i.MX Security Reference Design Clarification Questions

moose
Contributor IV

Hello,

We implemented the security reference design described in section 10.9 of i.MX Linux User's Guide. Our custom board is based on the imx8mn_evk machine, and the image compiles and boots successfully. However, we have questions based on the security-related messages we see during boot (see attached screenshot):

  1. Does the "No HAB Events Found!" message mean a successful image authentication?
  2. Does the meta-secure-boot layer automatically program the SRK table hash fuse, or do we need to do this ourselves?
  3. We think we have to program the SRK hash fuse ourselves, but if that is the case, how come we got a successful authentication (assuming "No HAB Events Found!" means successful authentication)?
  4. We tried to read the SRK hash fuse (fuse 0x580 [256 bits]) to verify, but we always read zeros using the uboot `fuse read` command. Is there a way to read this fuse?

Thank you,

moose
Contributor IV

After some troubleshooting, the answers are summarized below:

  1. Yes
  2. No
  3. Because HAB 4.1.2 and higher only perform a hash check if SRK keys are not zeros. In this case, the SRK fuse was not programmed, defaulting to zero and, therefore, bypassing the hash check. This is only supported by the table posted below from @Harvey021. I can't find it in AN4581, but it matches what we are experiencing. @Harvey021, could you post the source of that table?
  4. A reset is required to read the fuse; otherwise, it reads zero.

The combination of 3 and 4 made us doubt if we had a proper image before closing the device. We really wanted to see an intentional authentication failure. The only way to do this is to program the fuse and then generate an image with a different SRK table. Then, you will get the authentication failure messages as shown below.

moose_0-1713452190205.png
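
Answers 3 and 4 above, as an added example (not code from the thread or from NXP): a Python check over a captured U-Boot console log that treats "No HAB Events Found!" as meaningful only when all 256 bits of the SRK hash fuses read back non-zero after a reset. The sample log is constructed, and the `fuse read` bank/word arguments and the verdict names are assumptions.

```python
import re

# Constructed U-Boot capture (not from the thread). The bank/word arguments
# to `fuse read` are assumptions; use the SRK hash fuse locations for your SoC.
SAMPLE_UNFUSED = """\
u-boot=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

u-boot=> fuse read 6 0 4
Reading bank 6:

Word 0x00000000: 00000000 00000000 00000000 00000000
u-boot=> fuse read 7 0 4
Reading bank 7:

Word 0x00000000: 00000000 00000000 00000000 00000000
"""

WORD_LINE = re.compile(r"^Word 0x[0-9a-fA-F]{8}:((?: [0-9a-fA-F]{8})+)[ \t]*$", re.M)
SRK_HASH_WORDS = 8  # 256-bit SRK hash = 8 x 32-bit fuse words


def srk_words(log):
    """Collect every 32-bit value printed by `fuse read` in the capture."""
    words = []
    for match in WORD_LINE.finditer(log):
        words += [int(w, 16) for w in match.group(1).split()]
    return words


def assess(log, reset_since_programming):
    """Classify a capture; verdict names are hypothetical labels for this example."""
    if "No HAB Events Found!" not in log:
        return "EVENTS_OR_NO_STATUS"   # HAB events present, or hab_status not captured
    words = srk_words(log)
    if len(words) != SRK_HASH_WORDS:
        return "UNKNOWN"               # readback does not cover all 256 bits
    if any(words):
        return "ANCHORED"              # clean HAB log with SRK hash fuses programmed
    if not reset_since_programming:
        return "REREAD_AFTER_RESET"    # zeros may be stale until the board is reset
    return "NOT_ANCHORED"              # fuses blank: SRK table not checked against fuses


if __name__ == "__main__":
    print(assess(SAMPLE_UNFUSED, reset_since_programming=True))
```
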

 

 

Harvey021
NXP TechSupport

Hi, 

HAB (some versions and open device) won't compare SRK table against fuses when fuses are 0's. That is correct, we have to burn SRK hash. 

Without burning the SRK hash, we will not get complete authentication. I think that the reference from the Linux User Guide mainly focuses on image signing with automation with the Yocto build.

 

Regards

Harvey

moose
Contributor IV

This response confirms that the meta-secure-boot layer provided in the security reference design does not program the SRK fuse and we would have to do it ourselves. Based on this clarification, how come we are passing authentication when the fuse is all zero?

The statement “HAB (some versions and open device) won't compare SRK table against fuses when fuses are 0's.” does not agree with the statement “All HAB functions are executed as for a closed device.” mentioned in section 6.1.2.5 in imx8mn reference manual. Can you clarify?

No answers were given to questions 1 and 4. Could you please provide answers?

Thank you.

Harvey021
NXP TechSupport

Q1, correct. 

Q4, zeros mean that no fuse hash has been burned.

 

Regards

Harvey

moose
Contributor IV

Please answer, "Based on this clarification, how come we are passing authentication when the fuse is all zero?"

Also, we attempted to program the fuse using uboot fuse commands, but we are still reading zeros.

Harvey021
NXP TechSupport

Please refer to the AN4581.

Harvey021_1-1713311792096.png

 

Regards

Harvey

moose
Contributor IV

@Harvey021, where did you get the table you copied (5.5.1)? This was not included in AN4581. We are familiar with AN4581, but it does not provide answers to our issue.

Have you attempted secure boot on imx8mn EVK? Were you able to read back the SRK fuse after programming, or did you get zeros as well? 

Harvey021
NXP TechSupport

AN4581:

i.MX Secure Boot on HABv4 Supported Devices (nxp.com)

Or search "AN4581" from nxp.com

 

Have you reset the board before reading it? Please share more details about how you program the SRK fuse hashes.

 

Regards

Harvey
