imx8 secure boot questions.

yang_wang-wy
Contributor III

Hello Sir,

I have some questions about secure boot that I want to clarify with your support, based on the NXP i.MX8 processor.

1. When we use the cst tool to generate a srk_1234_fuse.bin, it means all 4 key pairs are generated and we have 4 single PEM public keys. I want to ask whether all the values in `srk_1234_fuse.bin` must be downloaded at one time, or whether they could be separated into 4 keys, like the 4 PEM files we have? Or, put another way, will every verification process use the whole srk_1234_fuse.bin value or just 1/4?

2. Must I follow the sequence and use the 1st PEM file when signing the image? May I use the 2nd PEM file to sign the image the first time? What are the rules about which one is working? How can the first key be dropped?

3. If I set the secure boot to the `OEM_CLOSED` status, it means that I have started the full function of secure boot. I want to ask whether, in this status, unsigned or wrongly signed firmware will be downloaded but not boot, or cannot be downloaded at all?

4. What is the difference between B0 and C0 regarding secure boot? Is only the offset changed (from 0x8000 to 0x0)? I have the B0 and C0 CPU modules, but it looks like all the documents relate to B0, while C0 is the future.

Many thanks for your help with these questions.

Yuri
NXP Employee

@yang_wang-wy 
Hello,

Please look at my comments below.

1. All SRKs should be treated, since the hash for each of the entire SRK table is stored in the SRK fuses.

2. It is possible to use another key.

3. The firmware will be downloaded (it is needed to check it) but will not boot.

4. Available information is provided in the following Migration Guide.

https://www.nxp.com/docs/en/application-note/AN12770.pdf

 

Regards,
Yuri.

yang_wang-wy
Contributor III

@Yuri Many thanks for your information.

About Q2, could you help provide some documentation on how to disable the 1st or second key in the fuses?

About Q3, I want to understand whether NXP will provide some solution to OEMs that prevents unsigned or wrongly signed firmware from being downloaded into Flash?

Yuri
NXP Employee

@yang_wang-wy 
Hello,

  You may look at the following discussion:

https://community.nxp.com/t5/i-MX-Processors/i-MX8X-permanently-revoke-a-SRK-key/m-p/1209783

Note, some i.MX8 revoking details are not intended for public discussion.

Also: unsigned or wrongly signed firmware will not be loaded into Flash; images are checked in DRAM memory.

Regards,
Yuri.
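A simplified model of two points from the answers above: the fuses hold one hash over the whole SRK table, and any one of the four keys can be selected for signing. This is an added illustration, not NXP code; the table layout, the SHA-512 digest and the `revoke_mask` bitmask are assumptions of the model, not the AHAB format.

```python
import hashlib
import hmac

# Constructed stand-ins for the four SRK public keys; real ones come from the
# PEM files the CST generates.
SRKS = [f"constructed-srk-public-key-{n}".encode() for n in range(1, 5)]


def srk_table(keys):
    """Simplified table: length-prefixed key records in order (not the AHAB layout)."""
    return b"".join(len(k).to_bytes(2, "big") + k for k in keys)


def fuse_value(keys):
    """One digest over the entire table; SHA-512 is an assumption of this model."""
    return hashlib.sha512(srk_table(keys)).digest()


def select_key(fused, table_keys, index, revoke_mask=0):
    """Return the key a signature would be checked against, or raise ValueError.

    Order modelled: whole-table hash against the fuses, then the hypothetical
    per-key revoke_mask, then selection of one key by index.
    """
    if not hmac.compare_digest(fuse_value(table_keys), fused):
        raise ValueError("SRK table does not match the fused hash")
    if not 0 <= index < len(table_keys):
        raise ValueError("SRK index out of range")
    if (revoke_mask >> index) & 1:
        raise ValueError("selected SRK is revoked")
    return table_keys[index]


def rejected(*args, **kwargs):
    """True when select_key refuses the input."""
    try:
        select_key(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    fused = fuse_value(SRKS)
    print("key 2 usable first:", select_key(fused, SRKS, 1) == SRKS[1])
    print("one-key table rejected:", rejected(fused, SRKS[1:2], 0))
    print("key 1 revoked, key 2 still usable:",
          rejected(fused, SRKS, 0, revoke_mask=0b0001),
          not rejected(fused, SRKS, 1, revoke_mask=0b0001))
```

In this model a table carrying only one of the four keys never matches the fused value, which is why the whole table travels with the signed image even though a single key signs it.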

 

yang_wang-wy
Contributor III

Hello Yuri,

Many thanks for your feedback. It helps me a lot.
You say that I could not download the unsigned firmware into flash. Are there any preconditions?
OEM_closed or another status?
Because I found I could use the dd command in Linux or in U-Boot to download the unsigned firmware into flash. But my board is in NXP_closed status, and I don't use ahab_close to change the status because I must be careful to do this change.

Yuri
NXP Employee

@yang_wang-wy 
Hello,

  As for "I could use the dd command in Linux or in uboot to download the unsigned
firmware into flash" - use signed U-Boot and crypto-FS in Linux to avoid such issues.

Regards,
Yuri.

yang_wang-wy
Contributor III

@Yuri, okay, got it.
I will test a signed OS container to verify it.
BTW, could you give me some hints on using imx-mkimage to generate the OS container? We are using Yocto to build the file system and do not use imx-mkimage for the rootfs wic file.
I checked https://community.nxp.com/t5/i-MX-Processors/How-to-generate-a-signed-OS-container-image-for-iMX8X/m...  and https://community.nxp.com/t5/i-MX-Processors/i-MX8X-Secure-Boot-with-encrypted-OS-container/m-p/1203... but they were not helpful.
Or do I need to repost a new question in the community?

Yuri
NXP Employee

@yang_wang-wy 
Hello,

  Yes, it is a good approach to repost a new question in the community.

Regards,
Yuri.
