(Security) Where is the fused KEY value stored in memory map?

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决

(Security) Where is the fused KEY value stored in memory map?

跳至解决方案
2,716 次查看
minsiklee
Contributor IV

Hi all,

I'm currently developing a secure boot solution for one of our customers using i.MX8DXL

I have a question, 

In which memory area is the KEY value fused by SECO API stored?
( KEY i.g : fuse Index 730~745 OEM SRK - SRK_HASH )
( API i.g : sc_misc_otp_fuse_write )

L_duncan_0-1663822793934.png

Thanks for your helps.

Best Regards,

Duncan

 

0 项奖励
回复
1 解答
2,635 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hi @minsiklee 

Fuse reads and writes are done through SCAPI, you can download KIT and extract its respective API for more details.

L5.15.52_2.1.0_SCFWKIT-1.14.0 (nxp.com)

Regarding the procedure to read hash values (8DXL for example).

Retrieve the base address for shadow from SCFWKIT: 

Harvey021_0-1665306209074.png

As known, offset ranges from 0x24A0, 0x24B0 ... 0x2590.

Then you can read them as below method.

Harvey021_1-1665306505457.png

Best regards

Harvey

 

在原帖中查看解决方案

0 项奖励
回复
6 回复数
2,685 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hi @minsiklee 

I assume that you're going to fuse SRK_HASH values. more details can be seen in secure boot user guide using AHAB (mx8_mx8x_secure_boot.txt\guides\ahab\imx\doc - uboot-imx - i.MX U-Boot (codeaurora.org)). 

- Program SRK_HASH[511:0] fuses:

  * On i.MX 8 QXP:

  => fuse prog 0 730 0xd436cc46
  => fuse prog 0 731 0x8ecccda9
  => fuse prog 0 732 0xb89e1601
  => fuse prog 0 733 0x5fada3db
  => fuse prog 0 734 0xd454114a
  => fuse prog 0 735 0xb6cd51f4
  => fuse prog 0 736 0x77384870
  => fuse prog 0 737 0xc50ee4b2
  => fuse prog 0 738 0xa27e5132
  => fuse prog 0 739 0xeba887cf
  => fuse prog 0 740 0x592c1e2b
  => fuse prog 0 741 0xbb501799
  => fuse prog 0 742 0xee702e07
  => fuse prog 0 743 0xcf8ce73e
  => fuse prog 0 744 0xfb55e2d5
  => fuse prog 0 745 0xeba6bbd2

Can you please tell what requirements you need about the physical address? 

 

Best regards

Harvey

0 项奖励
回复
2,673 次查看
minsiklee
Contributor IV

Hi, @Harvey021 

Sorry for the late reply.

 

# Can you please tell what requirements you need about the physical address? 

I want to know for the purpose of protecting the actual memory where the fuse SRK_HASH value is stored.

Therefore, I wonder as to which memory(SECO ROM? SCU ROM?)physical address is referenced to read the fused SRK_HASH value.

Also I already know that when i fuse SRK_HASH values, they are stored at index 730-745.
(The area will be at 0x24A0, 0x24B0 .. 0x2590)  

L_duncan_0-1664501823272.png

Thanks for your reply.

Best Regards.

duncan.

 

 

 

0 项奖励
回复
2,636 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hi @minsiklee 

Fuse reads and writes are done through SCAPI, you can download KIT and extract its respective API for more details.

L5.15.52_2.1.0_SCFWKIT-1.14.0 (nxp.com)

Regarding the procedure to read hash values (8DXL for example).

Retrieve the base address for shadow from SCFWKIT: 

Harvey021_0-1665306209074.png

As known, offset ranges from 0x24A0, 0x24B0 ... 0x2590.

Then you can read them as below method.

Harvey021_1-1665306505457.png

Best regards

Harvey

 

0 项奖励
回复
2,616 次查看
minsiklee
Contributor IV

Hi Harvey.

 

It helped me to solve the problem.

Thank you again.

 

Best regards.

Duncan.

0 项奖励
回复
2,700 次查看
Harvey021
NXP TechSupport
NXP TechSupport

Hi @minsiklee 

The area will be at 0x24A0, 0x24B0 .. 0x2590. 

Best regards

Harvey

0 项奖励
回复
2,695 次查看
minsiklee
Contributor IV

Hi Harvey.

Thanks for answer.

I was asking where the key is actually stored at the physical address. 

In which memory is it stored inside the i.MX8 chip?

Best regards

Duncan.

0 项奖励
回复