I have closed my device and secured my device, and hab_status shows that secure boot is enabled. I have downloaded a signed u-boot.imx, but why can I download an unsigned boot.img? It's not secure. I think a signed u-boot.imx can't load an unsigned boot.img. Can you help me? Thank you!
Hello,
The Boot ROM does not allow an unsigned U-Boot to run; further responsibility for verifying and running applications
under U-Boot belongs to U-Boot.
Regards,
Yuri.
Hi,
You already booted up the board in a secure manner using a closed device + a signed u-boot => so this is secure!
The feature is called secure boot, not "secure every app in every stage".
After you have already booted up, you can use any other app to play with, even a non-signed u-boot.
How did you start the 2nd u-boot?
In theory, if the device is closed, the u-boot terminal is no longer available for the user. If it is still available, you can set boot_delay to 0.
To stop loading a 2nd u-boot via JTAG, you can disable JTAG by programming a dedicated fuse for that.
Btw, for a full secure chain of trust u-boot - Linux, please also take a look at this AN [1]. But again, even in Linux you can load a custom application. After the device has booted up in a secure manner, it's up to you to maintain the system in a secure state.
Best regards,
Marius
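As an added example that is not part of the original thread: a build-side pre-check that a boot.img has been laid out for HAB authentication by the next stage (on i.MX, U-Boot's `hab_auth_img` command does the on-device authentication). It assumes the HAB v4 IVT layout; `check_hab_image`, `make_sample`, the load address and the offsets are hypothetical names and constructed values, and the check is structural only: it does not verify any signature.

```python
import struct

IVT_TAG, CSF_TAG, IVT_LEN = 0xD1, 0xD4, 0x20  # HAB v4 header tags, IVT size


def check_hab_image(image, ivt_offset, load_addr):
    """Return a list of problems; an empty list means the image carries an
    IVT and a CSF where HAB expects them (signature itself is NOT verified)."""
    if ivt_offset < 0 or ivt_offset + IVT_LEN > len(image):
        return ["no room for an IVT at the given offset"]
    # IVT header: tag (1 byte), length (2 bytes, big-endian), version (1 byte)
    tag, length, version = struct.unpack_from(">BHB", image, ivt_offset)
    if tag != IVT_TAG or length != IVT_LEN or (version & 0xF0) != 0x40:
        return ["no valid IVT header: image is not prepared for HAB"]
    # Remaining IVT fields are seven little-endian 32-bit words.
    entry, res1, dcd, boot_data, self_ptr, csf, res2 = struct.unpack_from(
        "<7I", image, ivt_offset + 4)
    problems = []
    if self_ptr != load_addr + ivt_offset:
        problems.append("IVT self pointer does not match load address")
    if csf == 0:
        problems.append("CSF pointer is zero: image is unsigned")
    else:
        csf_off = csf - load_addr
        if not 0 <= csf_off < len(image):
            problems.append("CSF pointer outside image")
        elif image[csf_off] != CSF_TAG:
            problems.append("no CSF header at CSF pointer")
    return problems


def make_sample(signed):
    """Constructed test image: zero payload, IVT at 0x1000, CSF at 0x1020."""
    load, ivt_off = 0x12000000, 0x1000
    img = bytearray(0x2000)
    img[ivt_off:ivt_off + 4] = struct.pack(">BHB", IVT_TAG, IVT_LEN, 0x40)
    csf = load + 0x1020 if signed else 0
    struct.pack_into("<7I", img, ivt_off + 4,
                     load, 0, 0, 0, load + ivt_off, csf, 0)
    if signed:
        img[0x1020] = CSF_TAG
    return bytes(img), ivt_off, load


if __name__ == "__main__":
    for signed in (True, False):
        print(signed, check_hab_image(*make_sample(signed)))
```

Passing this check only shows that the image is in the shape a verifying bootloader expects; the chain of trust still depends on U-Boot refusing to boot when authentication fails.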