i.MX7D NAND secure boot


1,626 Views
jordan_chen
Contributor II

Hi Yuri,

Thanks for this link.

Do you know whether secure boot is supported on NAND flash too?

Our FAE downloaded the same BSP (L4.9.11_1.0.0) without any patch and just enabled the SECURE_BOOT flag as mentioned in AN4581.pdf; it can boot up from SD card or SPI flash no matter whether this boot image is signed or not.

PS. Our EVK is an open device (we don't blow the fuse to close it).

But it fails to boot up from flash (SECURE_BOOT is enabled and UBOOT_CONFIG = "nand") no matter whether this boot image is signed or not. (This EVK is reworked to boot from NAND flash. It can boot up if SECURE_BOOT is disabled.)

Do you have any advice for this symptom or is there any patch for this issue?

Regards,

Jordan

0 Kudos
8 Replies

1,384 Views
igor_opaniuk
Contributor I

Finally, why it's happening and the fix are here (check the reply from Breno Matheus Lima from NXP):

[PATCH v1] colibri_imx7: disable HAB and CAAM support 

0 Kudos

1,384 Views
igor_opaniuk
Contributor I

Hi Yuri Muhin,

I.MX7 NAND boot (both secure and usual) is supported.

Is it possible to cross check this by someone from NXP (just to confirm that U-boot boots from NAND built with CONFIG_IMX_HAB=y)?
Both mainline and downstream U-boot (from NXP) are acting the same on iMX7D + NAND based setups:
If the CSF region is embedded (when CONFIG_IMX_HAB=y) into the final U-boot imx binary, BootROM never boots it and goes to recovery mode. When the `CSF` CMD is removed from imximage.cfg before creating the final U-boot binary, the image starts booting.

There is already a discussion about this in the U-boot ML, but without any final conclusion: U-Boot - nxp: HABv4 secure boot on iMX7 NAND broken


Thanks

0 Kudos
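The post above turns on whether the final imx binary carries a CSF reference. The following is an added example (not code from this thread, NXP or U-Boot) that decodes the HABv4 IVT and boot data of such a binary and reports whether the CSF pointer is set and whether it lies inside the region declared in boot data. It assumes the IVT is at the given file offset (0 by default), and the sample image and all addresses in it are constructed.

```python
import struct

IVT_TAG, IVT_LEN = 0xD1, 0x20   # HAB tag and byte length of an Image Vector Table
FIELDS = ("entry", "reserved1", "dcd", "boot_data", "self", "csf", "reserved2")

def parse_ivt(image: bytes, ivt_offset: int = 0) -> dict:
    """Decode the IVT and boot data at ivt_offset of an i.MX boot image."""
    if len(image) < ivt_offset + IVT_LEN:
        raise ValueError("image too short for an IVT")
    # Header: tag (1 byte), length (2 bytes, big-endian), version (1 byte).
    tag, length, version = struct.unpack_from(">BHB", image, ivt_offset)
    if tag != IVT_TAG or length != IVT_LEN or version >> 4 != 0x4:
        raise ValueError("no HABv4 IVT at offset %#x" % ivt_offset)
    ivt = dict(zip(FIELDS, struct.unpack_from("<7I", image, ivt_offset + 4)))
    # IVT pointers are absolute load addresses; 'self' maps them to file offsets.
    bd_off = ivt_offset + ivt["boot_data"] - ivt["self"]
    if not 0 <= bd_off <= len(image) - 12:
        raise ValueError("boot data pointer falls outside the file")
    start, size, plugin = struct.unpack_from("<3I", image, bd_off)
    ivt.update(load_start=start, load_size=size, plugin=plugin)
    return ivt

def csf_status(ivt: dict) -> str:
    """Classify the CSF pointer against the region declared in boot data."""
    if ivt["csf"] == 0:
        return "absent"       # no CSF referenced by the IVT
    end = ivt["load_start"] + ivt["load_size"]
    return "inside" if ivt["load_start"] <= ivt["csf"] < end else "outside"

def build_sample(csf_addr: int, load_size: int) -> bytes:
    """Constructed 44-byte IVT + boot data; all addresses are made-up sample values."""
    self_addr, start = 0x877FF400, 0x877FF000
    hdr = struct.pack(">BHB", IVT_TAG, IVT_LEN, 0x40)
    ivt = struct.pack("<7I", 0x87800000, 0, 0, self_addr + 0x20, self_addr, csf_addr, 0)
    return hdr + ivt + struct.pack("<3I", start, load_size, 0)

if __name__ == "__main__":
    for csf, size in ((0, 0x50000), (0x8784F000, 0x52000), (0x8784F000, 0x50000)):
        ivt = parse_ivt(build_sample(csf, size))
        print("csf=%#010x load=%#x+%#x -> %s"
              % (ivt["csf"], ivt["load_start"], ivt["load_size"], csf_status(ivt)))
```

To inspect a real build, pass the bytes of the imx file to `parse_ivt` instead of the constructed sample.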

1,384 Views
Yuri
NXP Employee

Hello,

What is the exact part number of the i.MX7?

In particular, the following erratum may take place: 

e11166: OCRAM: The first 4K of OCRAM (0x910000 - 0x910fff) is not available during boot time 

Regards,

Yuri.

0 Kudos

1,384 Views
igor_opaniuk
Contributor I

Hi Yuri,

What is exact part number of the i.MX7?

MCIMX7D5EVM10SD

In particular, the following erratum may take place: 

e11166: OCRAM: The first 4K of OCRAM (0x910000 - 0x910fff) is not available during boot time 

There was a reply in ML from Breno Matheus Lima from NXP, who has been working on this (in https://community.nxp.com/external-link.jspa?url=http%3A%2F%2Fu-boot.10912.n7.nabble.com%2Fnxp-HABv4...  thread), that:

When booting from NAND the DCD table is not loaded in OCRAM so that
shouldn't be a problem. The DCD is loaded in OCRAM when booting via
USB OTG using the serial download protocol, you can have more details
in link below:

https://github.com/NXPmicro/mfgtools/wiki/UUU-default-support-protocol-list#habv4-closed-chip-suppor...

Thanks

0 Kudos

1,384 Views
igor_opaniuk
Contributor I

Hi Jordan jordan_chen@sercomm.com,

So have you finally managed to get it working?

I'm currently playing on iMX7D NAND with mainline U-boot (U-Boot 2019.10-rc2) with CONFIG_SECURE_BOOT=y and facing the same issue, although it's working when I try to boot it from eMMC (also CONFIG_SECURE_BOOT=y).

SRK values aren't fused and obviously the device isn't "closed", and I haven't concatenated CSF to the U-boot image (although booting from eMMC works without any issues).
After going through all the details of the AN4581 doc I understood that BootROM should also boot the U-boot image even if the image isn't properly signed, if SRK isn't fused and the device is in open state.

After disabling CONFIG_SECURE_BOOT (or even just removing CSF command from imximage.cfg) the image boots.

Any ideas?

Thanks

0 Kudos

1,384 Views
jordan_chen
Contributor II

Hi Igor,

It's not workable for me either. But you can refer to the following link for iMX7D NAND Secure Boot. Maybe you have to take care of the image start address which is mentioned in the "NOTE" of F.1. "Signing code downloadable with the manufacturing tool" in AN4581 if your device is Rev D.

 iMX7D Plugin mode HAB (High Assurance Boot) 

Regards,

Jordan

0 Kudos

1,384 Views
Yuri
NXP Employee

Hello,

   Please look at my comments below.

 I.MX7 NAND boot (both secure and usual) is supported.

Note, in open mode any image (signed or unsigned) can be executed.

In closed mode only signed images will be executed.


Have a great day,
Yuri


0 Kudos