I am reading AN4581 Secure Boot on i.MX50, i.MX53, and i.MX 6 Series using HABv4, Rev. 1, 10/2015, on Appendix A. SRK Revocation on i.MX 6 Series the following is stated:
(...) However, in the Closed configuration, HAB, by default, sets the SRK_REVOKE_LOCK sticky bit in the OCOTP controller to write protect this eFuse field. To instruct HAB not to lock the SRK_REVOKE field requires the use of the Unlock CSF command, with the command flag indicating to unlock the SRK_REVOKE field. Including this command in a CSF signature allows the SRK0 fuse to be blown by a trusted bootloader or runtime image. Below is an example CSF command that unlocks the SRK_REVOKE eFuse field, allowing U-Boot or a later stage to burn the fuse.
I built a signed U-Boot with the following CSF description file:
[Header]
Version = 4.0
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
File = "SRK_table.bin"
Source index = 3
[Install CSFK]
File = "CSF4_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
Engine = CAAM
Features = RNG
[Install Key]
Verification index = 0
Target index = 2
File = "IMG4_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
Verification index = 2
Blocks = 0x177FF400 0 0x60C00 "u-boot-pad.imx"
And I have able to burn the SRK_REVOKE field, and revoke the key index 2. Notice that the following block:
[Unlock]
Engine = OCOTP
Features = SRK Revoke
is *not* present the CSF description file I used.
I was expecting not to be able to program the SRK_REVOKE field. Could you explain this behaviour?
I have tried this same thing in the i.MX6UL and the behavior is the expected one:
Is this then a known issue in the i.MX6?
Hello,
Sorry, but the information you are requesting is treated as confidential info at this time
and requires a signed NDA (Non-Disclosure Agreement). Naturally, we cannot discuss this
with you in public anyway, this requires to be handled as a Service Request (SR).
Have a great day,
Yuri
-------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-------------------------------------------------------------------------------
Hi Yuri,
do you have any update on this?
Hello,
Is Your system really in the Closed configuration ?
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Hi Yuri,
thanks for your answer. Yes, my device is in closed configuration. I have programmed the SEC_CONFIG[2] OTP bit. 'hab_status returns:
=> hab_status
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!