帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Why SRK in eFuse OTP not works?

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决
跳至解决方案

Why SRK in eFuse OTP not works?

跳至解决方案
‎11-16-2020 09:39 PM
1,963 次查看
dlliweihua
Contributor III

Hello, NXP experts,

I'm implementing AHBA secure boot on i.MX8DXP and using CST tools(cst-3.3.1) to sign image.

I burned SRK into the fuse OTP, row index from 730 to 745.

According to my understanding, if the used SRK to sign image does not match the SRK in the SRK fuse, the startup verification will fail, but now  the image can still boot normally.

Is it my understanding wrong or is there something missing?

Thanks.

Best Regards,

liweihua

0 项奖励
回复
1 解答

跳至解决方案
‎11-17-2020 02:00 AM
1,933 次查看
Yuri
NXP Employee
NXP Employee

@dlliweihua
Hi,
  
    when device is not  closed, AHAB verifies the image, but, in case of errors,
it allows further code running. Of course  such boot is not safe.

  To review possible events:  power on the board, and run the following command
on the SCFW terminal:

>$ seco events

在原帖中查看解决方案

回复
4 回复数

跳至解决方案
‎11-17-2020 02:04 AM
1,931 次查看
dlliweihua
Contributor III

@Yuri 

Thanks a lot!

That's ok!

 

0 项奖励
回复

跳至解决方案
‎11-16-2020 10:34 PM
1,955 次查看
Yuri
NXP Employee
NXP Employee

@dlliweihua 
Hello,

  If i.MX8 is not closed, only (SECO) events are generated if an error takes place.
Image execution is not prevented.

Verify SECO events
-------------------------

If the fuses have been written properly, there should be no SECO events after
boot. To validate this, power on the board, and run the following command on
the SCFW terminal:

  >$ seco events

 

After the device successfully boots a signed image without generating any
SECO security events, it is safe to close the device.

 

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/ahab/guides/mx8_mx8x_secure_boot.t...

 

Regards,
Yuri.

回复

跳至解决方案
‎11-16-2020 11:19 PM
1,951 次查看
dlliweihua
Contributor III

@Yuri 

Hi,

Thanks for your rapid reply.

Do you mean when device is not OEM closed,

if the SRK used to sign boot image is different from the one in fuse OTP,

the device can still booted but the boot is not safe?

My boot loader is ipl, then how to verify seco event?

Best Regards,

liweihua

0 项奖励
回复

跳至解决方案
‎11-17-2020 02:00 AM
1,934 次查看
Yuri
NXP Employee
NXP Employee

@dlliweihua
Hi,
  
    when device is not  closed, AHAB verifies the image, but, in case of errors,
it allows further code running. Of course  such boot is not safe.

  To review possible events:  power on the board, and run the following command
on the SCFW terminal:

>$ seco events

回复