- NXP Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- Vigiles
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- i.MX7 secure boot UUU upgrade
i.MX7 secure boot UUU upgrade
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have succesfully compiled u-boot for our custom board, which is using i.MX7D rev1.3. I can flash it correctly using UUU tool and everything is working correctly, including upgrades.
Now, I need to enable secure boot, so I have signed u-boot using cst and burned SRK_HASH fuses to the device. Device is closed (SEC_CONFIG[1] fuse is burned).
When I flash signed u-boot binary (u-boot.imx.secured) to the device and restart board, I get no HAB events and device boots correctly:
Secure boot enabled
HAB Configuration: 0xcc, HAB State: 0x99
No HAB Events Found!
But when I try to reflash it using same image, UUU just hangs and board does nothing:
H:\Work\1.4.72>uuu -b emmc u-boot.imx.secured
uuu (Universal Update Utility) for nxp imx chips -- libuuu_1.4.72-0-g8e9e189
Success 0 Failure 0
2:1 1/ 1 [=================100%=================] SDP: boot -f u-boot.imx.secured
I tried the same on other non closed board, so I can repeat the process and when I try to reflash it, it works, but hab_status returns HAB event, when run it in u-boot loaded from UUU:
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x00 0x91 0x10 0x00
0x00 0x00 0x01 0xbc
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
So I suppose, that event causes secured board to not accept u-boot loaded from UUU.
Do I need to somehow sign u-boot specially for upgrading of secured boards? I found, that for older i.MX6 chips, there must be some DCD address in header modification, but looks like it should not be problem for newer chips, including i.MX7D.
Thanks in advance!
Michal Špánik
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Igor,
I have read that article before, but it implies, that i.MX7 processor shouldnt need DCD modification. However HAB event displayed on non secured processor implies, that problem is with address 0x00 0x91 0x10 0x00. When I look into my u-boot.imx.log, I see
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 499808 Bytes = 488.09 KiB = 0.48 MiB
Load Address: 877ff420
Entry Point: 87800000
HAB Blocks: 0x877ff400 0x00000000 0x00077c00
DCD Blocks: 0x0000002c 0x00910000 0x000001bcSo that HAB event address indeed is DCD block address! I tried to run their script, but it takes wrong DCD address directly from binary. When I override it manually from 0x877ff000 to 0x00910000 (it is hardcoded in u-boot from CONFIG_IMX_DCD_ADDR variable), u-boot works from UUU, when loaded with custom script, as described in article.
If anyone in future needs the same thing, scripts are attached.
UUU command to run the script:
uuu -brun emmcSecured.txt <signed u-boot file with DCD modified> <DCD address> <signed u-boot to be flashed to emmc with normal DCD>
Thansks for your help!
Michal Špánik
igorpadykov
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Michal
for uuu programming secure images one can look at sect.How to sign an SPL image for SDP (II)
https://docs.foundries.io/76/reference-manual/security/secure-boot-imx.html
Best regards
igor
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Igor,
I have read that article before, but it implies, that i.MX7 processor shouldnt need DCD modification. However HAB event displayed on non secured processor implies, that problem is with address 0x00 0x91 0x10 0x00. When I look into my u-boot.imx.log, I see
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 499808 Bytes = 488.09 KiB = 0.48 MiB
Load Address: 877ff420
Entry Point: 87800000
HAB Blocks: 0x877ff400 0x00000000 0x00077c00
DCD Blocks: 0x0000002c 0x00910000 0x000001bcSo that HAB event address indeed is DCD block address! I tried to run their script, but it takes wrong DCD address directly from binary. When I override it manually from 0x877ff000 to 0x00910000 (it is hardcoded in u-boot from CONFIG_IMX_DCD_ADDR variable), u-boot works from UUU, when loaded with custom script, as described in article.
If anyone in future needs the same thing, scripts are attached.
UUU command to run the script:
uuu -brun emmcSecured.txt <signed u-boot file with DCD modified> <DCD address> <signed u-boot to be flashed to emmc with normal DCD>
Thansks for your help!
Michal Špánik
