imx8 secure boot questions.

yang_wang-wy
Contributor III

Hello Sir,

I have some questions about secure boot on the NXP IMX8 processor that I would like to clarify with your support.

1. When we use the cst tool to generate `srk_1234_fuse.bin`, all 4 key pairs are generated and we have 4 single PEM public keys. Must the whole value of `srk_1234_fuse.bin` be downloaded at one time, or could it be separated into 4 keys, like the 4 PEM files we have? Or, to ask it another way: does every verification process use the whole `srk_1234_fuse.bin` value or just 1/4?

2. Must I follow the sequence and use the 1st PEM file when signing the image? May I use the 2nd PEM file to sign the image the first time? What are the rules about which one is working? How can the first key be dropped?

3. If I set secure boot to the `OEM_CLOSED` status, it means that I have started the full function of secure boot. In this status, will unsigned or wrongly signed firmware be downloaded but not boot, or can it not be downloaded at all?

4. What is the difference between B0 and C0 regarding secure boot? Is it only the offset that changed (from 0x8000 to 0x0)? I have B0 and C0 CPU modules, but all the documents seem to be related to B0, while C0 is the future.

Many thanks for your help with these questions.

Yuri
NXP Employee

@yang_wang-wy 
Hello,

Please look at my comments below.

1. All SRKs should be treated, since the hash for each of the entire SRK table is stored in the SRK fuses.

2. It is possible to use another key.

3. The firmware will be downloaded (it is needed to check it) but will not boot.

4. Available information is provided in the following Migration Guide:

https://www.nxp.com/docs/en/application-note/AN12770.pdf

Regards,
Yuri.

yang_wang-wy
Contributor III

@Yuri Many thanks for your information.

About Q2: could you help provide some documentation on how to disable the 1st or second key in the fuses?

About Q3: I want to understand whether NXP will provide some solution to OEMs that prevents unsigned or wrongly signed firmware from being downloaded into Flash.

Yuri
NXP Employee

@yang_wang-wy 
Hello,

You may look at the following discussion:

https://community.nxp.com/t5/i-MX-Processors/i-MX8X-permanently-revoke-a-SRK-key/m-p/1209783

Note, some i.MX8 revoking details are not intended for public discussion.

Also: unsigned or wrongly signed firmware will not be loaded into Flash; images are checked in DRAM memory.

Regards,
Yuri.

 

yang_wang-wy
Contributor III

Hello Yuri,

Many thanks for your feedback. It helps me a lot.
You say that I could not download the unsigned firmware into flash. Are there any preconditions?
OEM_closed or another status?
I ask because I found I could use the dd command in Linux or in uboot to download the unsigned firmware into flash. But my board is in NXP_closed status, and I don't use ahab_close to change the status because I must be careful about making this change.

Yuri
NXP Employee

@yang_wang-wy 
Hello,

As for "I could use the dd command in Linux or in uboot to download the unsigned firmware into flash": use signed U-Boot and crypto-FS in Linux to avoid such issues.

Regards,
Yuri.

yang_wang-wy
Contributor III

@Yuri, okay, got it.
I will test a signed OS container to verify it.
BTW, could you give me some hints on using imx-mkimage to generate the OS container? We are using Yocto to build the file system and do not use imx-mkimage for the rootfs wic file.
I checked https://community.nxp.com/t5/i-MX-Processors/How-to-generate-a-signed-OS-container-image-for-iMX8X/m... and https://community.nxp.com/t5/i-MX-Processors/i-MX8X-Secure-Boot-with-encrypted-OS-container/m-p/1203... but they were not helpful.
Or do I need to repost a new question in the community?

Yuri
NXP Employee

@yang_wang-wy 
Hello,

Yes, it is a good approach to repost a new question in the community.

Regards,
Yuri.
