(Security) Where is the fused KEY value stored in memory map?

minsiklee · ‎09-21-2022

Hi all,

I'm currently developing a secure boot solution for one of our customers using i.MX8DXL

I have a question,

In which memory area is the KEY value fused by SECO API stored?
( KEY i.g : fuse Index 730~745 OEM SRK - SRK_HASH )
( API i.g : sc_misc_otp_fuse_write )

Thanks for your helps.

Best Regards,

Duncan

Harvey021 · ‎10-09-2022

Hi @minsiklee

Fuse reads and writes are done through SCAPI, you can download KIT and extract its respective API for more details.

L5.15.52_2.1.0_SCFWKIT-1.14.0 (nxp.com)

Regarding the procedure to read hash values (8DXL for example).

Retrieve the base address for shadow from SCFWKIT:

As known, offset ranges from 0x24A0, 0x24B0 ... 0x2590.

Then you can read them as below method.

Best regards

Harvey

View solution in original post

Harvey021 · ‎09-28-2022

Hi @minsiklee

I assume that you're going to fuse SRK_HASH values. more details can be seen in secure boot user guide using AHAB (mx8_mx8x_secure_boot.txt\guides\ahab\imx\doc - uboot-imx - i.MX U-Boot (codeaurora.org)).

- Program SRK_HASH[511:0] fuses:

  * On i.MX 8 QXP:

  => fuse prog 0 730 0xd436cc46
  => fuse prog 0 731 0x8ecccda9
  => fuse prog 0 732 0xb89e1601
  => fuse prog 0 733 0x5fada3db
  => fuse prog 0 734 0xd454114a
  => fuse prog 0 735 0xb6cd51f4
  => fuse prog 0 736 0x77384870
  => fuse prog 0 737 0xc50ee4b2
  => fuse prog 0 738 0xa27e5132
  => fuse prog 0 739 0xeba887cf
  => fuse prog 0 740 0x592c1e2b
  => fuse prog 0 741 0xbb501799
  => fuse prog 0 742 0xee702e07
  => fuse prog 0 743 0xcf8ce73e
  => fuse prog 0 744 0xfb55e2d5
  => fuse prog 0 745 0xeba6bbd2

Can you please tell what requirements you need about the physical address?

Best regards

Harvey

minsiklee · ‎09-29-2022

Hi, @Harvey021

Sorry for the late reply.

# Can you please tell what requirements you need about the physical address?

I want to know for the purpose of protecting the actual memory where the fuse SRK_HASH value is stored.

Therefore, I wonder as to which memory(SECO ROM? SCU ROM?)physical address is referenced to read the fused SRK_HASH value.

Also I already know that when i fuse SRK_HASH values, they are stored at index 730-745.
(The area will be at 0x24A0, 0x24B0 .. 0x2590)

Thanks for your reply.

Best Regards.

duncan.

Harvey021 · ‎10-09-2022

Hi @minsiklee

Fuse reads and writes are done through SCAPI, you can download KIT and extract its respective API for more details.

L5.15.52_2.1.0_SCFWKIT-1.14.0 (nxp.com)

Regarding the procedure to read hash values (8DXL for example).

Retrieve the base address for shadow from SCFWKIT:

As known, offset ranges from 0x24A0, 0x24B0 ... 0x2590.

Then you can read them as below method.

Best regards

Harvey

minsiklee · ‎10-10-2022

Hi Harvey.

It helped me to solve the problem.

Thank you again.

Best regards.

Duncan.

Harvey021 · ‎09-26-2022

Hi @minsiklee

The area will be at 0x24A0, 0x24B0 .. 0x2590.

Best regards

Harvey

minsiklee · ‎09-26-2022

Hi Harvey.

Thanks for answer.

I was asking where the key is actually stored at the physical address.

In which memory is it stored inside the i.MX8 chip?

Best regards

Duncan.

(Security) Where is the fused KEY value stored in memory map?

(Security) Where is the fused KEY value stored in memory map?

i.MX 8 Family | i.MX 8QuadMax (8QM) | 8QuadPlus

Security