What does SECURED/UNSECURED in the "blhost get-property 17" response mean for RT685

scott-kooy
Contributor III

We would like to confirm that BOOT_CFG[0] SECURE_BOOT_EN (bits 21:20) is set to Enabled. I assume this means that the RT685 is secured.

In my experimentation I wrote the OTP fuses for BOOT_CFG[0], MASTER_KEY, and RKTH.

See the following batch file that writes the OTP fuses (I read back the values of the OTP with the Secure Provisioning Tool to confirm the values were written correctly):

@echo ### Burn fuse: BOOT_CFG[0] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x60 00900005 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[31:0] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x70 62469820 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[63:32] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x71 763D5D72 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[95:64] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x72 A4EF6715 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[127:96] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x73 BB0D28CB lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[159:128] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x74 269855E1 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[191:160] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x75 74880D07 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[223:192] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x76 1FBAB14D lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[255:224] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x77 085C7C51 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_255_224 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x78 D99DB08E lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_223_192 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x79 DEF7EBB2 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_191_160 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x7a E238EE04 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_159_128 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x7b 178B0CBF lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_127_96 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x7c B91F5F62 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_95_64 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x7d 5DAFD6D4 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_63_32 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x7e FAF305E0 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_31_0 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x7f 811167FF lock
if errorlevel 1 exit 2

After writing the fuses and then a secure (signed) firmware release, I then run the following batch file:

call "%blhost%" %blhost_connect% -- get-property 17

And the output is:

Inject command 'get-property'
Response status = 0 (0x0) Success.
Response word 1 = 1520786085 (0x5aa55aa5)
Security State = UNSECURE

I would expect the Security State would be SECURE, but that is not the case.  Is this Security State based only on OTP word?  If so, what OTP words need to be burned?  If not, what other configuration is the Security State based on?

 

Thanks for your help.

Yuri
NXP Employee

@scott-kooy 
Hello,

The SECURE_BOOT_EN fuse means that the Secure boot ROM will perform boot.
Secure boot provides a guarantee that unauthorized code cannot be executed / booted.

 The Security State concerns the ARM TrustZone configuration.

https://www.nxp.com/docs/en/application-note/AN12839.pdf

 

Regards,
Yuri.

scott-kooy
Contributor III

So you say that Security State concerns the TrustZone. Does this mean that Security State=SECURE is returned by "blhost get-property 17" if the TrustZone is enabled (BOOT_CFG[0], bits 14:13 is 2'b11 or 2'b10)? Also, will "blhost get-property 17" return SECURE if we set those bits in the shadow registers? If not, what OTP word values are required to return SECURE?

scott-kooy
Contributor III

I was asking the wrong question here. I thought that if the SECURE_BOOT_EN bit was set, "blhost get-property 17" would return SECURED, but I was wrong. I found out that I instead need to do "blhost read-efuse-once 0x60" to get the BOOT_CFG[0] which contains the SECURE_BOOT_EN bit. Thanks.
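
The check the thread ends on, as an added example that is not part of the original posts or NXP's tooling: parse blhost text output in the "Response word N = dec (0xhex)" format shown above, extract the BOOT_CFG[0] bit fields named in the thread, and compare a read-back against the value that was meant to be programmed. The sample output is constructed; that the fuse value is the last response word (after a byte count) is an assumption, and TZ_MODE is a hypothetical label for bits 14:13.

```python
import re

# Bit fields of BOOT_CFG[0] (fuse word 0x60) as named in this thread.
FIELDS = {
    "SECURE_BOOT_EN": (21, 20),
    "TZ_MODE": (14, 13),  # hypothetical label for the bits 14:13 asked about
}
WORD_RE = re.compile(r"Response word (\d+) = \d+ \(0x([0-9a-fA-F]+)\)")

# Constructed sample output for a read of fuse word 0x60 (assumed layout:
# word 1 = byte count, word 2 = fuse value); not captured from a device.
SAMPLE = """Response status = 0 (0x0) Success.
Response word 1 = 4 (0x4)
Response word 2 = 9437189 (0x900005)
"""

def response_words(blhost_text):
    """Return the response words in order; refuse output that is not a success."""
    status = re.search(r"Response status = (\d+)", blhost_text)
    if status is None or int(status.group(1)) != 0:
        raise ValueError("blhost did not report success")
    found = {int(n): int(h, 16) for n, h in WORD_RE.findall(blhost_text)}
    return [found[k] for k in sorted(found)]

def field(word, hi, lo):
    """Extract bits hi:lo (inclusive) from a 32-bit fuse word."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)

def decode_boot_cfg0(word):
    """Raw value of each named field; no meaning is attached to the values."""
    return {name: field(word, hi, lo) for name, (hi, lo) in FIELDS.items()}

def mismatched_fields(readback, intended):
    """Names of fields whose read-back value differs from the intended word."""
    got, want = decode_boot_cfg0(readback), decode_boot_cfg0(intended)
    return [name for name in FIELDS if got[name] != want[name]]

if __name__ == "__main__":
    fuse = response_words(SAMPLE)[-1]   # assumption: last word is the value
    intended = 0x00900005               # value burned by the batch file above
    for name, value in decode_boot_cfg0(fuse).items():
        print(f"{name} = 0b{value:02b}")
    bad = mismatched_fields(fuse, intended)
    print("fields differ:" if bad else "fields match intended value", *bad)
```
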