i.MX 8M Secure Boot Procedure and OTP customization

ashoksowndar · ‎01-23-2020

Hi Experts,

I am currently working in i.MX 8M based SOM and built a BSP for the same using Yocto Project. Now I want to add Secure Booting feature but most of the documents are confusing and misleading. Please provide step by step procedure or document to enable Secure Boot feature in both SOM and U-Boot.

And also in one forum I have read that certificates in SOM are stored in One Time Programmable (OTP) memory location of SOM. If its the case, it will not be helpful for my requirement because, in the development stage I may have to change the certificates multiple times. Is there any way that certificates in SOM can be flashed multiple time.

Thanks and Regards,

Ashok

Yuri · ‎01-26-2020

Hello,

The base documents regarding HAB4 and i.MX8M secure boot are as following:

App Note “Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7Series using HABv4 (AN4581)”

in general is applied for i.MX 8M too.

< https://www.nxp.com/files-static/32bit/doc/app_note/AN4581.pdf >

“Security Reference Manual for i.MX 8M Dual/8M QuadLite/8M Quad”

< https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=IMX8MDQLQSRM&appType=moderated >

U-boot documentation.

< https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/introduction_habv4.txt?h=imx... >

Note, under HAB4 only the SRK hash is burned to fuses. The keys (include CSF and IMG keys, which are used to validate their respective data) are provided via CSF. So, it is possible to use different keys with different images, assuming, that

all keys are signed by SRK.

Have a great day,

Yuri.

-------------------------------------------------------------------------------

Note:

- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored

Please open a new thread and refer to the closed one, if you have a related question at a later point in time.

View solution in original post

Yuri · ‎01-26-2020

Hello,

The base documents regarding HAB4 and i.MX8M secure boot are as following:

App Note “Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7Series using HABv4 (AN4581)”

in general is applied for i.MX 8M too.

< https://www.nxp.com/files-static/32bit/doc/app_note/AN4581.pdf >

“Security Reference Manual for i.MX 8M Dual/8M QuadLite/8M Quad”

< https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=IMX8MDQLQSRM&appType=moderated >

U-boot documentation.

< https://source.codeaurora.org/external/imx/uboot-imx/tree/doc/imx/habv4/introduction_habv4.txt?h=imx... >

Note, under HAB4 only the SRK hash is burned to fuses. The keys (include CSF and IMG keys, which are used to validate their respective data) are provided via CSF. So, it is possible to use different keys with different images, assuming, that

all keys are signed by SRK.

Have a great day,

Yuri.

-------------------------------------------------------------------------------

Note:

- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored

Please open a new thread and refer to the closed one, if you have a related question at a later point in time.

i.MX 8M Secure Boot Procedure and OTP customization

i.MX 8M Secure Boot Procedure and OTP customization

i.MX 8M | i.MX 8M Mini | i.MX 8M Nano

Linux

Security

Yocto Project