Secure-Boot HABv4 verification using SRK fuses

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Secure-Boot HABv4 verification using SRK fuses

1,181 Views
pratik_manvar
Contributor III

Hi All,

We are using i.MX8MQ based custom board with NXP release Android-p9.0.0_2.0.0-ga.

To generate secure-boot enabled and signed u-boot image, we followed steps from docs availbale in uboot source at /doc/imx/habv4/guides/mx8m_mx8mm_secure_boot.txt and doc/imx/habv4/introduction_habv4.txt.

Initially for testing, we haven't programmed any SRK fuses or fuse to close the chip.

Even though, all the secure-boot verification using HABv4 scenarios are working fine.!

1. The signed u-boot image using CST tools (v3.1.0) is verified successfully without any HAB events or errors.

2. If we corrupt signed u-boot image or generate it with some wrong CSF data during signing using CST Tools, we are getting HAB events errros.

3. If we flash unsinged u-boot image, it shows us "Error: CSF header command not found" and HAB events are generated.

Note: For logs of above 3 scenarios, please see attached file (secureboot-scenarios.txt).

So, here my questions are,

1. How secure-boot verification happens without SRK fuses burnt?

2. what is the use of SRK fuses?

Please help us out to understand above scenarios.

Thank you.

Regards,

Pratik Manvar

0 Kudos
3 Replies

1,172 Views
Yuri
NXP Employee
NXP Employee

@pratik_manvar 

Hello,

   Please try using "hab_status" U-boot command.
Follow section 3.1.2 (Verifying images with HABv4) of i.MX Android ™ Security User's Guide (Rev. P9.0.0).

 

Regards,
Yuri.

0 Kudos

1,145 Views
pratik_manvar
Contributor III

Hi @Yuri 

Thanks for your quick reply.

Yes, we also referred i.MX Android ™ Security User's Guide and it also explains same steps for secure-boot HABv4 verification.

The "hab_status" command from u-boot also show same results (attached in first post), even though we haven't programmed any SRK fuses or fuse to close the chip.

So, what is the use of SRK fuses in secure-boot HABv4 verification?

Thanks,

Pratik Manvar

0 Kudos

1,094 Views
Yuri
NXP Employee
NXP Employee

@pratik_manvar 
Hello,

  For HAB 4.1.2 and newer the SRK is checked only if SRK  is not 0.
HAB checks SRK Hash in open mode. SRK Fuses = 0 leads to no
HAB events due to SRK hash check.

Regards,
Yuri.

0 Kudos