FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Secure Boot Mode

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

Secure Boot Mode

Jump to solution
‎06-11-2024 05:27 PM
2,234 Views
pilotnite
Contributor III

Hello,

I am currently in the development phase and would like to test secure boot mode. I have been reading the guide [here](https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/introduction_ahab.txt).

During development, there will be lots of trial and error. According to [this section](https://github.com/nxp-imx/uboot-imx/blob/lf_v2023.04/doc/imx/ahab/guides/mx8ulp_9x_secure_boot.txt#...) on reading the fuses, it does not mention whether I can run in emulation mode without burning the fuses permanently and potentially bricking the board.

Has anyone implemented secure boot mode during the development phase with the i.MX93? What is the correct procedure to follow without risking bricking the board?

Any help would be highly appreciated.

Cheers,
Nitesh

0 Kudos
Reply
1 Solution

Jump to solution
‎06-13-2024 01:10 AM
2,206 Views
Harvey021
NXP TechSupport
NXP TechSupport

Hi, 

Don't close device before signing image verification passed and the SRK fuse should be fused when in production. otherwise, any images can run on the device.

 

Regards

Harvey

View solution in original post

0 Kudos
Reply
3 Replies

Jump to solution
‎06-13-2024 01:10 AM
2,207 Views
Harvey021
NXP TechSupport
NXP TechSupport

Hi, 

Don't close device before signing image verification passed and the SRK fuse should be fused when in production. otherwise, any images can run on the device.

 

Regards

Harvey

0 Kudos
Reply

Jump to solution
‎06-13-2024 05:50 PM
2,199 Views
pilotnite
Contributor III

@Harvey021 

Hi Harvey,

Thank you for your response.

I have a few more questions regarding the SRK fuse:

  1. What exactly happens when the SRK fuse is burned?
  2. Once the SRK fuse is burned, can I still re-flash the unit using the same certificates and keys?
  3. Will I be able to perform OTA updates to the filesystem or update the bootloader after the SRK fuse is burned?

Your clarification on these points would be greatly appreciated.

Best regards,
Nitesh

0 Kudos
Reply

Jump to solution
‎06-13-2024 11:01 PM
2,182 Views
Harvey021
NXP TechSupport
NXP TechSupport

Hi,

SRK fuse helps the root of trust established if SRK table in signed image verify successfully against SRK fuse in Fuse box. 

Regards

Harvey

 

0 Kudos
Reply
%3CLINGO-SUB%20id%3D%22lingo-sub-1885567%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ESecure%20Boot%20Mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1885567%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EI%20am%20currently%20in%20the%20development%20phase%20and%20would%20like%20to%20test%20secure%20boot%20mode.%20I%20have%20been%20reading%20the%20guide%20%5Bhere%5D(%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fnxp-imx%2Fuboot-imx%2Fblob%2Flf_v2023.04%2Fdoc%2Fimx%2Fahab%2Fintroduction_ahab.txt%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fnxp-imx%2Fuboot-imx%2Fblob%2Flf_v2023.04%2Fdoc%2Fimx%2Fahab%2Fintroduction_ahab.txt%3C%2FA%3E).%3C%2FP%3E%3CP%3EDuring%20development%2C%20there%20will%20be%20lots%20of%20trial%20and%20error.%20According%20to%20%5Bthis%20section%5D(%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fnxp-imx%2Fuboot-imx%2Fblob%2Flf_v2023.04%2Fdoc%2Fimx%2Fahab%2Fguides%2Fmx8ulp_9x_secure_boot.txt%23L395%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fnxp-imx%2Fuboot-imx%2Fblob%2Flf_v2023.04%2Fdoc%2Fimx%2Fahab%2Fguides%2Fmx8ulp_9x_secure_boot.txt%23L395%3C%2FA%3E)%20on%20reading%20the%20fuses%2C%20it%20does%20not%20mention%20whether%20I%20can%20run%20in%20emulation%20mode%20without%20burning%20the%20fuses%20permanently%20and%20potentially%20bricking%20the%20board.%3C%2FP%3E%3CP%3EHas%20anyone%20implemented%20secure%20boot%20mode%20during%20the%20development%20phase%20with%20the%20i.MX93%3F%20What%20is%20the%20correct%20procedure%20to%20follow%20without%20risking%20bricking%20the%20board%3F%3C%2FP%3E%3CP%3EAny%20help%20would%20be%20highly%20appreciated.%3C%2FP%3E%3CP%3ECheers%2C%3CBR%20%2F%3ENitesh%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1885567%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CLINGO-LABEL%3Ei.MX%208%20Family%20%7C%20i.MX%208QuadMax%20(8QM)%20%7C%208QuadPlus%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EYocto%20Project%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1887560%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ERe%3A%20Secure%20Boot%20Mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1887560%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%2C%3C%2FP%3E%0A%3CP%3ESRK%20fuse%20helps%20the%20root%20of%20trust%20established%20if%20SRK%20table%20in%20signed%20image%20verify%20successfully%20against%20SRK%20fuse%20in%20Fuse%20box.%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3EHarvey%3C%2FP%3E%0A%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1887394%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ERe%3A%20Secure%20Boot%20Mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1887394%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F192970%22%20target%3D%22_blank%22%3E%40Harvey021%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20Harvey%2C%3C%2FP%3E%3CP%3EThank%20you%20for%20your%20response.%3C%2FP%3E%3CP%3EI%20have%20a%20few%20more%20questions%20regarding%20the%20SRK%20fuse%3A%3C%2FP%3E%3COL%3E%3CLI%3EWhat%20exactly%20happens%20when%20the%20SRK%20fuse%20is%20burned%3F%3C%2FLI%3E%3CLI%3EOnce%20the%20SRK%20fuse%20is%20burned%2C%20can%20I%20still%20re-flash%20the%20unit%20using%20the%20same%20certificates%20and%20keys%3F%3C%2FLI%3E%3CLI%3EWill%20I%20be%20able%20to%20perform%20OTA%20updates%20to%20the%20filesystem%20or%20update%20the%20bootloader%20after%20the%20SRK%20fuse%20is%20burned%3F%3C%2FLI%3E%3C%2FOL%3E%3CP%3EYour%20clarification%20on%20these%20points%20would%20be%20greatly%20appreciated.%3C%2FP%3E%3CP%3EBest%20regards%2C%3CBR%20%2F%3ENitesh%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1886759%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ERe%3A%20Secure%20Boot%20Mode%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1886759%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDon't%20close%20device%20before%20signing%20image%20verification%20passed%20and%20the%20SRK%20fuse%20should%20be%20fused%20when%20in%20production.%20otherwise%2C%20any%20images%20can%20run%20on%20the%20device.%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3EHarvey%3C%2FP%3E%3C%2FLINGO-BODY%3E