Hi,
You already boot up the board in a secure manner using a closed device + a signed u-boot => so this is secure!
The feature is called secure boot :) not "secure every app in every stage".
After you have already booted up, you can use any other app to play with, even a non-signed u-boot.
How did you start the 2nd u-boot?
In theory, if the device is closed the u-boot terminal is no longer available for the user. If still available, you can set boot_delay to 0.
To stop loading a 2nd u-boot via JTAG, you can disable the JTAG by programming a dedicated fuse for that.
Btw, for a full secure chain of trust u-boot - Linux, please also take a look at this AN [1]. But again, even in Linux you can load a custom application. After the device has booted up in a secure manner, it's up to you to maintain the system in a secure state.
Best regards,
Marius
[1] https://www.nxp.com/docs/en/application-note/AN4581.pdf