- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- i.MX6 HAB secure boot fuse problem
i.MX6 HAB secure boot fuse problem
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
i.MX6 HAB secure boot fuse problem
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to finalize setting up secure boot on our custom board with i.MX6.
I have generated certificates with hab4_pki_tree.sh and built a signed U-boot. Attached the CSF source.
Programmed the SRK hash fuses from U-boot, hab_status returned "No HAB events".
Tried to modify a single byte in the U-boot image, hab_status returned events (failure).
Reverted to good U-boot image, and closed the configuration (burn SEC_CONFIG[1] fuse):
=> fuse prog 0 6 0x02
Then I tried to reset, and board does not boot now.
And just to ensure the signed U-boot has the CSF pointer set:
$ dd if=./u-boot_csf.imx bs=4 count=12 2>/dev/null | hexdump -v -e '/4 "%04_ax: "' -e '/4 "%08X" "\n"'
0000: 402000D1
0004: 17800000
0008: 00000000
000c: 177FF42C
0010: 177FF420
0014: 177FF400
0018: 1784F000
001c: 00000000
0020: 177FF000
0024: 00052000
0028: 00000000
002c: 401003D2
This is the second board i "brick", the first one I burned a lot of different fuses regarding disabling JTAG etc. at the same time, so I was not sure what caused the board not to boot. I write "brick" in quotes because I hope by making a new signed U-boot I will be able to resurrect the boards. However, since U-boot is in SPI flash, I need to use a programmer to change U-boot, so not as easy as changing an SD-card.
I welcome any suggestions for how to proceed.
Best regards,
Mikkel Holm Olsen
Original Attachment has been moved to: u-boot.csf.zip
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
First, please check carefully if all actions for HAB boot are implemented
in Your case, using documentation in the following thread
https://community.freescale.com/servlet/JiveServlet/download/325535-1-259256/secure_boot_on_imx6.pdf
HAB on Nitrogen_6X IMX6Q board
In particular - if SRK fuses are burned correctly.
Also, You may try to load the signed U-boot (in order to check fuses, environment) via
the MFG. Please take a look at Appendix E (Freescale manufacturing tool) of the recent
release of app note AN4581 (Secure Boot on i.MX50, i.MX53, and i.MX 6 Series using HABv4).
https://cache.freescale.com/files/32bit/doc/app_note/AN4581.pdf
Have a great day,
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yuri,
Yes, I have been very thorough regarding the SRK fuses, ensuring the correct byte order. Also, after burning the SRK fuses, before closing configuration, I get no HAB events when using signed U-boot. Modifying a single byte in U-boot image created HAB events. Then reverted back to good U-boot (checked no HAB events), before closing the configuration.
On a third board I made a new attempt, this time with 2048-bit certificates, and following the exact same procedure I was able to make it work.
Are there any reports of HAB4 on i.MX6 not working correctly with 4096-bit certificates? Is there anything I could change in my CSF, that would make this work (maybe the "Engine = Any")?
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Key length in bits for PKI tree of 4096 is supported.
Engine = CAAM
Regards,
Yuri.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi YuriMuhin_ng,
Thanks, it does fix the issue, but this information should appear in the documentation! Nowhere is written that you can have a different behavior between close and open configuration. Also there's no mention of a different Engine parameter when using 4096 key.
I consider it a bug that there's no HAB event reported when open and the close configuration fails.
Regards,
Gary
