb4a3be963f48 ./imx-seco-3.7.4/firmware/seco/mx8qxc0-ahab-container.img
53739a10dbc6e26654072fd1566c97850781df67 ./imx-seco-3.6.3/firmware/seco/mx8qxc0-ahab-container.img
dd234776daf8244ea43639fd89f582eee9fc750a ./imx-seco-3.7.1/firmware/seco/mx8qxc0-ahab-container.img

For the NXP, they are the same. Also, my SOM vendor was using the 3.6.3 version. The 2.3.1 does not contain the C0 silicon for QX versions.
I just verified that the primary packages are the same as buildroot.

$ for i in *.bin; do wget https://www.nxp.com/lgfiles/NMG/MAD/YOCTO/$i; done;

Also, this post indicate NDA only fips release 4.8.0.

https://community.nxp.com/t5/i-MX-Processors/Location-of-FIPS-140-SECO-firmware-version/td-p/1744976

Also the Yocto hashes do not agree as they are over different input sources (I also know I used SHA-160; but still the inputs sources are different).

I didn't take the time to figure out what Yocto is applying the hashes to. Definitely not the input to imx-mkimage.

Harvey021 · ‎01-25-2024

As I know so far, there should not have such a list with verification hashes as expected. Generally, you can refer to each Linux release note (https://www.nxp.com/docs/en/release-note/IMX_LINUX_RELEASE_NOTES.pdf), and SCR (meta-imx/SCR-6.1.22-2.0.0.txt at mickledore-6.1.22-2.0.0 · nxp-imx/meta-imx · GitHub) and SECO_FW_release_note.pdf (from the download firmware). furthermore, check the recipe to verify the hash values.

Regards

Harvey

bill_pringlemeir · ‎01-25-2024

So, the Yocto is the channel for releases?

Thanks, I will look at this info.

This question looks related. https://community.nxp.com/t5/i-MX-Processors/Which-SECO-firmware-version-to-be-used-with-5-15-52-2-1...

List of released/approved iMX8 seco binaries with verification hashes.

List of released/approved iMX8 seco binaries with verification hashes.

i.MX 8 Family | i.MX 8QuadMax (8QM) | 8QuadPlus

Security