- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Re: i.MX7D NAND secure boot
i.MX7D NAND secure boot
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
i.MX7D NAND secure boot
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yuri,
Thanks for this link.
Do you know whether secure boot supports on NAND flash too?
Our FAE donwload the same BSP (L4.9.11_1.0.0) without any patch and just enabled SECURE_BOOT flag as mentioned in AN4581.pdf, it can boot up from SD card or SPI flash no matter this boot image is signed or not.
PS. our EVK is a open device (We don't blow fuse to close it.)
But it's failed to boot up from flash (SECURE_BOOT is enabled and UBOOT_CONFIG = "nand") no matter this boot image is signed or not. (This EVK is reworked to boot from NAND flash. It can boot up if SECURE_BOOT is disabled.)
Do you have any advice for this symptom or is there any patch for this issue?
Regards,
Jordan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Finally, why it's hapenning and the fix is here (check the reply from Breno Matheus Lima from NXP):
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Yuri Muhin
> I.MX7 NAND boot (both secure and usual) is supported.
Is it possible to cross check this by someone from NXP (just to confirm that U-boot boots from NAND built with CONFIG_IMX_HAB=y)?
Both mainline and downstream U-boot (from NXP) are acting in the same on iMX7D + NAND based setups:
If CSF region is embedded (when CONFIG_IMX_HAB=y ) into the final U-boot imx binary, BootROM never boots it and goes to recovery mode. When `CSF` CMD is removed from imximage.cfg before creating final U-boot binary, the image starts booting.
There is already discussion about this in U-boot ML, but without any final conclusion U-Boot - nxp: HABv4 secure boot on iMX7 NAND broken
Thanks
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
What is exact part number of the i.MX7?
In particular, the following erratum may take place:
e11166: OCRAM: The first 4K of OCRAM (0x910000 - 0x910fff) is not available during boot time
Regards,
Yuri.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yuri,
What is exact part number of the i.MX7?
MCIMX7D5EVM10SD
In particular, the following erratum may take place:
e11166: OCRAM: The first 4K of OCRAM (0x910000 - 0x910fff) is not available during boot time
There was a reply in ML from Breno Matheus Lima from NXP, who has been working on this (in https://community.nxp.com/external-link.jspa?url=http%3A%2F%2Fu-boot.10912.n7.nabble.com%2Fnxp-HABv4... thread), that:
When booting from NAND the DCD table is not loaded in OCRAM so that
shouldn't be a problem. The DCD is loaded in OCRAM when booting via
USB OTG using the serial download protocol, you can have more details
in link below:
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jordan jordan_chen@sercomm.com,
So have you finally managed to get it working?
I'm currently playing on iMX7D NAND with mainline U-boot (U-Boot 2019.10-rc2) with CONFIG_SECURE_BOOT=y and facing the same issue, althought it's working when I try to boot it from eMMC (also CONFIG_SECURE_BOOT=y).
SRK values aren't fused and obviously the device isn't "closed", and I haven't concatenated CSF to the U-boot image (althought booting from eMMC works without any issues).
After going throught all details AN4581 doc I understood that BootROM should also boot U-boot image even if the image isn't properly signed if SRK isn't fused and device is in open state.
After disabling CONFIG_SECURE_BOOT (or even just removing CSF command from imximage.cfg) the image boots.
Any ideas?
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Igor,
It's not workable for me too. But you can refer to following link for iMX7D NAND Secure Boot. Maybe you have to take care for the image start address which mentioned in "NOTE" of F.1. "Signing code downloadable with the manufacturing tool" in AN4581 if your device is Rev D.
iMX7D Plugin mode HAB (High Assurance Boot)
Regards,
Jordan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check this thread: https://lists.denx.de/pipermail/u-boot/2019-December/394443.html
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Please look at my comments below.
I.MX7 NAND boot (both secure and usual) is supported.
Note, in open mode any image (signed or unsigned) can be executed.
In close mode only signed images will executed.
Have a great day,
Yuri
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
