Hello Sir,
I have some questions about the secure boot want to make clear with your support based on IMX8 NXP processor.
1. When we use the cst tool generate a srk_1234_fuse.bin means all the 4 pairs keys generated and we have 4 single pem public key. I want to say that if `srk_1234_fuse.bin`all the value must be download in one time or could be separate 4 keys like we have 4 pem files? or I could ask if every verification process will use all the srk_1234_fuse.bin value or just 1/4 ?
2. If I must follow the sequence use the 1st pem file when sign the image? May I use the 2nd pem file sign the image first time? What is the rules about which one is working? How to let the first key to be dropped?
3. If I set the secure boot as `OEM_CLOSED` status means that I have start the full function of secure boot, I want to ask in this status that if the unsigned or wrong signed firmware will be download but not booting or directly can not be downloaded?
4. What is the difference in B0 and C0 in secure boot topic? Is there only the offset changed? (from 0x8000 to 0x0)? Because I have the B0 and C0 CPU modules but looks all the documents are related with the B0, But C0 is the tomorrow.
Many thanks for your help about the below questions.
Solved! Go to Solution.
@yang_wang-wy
Hello,
Please look at my comments below.
1.
All SRKs should be treated, since the hash for each of the entire SRK table
is stored in the SRK fuses.
2.
It is possible to use another key.
3.
The firmware will be download (it is needed to check it) but not booting.
4.
Available information is provided in the following Migration Guide.
https://www.nxp.com/docs/en/application-note/AN12770.pdf
Regards,
Yuri.
@yang_wang-wy
Hello,
Please look at my comments below.
1.
All SRKs should be treated, since the hash for each of the entire SRK table
is stored in the SRK fuses.
2.
It is possible to use another key.
3.
The firmware will be download (it is needed to check it) but not booting.
4.
Available information is provided in the following Migration Guide.
https://www.nxp.com/docs/en/application-note/AN12770.pdf
Regards,
Yuri.
@Yuri Many thanks for your information
about the Q2 could you help to provide some doc about how to disable the 1st or second key in fuse?
aboout Q3 I want to understand if NXP will provide some solution to OEM that avoid the unsigned or wrong signed firmware download into Flash?
@yang_wang-wy
Hello,
You may look at the following discussion:
https://community.nxp.com/t5/i-MX-Processors/i-MX8X-permanently-revoke-a-SRK-key/m-p/1209783
Note, some i.MX8 revoking details are not intended for public discussion.
Also: unsigned or wrong signed firmware will not be loaded into Flash, images are checked
in DRAM memory.
Regards,
Yuri.
Hello Yuri,
Many thanks for your feedback. It helps me a lot.
You say that I could not download the unsigned firmware into flash. Are there any preconditions?
OEM_closed or another status?
Because I found I could use the dd command in Linux or in uboot to download the unsigned firmware into flash. But my board is NXP_closed status, and I don't use ahab_close to change the status because I must be careful to do this change.
@yang_wang-wy
Hello,
as for "I could use the dd command in Linux or in uboot to download the unsigned
firmware into flash" - use signed U-boot and crypto-FS in Linux to avoid such issues.
Regards,
Yuri.
@Yuri, okay, got it.
I will test a signed os container to verify it.
BTW, could you help give me some hint to using the imx-mkimage to generate the os container because we are using the yocto to build the file system and not use imx-mkimage for the rootfs wic file.
I checked https://community.nxp.com/t5/i-MX-Processors/How-to-generate-a-signed-OS-container-image-for-iMX8X/m... and https://community.nxp.com/t5/i-MX-Processors/i-MX8X-Secure-Boot-with-encrypted-OS-container/m-p/1203... but not helpful.
Or I need to repost a new question in the community.
@yang_wang-wy
Hello,
Yes, it is good approach to repost a new question in the community.
Regards,
Yuri.