ヘルプ
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

i.MX8MQ EVK: Secure boot with rollback prevention

キャンセル
提案をオンにする
自動提案では、入力時に可能な一致が提案されるので検索結果を素早く絞り込むことができます。
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

i.MX8MQ EVK: Secure boot with rollback prevention

‎06-29-2020 02:35 AM
2,709件の閲覧回数
goescy
Contributor II

Hi all

I have an i.MX8MQ EVK with an extended secure boot all the way up to a custom uImage. Now I want to add a rollback prevention mechanism for our custom uImage. For this, I currently assume the proper location to be in u-boot after our uImage was authenticated. I assume that our rollback prevention mechanism will have to work against the SNVS Secure Monotonic Counter registers. My questions are now as follows:

  1. Where within u-boot is the proper place for this rollback prevention mechanism to be implemented?
  2. Does someone have some sample code on how to access the SNVS Secure Monotonic counter registers on an i.MX8MQ EVK?

Many thanks for your help.

Cyrill

0 件の賞賛
返信
3 返答(返信)

‎07-07-2020 05:05 AM
2,591件の閲覧回数
goescy
Contributor II

Hi all

I'm still working on this. Meanwhile, I tried to access the SNVS registers from the interactive U-Boot command line interface. Looking at the SNVS_HP Command Register (HPCOMR), I see field 31 as set and with this assume I should be able to access privileged registers:

u-boot=> md.l 0x30370004 1
30370004: 80002100

Then looking at the SNVS_LP Lock Register (LPLR), I see field 4 as not set and with this assume I should have write access to the monotonic counter and MC_ENV bit:

u-boot=> md.l 0x30370034 1
30370034: 00000000

Then looking at the SNVS_LP Control Register (LPCR) I see field 2 (MC_ENV) as not set and with this assume that the monotonic counter is disabled or invalid:

u-boot=> md.l 0x30370038 1
30370038: 00000020

Now I tried to enable the monotonic counter by setting this MC_ENV field of the LPCR register as follows:

u-boot=> mw.l 0x30370038 0x00000024

However, this has no effect:

u-boot=> md.l 0x30370038 1         
30370038: 00000020

What am I missing?

Many thanks,

Cyrill

0 件の賞賛
返信

‎07-27-2020 02:04 AM
2,591件の閲覧回数
goescy
Contributor II

Hi all

I'm still working on this. I would like to summarize my previous question as follows: booting the i.MX8MQ EVK and interrupting u-boot to get into the interactive u-boot CLI, why is it not possible to write the MC_ENV field of the LPCR register (from within the u-boot CLI) to enable the monotonic counter even though the HPCOMR register indicates that access to privileged registers is enabled and the LPLR register indicates that I should have access to the MC_ENV field of the LPCR register?

Many thanks for your help.

Cyrill

0 件の賞賛
返信

‎07-31-2020 02:02 PM
2,591件の閲覧回数
jamesbone
NXP TechSupport
NXP TechSupport

reason may be insufficient permissions which are handled in atf

imx8mq\imx\plat - imx-atf - i.MX ARM Trusted firmware 

0 件の賞賛
返信