- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: Testing signed images
Testing signed images
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am in the process of adding signed images to our board but I was left with questions on how to test that.
After getting a signed os_cntr_signed.bin image, it boots fine. On u-boot when I try ahab_status, I see SECO events (because I don't have my keys fused yet).
Initially I thought I could use u-boot fuse override for testing the fuse values I need to use, but that is not implemented. After searching on how to use fuse shadow registers, I found that it is not possible. Examples:
Initially If thought I could implement something like what is mentioned in the first link.
Based on that, how am I supposed to test secure boot keys / commands without permanently fusing the keys or bricking the board?
What is NXP advice on that?
For reference, we are using i.MX8X (imx8qxp).
Solved! Go to Solution.
Bio_TICFSL
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
If not burning the SRK fuse, you may can use OPENSSL command to analyze the images with their key.
Regards
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll try the openssl approach in the future. Another FAE we contacted also confirmed there is no way of testing on a imx8 board without fusing the keys. His suggestion in that case was to fuse (if we are fine with that) but not close the device.
Bio_TICFSL
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
If not burning the SRK fuse, you may can use OPENSSL command to analyze the images with their key.
Regards
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am interested in this topic!
I need to verify the os_cntr_signed.bin container coming out from a Yocto AHAB-signed build for imx93
If I do:
~/cst-4.0.0/linux64/bin/ahab_image_verifier os_cntr_signed.bin 0 0
I get:
Signature Block:
Version: 0
Length: 2648 bytes
Tag: 0x90
Certificate Offset: 0x0
SRK Table/Array Offset: 0x10
SRK Table:
Tag: 0xD7
Length: 2112 bytes
Version: 66
SRK Record:
Tag: 0xE1
Length: 527 bytes
Sign Algorithm: RSA
Hash Algorithm: SHA2_384
Key Size/Curve: RSA4096
SRK Flags: CA Flags
Modulus (N):
.....
Signature verification failed
This doesn't happen for imx-boot-imx93-var-som-aski-sd.bin-flash_singleboot_gdet
Signature Block:
Version: 0
Length: 400 bytes
Tag: 0x90
Certificate Offset: 0x0
SRK Table/Array Offset: 0x10
SRK Table:
Tag: 0xD7
Length: 308 bytes
Version: 66
SRK Record:
Tag: 0xE1
Length: 76 bytes
Sign Algorithm: ECDSA
Hash Algorithm: SHA2_256
Key Size/Curve: PRIME256V1
SRK Flags: None
X Coordinate: ....
Y Coordinate: ...
......
Signature verification successful
I am using a Digicert HSM for the signature
does anybody have a clue about the verification failed for os_cntr_signed ?
does anybody have a hint on how to verify the signature with openssl ?(just to exclude the issue is ahab_image_verifier itself)
