NXP's Secure boot variant for i.MX8M

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

NXP's Secure boot variant for i.MX8M

Jump to solution
2,434 Views
saikumarmails
Contributor II

Hi All, it is going to be a bit long question as I'm putting the questions and observations I had.

I'm using i.MX8M EVK and trying to enable the secure boot feature on the same. After doing some study & searching I didn't find specific details on which variant of secure boot the i.MX8M EVK supports? (is it HAB version 4? or AHAB?).

The reason for this question is none the application notes I'm referring (AN4581, AN12263 & AN12312) have details about i.MX8M (specifically). When one of my teammate reached out to the NXP support they replied AN12312 applies to i.MX8M but no where does that document list i.MX8M.

Also, when referring the u-boot code base introduction_ahab.txt\ahab\imx\doc - uboot-imx - i.MX U-Boot  - the introduction text file under AHAB only lists i.MX8/8x and introduction_habv4.txt\habv4\imx\doc - uboot-imx - i.MX U-Boot  - the introduction text file under HAB4 refers to i.MX 8M & i.MX 8MM.

The above reasons caused confusion to my understanding about the variant of secure boot supported for i.MX8M.

Below are the questions I had

1. What does the boot ROM of i.MX8M (i.MX8M EVK) gets programmed/shipped with? (Is it HAB4 or AHAB?) Is there a chance that i.MX8M supports both? If yes, how to check the variant of the secure boot for an i.MX processor?

2. When we enable secure boot in u-boot configuration file for i.MX8M in yocto, which APIs they try to access from boot ROM?

3. Lastly and importantly, is there a way to verify signed Linux Image from u-boot's command line without programming the fuses (using the shadow registers etc.,)? as I am a first time fuse programmer and don't want to brick the board with out verifying the functionality first. Any work around or help is highly appreciated.

Thanks for the patience to make it to the end.

 

i.mx 8m u-boot‌  secureboot‌ imx8m‌

0 Kudos
1 Solution
2,078 Views
igorpadykov
NXP Employee
NXP Employee

Hi Venkatasai

>1. What does the boot ROM of i.MX8M (i.MX8M EVK) gets programmed/shipped with?

>(Is it HAB4 or AHAB?) Is there a chance that i.MX8M supports both?

for i.MX8M supported only HAB4, so old app notes are applicable to it. Also one can check

habv4\imx\doc - uboot-imx - i.MX U-Boot 

For other questions one can refer to Security Reference Manual for i.MX 8M Dual/8M QuadLite/8M Quad

Best regards
igor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

View solution in original post

4 Replies
2,079 Views
igorpadykov
NXP Employee
NXP Employee

Hi Venkatasai

>1. What does the boot ROM of i.MX8M (i.MX8M EVK) gets programmed/shipped with?

>(Is it HAB4 or AHAB?) Is there a chance that i.MX8M supports both?

for i.MX8M supported only HAB4, so old app notes are applicable to it. Also one can check

habv4\imx\doc - uboot-imx - i.MX U-Boot 

For other questions one can refer to Security Reference Manual for i.MX 8M Dual/8M QuadLite/8M Quad

Best regards
igor
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

2,078 Views
saikumarmails
Contributor II

Hi igorpadykov,

            Thanks for the confirmation and references, they were helpful and using them I could get the u-boot's sign verified by boot ROM.

I also did some searching for the question#3 in the SRM and couldn't find any. could you help me with some more info? I think this way we could be confident before programming the fuses.

3. Lastly and importantly, is there a way to verify signed Linux Image from u-boot's command line without programming the fuses (using the shadow registers etc.,)? as I am a first time fuse programmer and don't want to brick the board with out verifying the functionality first. Any work around or help is highly appreciated.

Thanks in advance.

0 Kudos
2,078 Views
saikumarmails
Contributor II

Hi igorpadykov‌,

   Can you please respond to my question#3 above?

Thanks

0 Kudos
2,078 Views
igorpadykov
NXP Employee
NXP Employee

Hi Venkatasai

>   Can you please respond to my question#3 above?

Answer:

old app notes are applicable to it:

habv4\imx\doc - uboot-imx - i.MX U-Boot 

Encrypted Boot on HABv4 and CAAM Enabled Devices

https://boundarydevices.com/high-assurance-boot-hab-dummies/ 

Best regards
igor

0 Kudos