Solved! Go to Solution.
Thanks for the answer. I will try this method. I use the SDK for arm gcc. Now my example works fine without using encryption. Brief instructions:
1) Install arm gcc for Cortex-M7
wget https://armkeil.blob.core.windows.net/developer/Files/downloads/gnu-rm/9-2019q4/gcc-arm-none-eabi-9-...
mkdir ~/opt
cp gcc-arm-none-eabi-9-2019-q4-major-x86_64-linux.tar.bz2 ~/opt
cd ~/opt
tar -xvf gcc-arm-none-eabi-9-2019-q4-major-x86_64-linux.tar.bz2
export ARMGCC_DIR=~/opt/gcc-arm-none-eabi-9-2019-q4-major
2) Build the flexspi demo app (CMake 3.10 required)
cd SDK/boards/evkmimxrt1020/driver_examples/flexspi/nor/edma_transfer/armgcc
./build_all.sh
3) Generate the bin file from the elf
cd flexspi_nor_release
~/opt/gcc-arm-none-eabi-9-2019-q4-major/bin/arm-none-eabi-objcopy -O binary flexspi_nor_edma_transfer.elf flexspi_nor_edma_transfer.bin
4) Serial mode ON
Set the board to serial mode and power it on. Check that /dev/ttyACM0 exists.
5) Flash the demo app to the board
Load the flashloader to memory
./sdphost -t 50000 -p /dev/ttyACM0,115200 write-file 0x20208000 ivt_flashloader.bin
Execute the flashloader
./sdphost -t 50000 -p /dev/ttyACM0,115200 jump-address 0x20208400
Fill and configure memory for FLEXSPI NOR
./blhost -p /dev/ttyACM0,115200 fill-memory 0x2000 4 0xc0000007
./blhost -p /dev/ttyACM0,115200 configure-memory 0x9 0x2000
Erase memory region
./blhost -p /dev/ttyACM0,115200 flash-erase-region 0x60000000 0x10000
Write the demo app
./blhost -p /dev/ttyACM0,115200 write-memory 0x60000000 flexspi_nor_edma_transfer.bin
This part works well.
After that I want to try BEE encryption:
6) Flash the BEE-encrypted demo to the board
Encrypt the flexspi region from offset 0x1000 with size 0x3FF000 and AES key 0123456789abcdeffedcba9876543210
image_enc.exe hw_eng=bee ifile=flexspi_nor_edma_transfer.bin ofile=flexspi_nor_edma_transfer_bee_encrypted.bin base_addr=0x60000000 region0_key=0123456789abcdeffedcba9876543210 region0_arg=1,[0x60001000,0x3FF000,0] region0_lock=0 use_zero_key=1 is_boot_image=1
Remove the 1K padding
dd if=flexspi_nor_edma_transfer_bee_encrypted.bin of=flexspi_nor_edma_transfer_bee_encrypted_remove1K.bin skip=1 bs=1024 count=200
Generate the encrypted sb file
elftosb -f kinetis -V -c program_imxrt1020_qspi_encrypt_sw_gp2.bd -o boot_image_encrypt.sb flexspi_nor_edma_transfer_bee_encrypted_remove1K.bin
Generate the burn_fuse sb file
elftosb -f kinetis -V -c burn_fuse.bd -o burn_fuse.sb
Flash the images
./sdphost -t 50000 -p /dev/ttyACM0,115200 write-file 0x20208000 ivt_flashloader.bin
./sdphost -t 50000 -p /dev/ttyACM0,115200 jump-address 0x20208400
./blhost -p /dev/ttyACM0,115200 receive-sb-file burn_fuse.sb
./blhost -p /dev/ttyACM0,115200 reset
./blhost -p /dev/ttyACM0,115200 receive-sb-file boot_image_encrypt.sb
As far as I understand, the polyfuse will be programmed here; will it be possible to return to normal boot later if something goes wrong? In this example, zero keys are used; how do I use my own keys? Is it possible to compile the image_enc utility for Linux? There are sources for it. The customer wants to program the boards in a minimal way, using their own encryption keys. To do this, he needs a minimal set of utilities (currently: sdphost, blhost, elftosb, image_enc.exe).
My burn_fuse.bd:
sources {
}
constants {
}
section (0) {
# program SW_GP2
load fuse 0x76543210 > 0x29;
load fuse 0xfedcba98 > 0x2a;
load fuse 0x89abcdef > 0x2b;
load fuse 0x01234567 > 0x2c;
# Program BEE_KEY0_SEL
load fuse 0x00003000 > 0x6;
}
load fuse 0x00003000 > 0x6 - Is it correct to use only region0? What does it mean? (Maybe there is a datasheet for that?)
program_imxrt1020_qspi_encrypt_sw_gp2.bd:
sources {
myBinFile = extern (0);
}
section (0) {
load 0xc0000007 > 0x2000;
enable flexspinor 0x2000;
erase 0x60000000..0x60010000;
load 0xf000000f > 0x3000;
enable flexspinor 0x3000;
load myBinFile > 0x60000400;
}
Is that a correct bd file?
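The four SW_GP2 fuse words in the burn_fuse.bd above are the 32-bit words of the AES key written in reverse order, and the key in the fuses has to line up with the region0_key passed to image_enc. As an added example that is not part of this thread, the Python below generates those load fuse lines from a key and reads an existing bd file back to compare it against the region0_key; the word layout is taken only from the posted file, not from a datasheet, so treat it as an assumption.

```python
import re
import struct

# Fuse addresses and key-word layout as used in the burn_fuse.bd posted above.
# This mapping is an assumption taken from that file, not from a datasheet.
SW_GP2_FUSE_ADDRS = (0x29, 0x2A, 0x2B, 0x2C)
BEE_KEY0_SEL_LINE = "load fuse 0x00003000 > 0x6;"   # copied from the posted file

# Constructed sample, mirroring the section (0) block of the posted burn_fuse.bd
SAMPLE_BD = """section (0) {
# program SW_GP2
load fuse 0x76543210 > 0x29;
load fuse 0xfedcba98 > 0x2a;
load fuse 0x89abcdef > 0x2b;
load fuse 0x01234567 > 0x2c;
# Program BEE_KEY0_SEL
load fuse 0x00003000 > 0x6;
}
"""

def fuse_words_from_key(key_hex: str) -> dict:
    """Split a 128-bit key into 32-bit words: fuse 0x29 gets the last four
    key bytes as a big-endian word, 0x2c the first four (as in the posted file)."""
    key = bytes.fromhex(key_hex)
    if len(key) != 16:
        raise ValueError("AES-128 key must be exactly 16 bytes")
    words = struct.unpack(">4I", key)          # key[0:4], key[4:8], key[8:12], key[12:16]
    return dict(zip(SW_GP2_FUSE_ADDRS, reversed(words)))

def bd_section_for_key(key_hex: str) -> str:
    """Emit the section (0) block of a burn_fuse.bd for the given key."""
    lines = ["section (0) {", "# program SW_GP2"]
    lines += [f"load fuse 0x{w:08x} > 0x{a:x};"
              for a, w in fuse_words_from_key(key_hex).items()]
    lines += ["# Program BEE_KEY0_SEL", BEE_KEY0_SEL_LINE, "}"]
    return "\n".join(lines) + "\n"

def key_from_bd(bd_text: str) -> str:
    """Reverse direction: recover the key hex from the SW_GP2 fuse loads."""
    loads = {int(addr, 16): int(val, 16) for val, addr in re.findall(
        r"load fuse\s+(0x[0-9a-fA-F]+)\s*>\s*(0x[0-9a-fA-F]+)", bd_text)}
    missing = [hex(a) for a in SW_GP2_FUSE_ADDRS if a not in loads]
    if missing:
        raise ValueError(f"bd file has no SW_GP2 fuse load for {missing}")
    words = [loads[a] for a in reversed(SW_GP2_FUSE_ADDRS)]
    return struct.pack(">4I", *words).hex()

def fuses_match_region_key(bd_text: str, region0_key: str) -> bool:
    """True when the key burned by bd_text equals image_enc's region0_key."""
    return key_from_bd(bd_text) == region0_key.lower()
```

Run fuses_match_region_key on the real burn_fuse.bd and the region0_key from the image_enc command before receive-sb-file burn_fuse.sb, since the fuses cannot be rewritten afterwards.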
Try it, it all works fine with my instructions. I think one AES key will be enough for the customer (I don't use the SRK hash yet, maybe later). image_enc builds from source code; use mbedtls from GitHub for the dependency. All works fine, thanks.
Encrypting images with AES CTR: it seems like it works. But the data in the encrypted.bin file is not changed after offset 0x1000. Only the enc_region_hdr is written to offset 0x400. I changed the AES key many times, the data was not changed after offset 0x1000; the source code in flex is not encrypted by the image_enc utility...
1) I tried to use AES ECB. The data changed, but nothing works:
./image_enc ifile=flexspi_nor_edma_transfer.bin ofile=flexspi_nor_edma_transfer_bee_encrypted.bin base_addr=0x60000000 region0_key=0123456789abcdeffedcba9876543210 region0_arg=0,[0x60001000,0x3FF000,0] region0_lock=0 use_zero_key=1 is_boot_image=1
Remove the 1K padding
dd if=flexspi_nor_edma_transfer_bee_encrypted.bin of=flexspi_nor_edma_transfer_bee_encrypted_remove1K.bin skip=1 bs=1024 count=200
Generate the encrypted sb file
./elftosb -f kinetis -V -c program_imxrt1020_qspi_encrypt_sw_gp2.bd -o boot_image_encrypt.sb flexspi_nor_edma_transfer_bee_encrypted_remove1K.bin
./sdphost -t 50000 -p /dev/ttyACM0,115200 write-file 0x20208000 ivt_flashloader.bin
./sdphost -t 50000 -p /dev/ttyACM0,115200 jump-address 0x20208400
./blhost -p /dev/ttyACM0,115200 receive-sb-file burn_fuse.sb
./blhost -p /dev/ttyACM0,115200 receive-sb-file boot_image_encrypt.sb - DOES NOT WORK AFTER BOOTING THE BOARD FROM FLEXSPI.
2) I tried to use AES CTR:
./image_enc ifile=flexspi_nor_edma_transfer.bin ofile=flexspi_nor_edma_transfer_bee_encrypted.bin base_addr=0x60000000 region0_key=0123456789abcdeffedcba9876543210 region0_arg=1,[0x60001000,0x3FF000,0] region0_lock=0 use_zero_key=1 is_boot_image=1
Remove the 1K padding
dd if=flexspi_nor_edma_transfer_bee_encrypted.bin of=flexspi_nor_edma_transfer_bee_encrypted_remove1K.bin skip=1 bs=1024 count=200
Generate the encrypted sb file
./elftosb -f kinetis -V -c program_imxrt1020_qspi_encrypt_sw_gp2.bd -o boot_image_encrypt.sb flexspi_nor_edma_transfer_bee_encrypted_remove1K.bin
./sdphost -t 50000 -p /dev/ttyACM0,115200 write-file 0x20208000 ivt_flashloader.bin
./sdphost -t 50000 -p /dev/ttyACM0,115200 jump-address 0x20208400
./blhost -p /dev/ttyACM0,115200 receive-sb-file burn_fuse.sb
./blhost -p /dev/ttyACM0,115200 receive-sb-file boot_image_encrypt.sb - WORKS AFTER BOOTING THE BOARD FROM FLEXSPI.
The only difference is that I am using the AES mode parameter for image_enc... burn_fuse.bd and program_imxrt1020_qspi_encrypt_sw_gp2.bd are the same (the AES key and the params for region0 are the same). Why does AES CTR work with these parameters, but AES ECB doesn't? Why does AES CTR mode not encrypt the data in the region, and only write the enc_region hdr to offset 0x400? I tried changing the AES key in AES CTR mode, but only the header at offset 0x400 changed; the data did not change...
The customer needs a simple option: encrypt the source code with an AES algorithm and place the keys in the OTP.
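The symptom described above (only the header at 0x400 changes, nothing after 0x1000) can be checked on the host before any fuse is burned or image flashed. As an added example that is not part of this thread, the Python below compares the image_enc input and output byte by byte, reports the changed ranges, and measures how much of region0 ([0x60001000, +0x3FF000) at base 0x60000000) actually differs. The sample images are constructed here: a 0x2000-byte plaintext, a placeholder 0x80-byte header at 0x400 and a constant-XOR stand-in for the ciphertext; the real header size and cipher are not assumed.

```python
BASE_ADDR = 0x60000000       # base_addr given to image_enc above
REGION0_START = 0x60001000   # start address from region0_arg
REGION0_SIZE = 0x3FF000      # size from region0_arg
HDR_OFFSET = 0x400           # where the thread says the enc_region_hdr lands
HDR_LEN = 0x80               # constructed placeholder, not the real header size

def changed_ranges(plain: bytes, enc: bytes) -> list:
    """[(start, end)] file offsets (end exclusive) where enc != plain,
    over the common length of both files."""
    n = min(len(plain), len(enc))
    ranges, start = [], None
    for i in range(n):
        if plain[i] != enc[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges

def region_changed_fraction(plain: bytes, enc: bytes, region_addr: int = REGION0_START,
                            region_size: int = REGION0_SIZE, base: int = BASE_ADDR) -> float:
    """Share of 16-byte blocks inside the BEE region (clipped to the file length)
    that differ between input and output. 0.0 is the symptom reported above:
    header written, payload untouched."""
    off = region_addr - base
    end = min(off + region_size, len(plain), len(enc))
    blocks = range(off, end - 15, 16)
    if len(blocks) == 0:
        return 0.0
    changed = sum(1 for b in blocks if plain[b:b + 16] != enc[b:b + 16])
    return changed / len(blocks)

def make_sample_images() -> tuple:
    """Constructed plaintext plus two image_enc-like outputs: one where the
    region really changed and one where only the header was written."""
    plain = bytes(range(256)) * 32                       # 0x2000 bytes
    hdr = b"\xaa" * HDR_LEN                              # placeholder header
    off = REGION0_START - BASE_ADDR
    body = bytes(x ^ 0x5A for x in plain[off:])          # stand-in for ciphertext
    good = plain[:HDR_OFFSET] + hdr + plain[HDR_OFFSET + HDR_LEN:off] + body
    bad = plain[:HDR_OFFSET] + hdr + plain[HDR_OFFSET + HDR_LEN:]
    return plain, good, bad
```

For a real run, read flexspi_nor_edma_transfer.bin and flexspi_nor_edma_transfer_bee_encrypted.bin (before the dd step, so both still start at base_addr) and expect the region fraction to be close to 1.0.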
Hi,
Thank you for your interest in NXP Semiconductor products and for the opportunity to serve you.
To provide the fastest possible support, I'd highly recommend you use the MCUXpresso Secure Provisioning tool instead of NXP-MCUBootUtility on Linux OS.
Have a great day,
TIC