FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

i.MX Security Reference Design Clarification Questions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

i.MX Security Reference Design Clarification Questions

Jump to solution
3 weeks ago
1,199 Views
moose
Contributor IV

Hello,

We implemented the security reference design described in section 10.9 of i.MX Linux User's Guide. Our custom board is based on the imx8mn_evk machine, and the image complies and boots successfully. However, we have questions based on the security-related messages we see during boot (see attached screenshot):

  1. Does "No HAB Events Found!" message mean a successful image authentication?
  2. Does the meta-secure-boot layer automatically program the SRK tabe hash fuse, or do we need to do this ourselves?
  3. We think we have to program the SRK hash fuse ourselves, but if that is the case, how come we got a successful authentication (assuming "No HAB Events Found!" means successful authentication)?
  4. We tried to read the SRK hash fuse (fuse 0x580 [256 bits]) to verify, but we always read zeros using uboot `fuse read` command. Is there a way to read this fuse?

Thank you,

Preview file
58 KB
0 Kudos
Reply
1 Solution

Jump to solution
2 weeks ago
270 Views
moose
Contributor IV

After some troubleshooting, the answers are summarized below:

  1. Yes
  2. No
  3. Because HAB 4.1.2 and higher only perform a hash check if SRK keys are not zeros. In this case, the SRK fuse was not programmed, defaulting to zero and, therefore, bypassing the hash check. This is only supported by the table posted below from @Harvey021. I can't find it in AN4581, but it matches what we are experiencing. @Harvey021, could you post the source of that table?
  4. A reset is required to read the fuse; otherwise, it reads zero.

The combination of 3 and 4 made us doubt if we had a proper image before closing the device. We really wanted to see an intentional authentication failure. The only way to do this is to program the fuse and then generate an image with a different SRK table. Then, you will get the authentication failure messages as shown below.

moose_0-1713452190205.png

 

 

View solution in original post

0 Kudos
Reply
8 Replies

Jump to solution
3 weeks ago
1,149 Views
Harvey021
NXP TechSupport
NXP TechSupport

Hi, 

HAB (some versions and open device) won't compare SRK table against fuses when fuses are 0's. That is correct, we have to burn SRK hash. 

Without burning SRK hash, we will not get complete authentication. I think that the reference from Linux User guide mainly focus on the image signing with automation with Yocto build.

 

Regards

Harvey

0 Kudos
Reply

Jump to solution
3 weeks ago
1,136 Views
moose
Contributor IV

This response confirms that the meta-secure-boot layer provided in the security reference design dose not program the SRK fuse and we would have to do it ourselves. Based on this clarification how come we are passing authentication when the fuse is all zero?

The statement “HAB (some versions and open device) won't compare SRK table against fuses when fuses are 0's.” does not agree with the statement “All HAB functions are executed as for a closed device.” mentioned in section 6.1.2.5 in imx8mn reference manual. Can you clarify?

No answers were given to questions 1 and 4. Could you please provide answers. 

thank you.

0 Kudos
Reply

Jump to solution
2 weeks ago
1,084 Views
Harvey021
NXP TechSupport
NXP TechSupport

Q1, correct. 

Q4, zeros means that there are no fuses hash burned.

 

Regards

Harvey

0 Kudos
Reply

Jump to solution
2 weeks ago
1,082 Views
moose
Contributor IV

Please answer, "Based on this clarification, how come we are passing authentication when the fuse is all zero?"

Also, we attempted to program the fuse using uboot fuse commands, but we are still reading zeros.

0 Kudos
Reply

Jump to solution
2 weeks ago
1,054 Views
Harvey021
NXP TechSupport
NXP TechSupport

Please refer to the AN4581.

Harvey021_1-1713311792096.png

 

Regards

Harvey

0 Kudos
Reply

Jump to solution
2 weeks ago
998 Views
moose
Contributor IV

@Harvey021, where did you get the table you copied (5.5.1)? This was not included in AN4581.We are familiar with AN4581, but it does not provide answers to our issue.

Have you attempted secure boot on imx8mn EVK? Were you able to read back the SRK fuse after programming, or did you get zeros as well? 

0 Kudos
Reply

Jump to solution
2 weeks ago
953 Views
Harvey021
NXP TechSupport
NXP TechSupport

AN4581:

i.MX Secure Boot on HABv4 Supported Devices (nxp.com)

Or search "AN4581" from nxp.com

 

Have you reset the board before read it?  Please share more details about how you program SRK fuse hashs.

 

Regards

Harvey

0 Kudos
Reply

Jump to solution
2 weeks ago
271 Views
moose
Contributor IV

After some troubleshooting, the answers are summarized below:

  1. Yes
  2. No
  3. Because HAB 4.1.2 and higher only perform a hash check if SRK keys are not zeros. In this case, the SRK fuse was not programmed, defaulting to zero and, therefore, bypassing the hash check. This is only supported by the table posted below from @Harvey021. I can't find it in AN4581, but it matches what we are experiencing. @Harvey021, could you post the source of that table?
  4. A reset is required to read the fuse; otherwise, it reads zero.

The combination of 3 and 4 made us doubt if we had a proper image before closing the device. We really wanted to see an intentional authentication failure. The only way to do this is to program the fuse and then generate an image with a different SRK table. Then, you will get the authentication failure messages as shown below.

moose_0-1713452190205.png

 

 

0 Kudos
Reply