FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Why SRK in eFuse OTP not works?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

Why SRK in eFuse OTP not works?

Jump to solution
‎11-16-2020 09:39 PM
892 Views
dlliweihua
Contributor III

Hello, NXP experts,

I'm implementing AHBA secure boot on i.MX8DXP and using CST tools(cst-3.3.1) to sign image.

I burned SRK into the fuse OTP, row index from 730 to 745.

According to my understanding, if the used SRK to sign image does not match the SRK in the SRK fuse, the startup verification will fail, but now  the image can still boot normally.

Is it my understanding wrong or is there something missing?

Thanks.

Best Regards,

liweihua

0 Kudos
Reply
1 Solution

Jump to solution
‎11-17-2020 02:00 AM
862 Views
Yuri
NXP Employee
NXP Employee

@dlliweihua
Hi,
  
    when device is not  closed, AHAB verifies the image, but, in case of errors,
it allows further code running. Of course  such boot is not safe.

  To review possible events:  power on the board, and run the following command
on the SCFW terminal:

>$ seco events

View solution in original post

Reply
4 Replies

Jump to solution
‎11-17-2020 02:04 AM
860 Views
dlliweihua
Contributor III

@Yuri 

Thanks a lot!

That's ok!

 

0 Kudos
Reply

Jump to solution
‎11-16-2020 10:34 PM
884 Views
Yuri
NXP Employee
NXP Employee

@dlliweihua 
Hello,

  If i.MX8 is not closed, only (SECO) events are generated if an error takes place.
Image execution is not prevented.

Verify SECO events
-------------------------

If the fuses have been written properly, there should be no SECO events after
boot. To validate this, power on the board, and run the following command on
the SCFW terminal:

  >$ seco events

 

After the device successfully boots a signed image without generating any
SECO security events, it is safe to close the device.

 

https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/ahab/guides/mx8_mx8x_secure_boot.t...

 

Regards,
Yuri.

Reply

Jump to solution
‎11-16-2020 11:19 PM
880 Views
dlliweihua
Contributor III

@Yuri 

Hi,

Thanks for your rapid reply.

Do you mean when device is not OEM closed,

if the SRK used to sign boot image is different from the one in fuse OTP,

the device can still booted but the boot is not safe?

My boot loader is ipl, then how to verify seco event?

Best Regards,

liweihua

0 Kudos
Reply

Jump to solution
‎11-17-2020 02:00 AM
863 Views
Yuri
NXP Employee
NXP Employee

@dlliweihua
Hi,
  
    when device is not  closed, AHAB verifies the image, but, in case of errors,
it allows further code running. Of course  such boot is not safe.

  To review possible events:  power on the board, and run the following command
on the SCFW terminal:

>$ seco events

Reply