imx6 secure boot questions

kwroot · ‎09-02-2020

Hi everyone!

I have different questions about secure boot on imx6ull (that runs linux compiled with Yocto - release sumo).

According to the related guide (http://variwiki.com/index.php?title=High_Assurance_Boot&release=RELEASE_SUMO_V1.1_DART-6UL#Secure_th...) the paragraph 3.5 says that HAB does not consider the duration of the PKI. So if the PKI expires, what happens? is the system still bootable?
Is it possible/safe to burn efuses in an automatic way without enter manually in the uboot command line? maybe entering the fuse prog command in the bootcmd u-boot variable?
I'm wondering if there is some many-time-programmable memory to use for storing the PKI instead of efuses (in the case the PKI needs to be updated). So, is it possible to make secure boot without burning efuses?

Thank you all in advance!

Yuri · ‎09-02-2020

Hello,

1.
HAB on iMX doesn't verify the certificate period, so a signed image will continue
to boot on closed (locked) independent of certificate period set with CST tool.

2.
The i.MX fuses can be burned only once. So, the fuses are recommended to be burned
after / with system images transfer, using UUU (MFG tool).

3.
It impossible to make secure boot without burning efuses. SRK fuses contain SRK hashes,
which are verified by boot ROM.

Regards,
Yuri.

View solution in original post

Yuri · ‎09-02-2020

@kwroot

Hello,

1.
HAB on iMX doesn't verify the certificate period, so a signed image will continue
to boot on closed (locked) independent of certificate period set with CST tool.

2.
The i.MX fuses can be burned only once. So, the fuses are recommended to be burned
after / with system images transfer, using UUU (MFG tool).

3.
It impossible to make secure boot without burning efuses. SRK fuses contain SRK hashes,
which are verified by boot ROM.

Regards,
Yuri.