ヘルプ
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

imx8 secure boot questions.

キャンセル
提案をオンにする
自動提案では、入力時に可能な一致が提案されるので検索結果を素早く絞り込むことができます。
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 
解決済み
ソリューションへジャンプ

imx8 secure boot questions.

ソリューションへジャンプ
‎03-11-2021 03:44 AM
4,730件の閲覧回数
yang_wang-wy
Contributor III

Hello Sir,

I have some questions about the secure boot want to make clear with your support based on IMX8 NXP processor.

1. When we use the cst tool generate a srk_1234_fuse.bin means all the 4 pairs keys generated and we have 4 single pem public key. I want to say that if `srk_1234_fuse.bin`all the value must be download in one time or could be separate 4 keys like we have 4 pem files? or I could ask if every verification process will use all the srk_1234_fuse.bin value or just 1/4 ?

2. If I must follow the sequence use the 1st pem file when sign the image? May I use the 2nd pem file sign the image first time? What is the rules about which one is working? How to let the first key to be dropped?

3. If I set the secure boot as `OEM_CLOSED` status means that I have start the full function of secure boot, I want to ask in this status that if the unsigned or wrong signed firmware will be download but not booting or directly can not be downloaded?

4. What is the difference in B0 and C0 in secure boot topic? Is there only the offset changed? (from 0x8000 to 0x0)? Because I have the B0 and C0 CPU modules but looks all the documents are related with the B0, But C0 is the tomorrow.

Many thanks for your help about the below questions.

タグ(2)
0 件の賞賛
返信
1 解決策

ソリューションへジャンプ
‎03-11-2021 09:11 PM
4,724件の閲覧回数
Yuri
NXP Employee
NXP Employee

@yang_wang-wy 
Hello,

Please look at my comments below.

1.
  All SRKs should be treated, since the hash for each of the entire SRK table
is stored in the SRK fuses.

2.
  It is possible to use another key.

3.
  The firmware will be download (it is needed to check it) but not booting.

4.
  Available information is provided in the following Migration Guide.

https://www.nxp.com/docs/en/application-note/AN12770.pdf

 

Regards,
Yuri.

元の投稿で解決策を見る

0 件の賞賛
返信
7 返答(返信)

ソリューションへジャンプ
‎03-11-2021 09:11 PM
4,725件の閲覧回数
Yuri
NXP Employee
NXP Employee

@yang_wang-wy 
Hello,

Please look at my comments below.

1.
  All SRKs should be treated, since the hash for each of the entire SRK table
is stored in the SRK fuses.

2.
  It is possible to use another key.

3.
  The firmware will be download (it is needed to check it) but not booting.

4.
  Available information is provided in the following Migration Guide.

https://www.nxp.com/docs/en/application-note/AN12770.pdf

 

Regards,
Yuri.

0 件の賞賛
返信

ソリューションへジャンプ
‎03-11-2021 10:23 PM
4,714件の閲覧回数
yang_wang-wy
Contributor III

@Yuri Many thanks for your information

about the Q2 could you help to provide some doc about how to disable the 1st or second key in fuse?

aboout Q3 I want to understand if NXP will provide some solution to OEM that avoid the unsigned or wrong signed firmware download into Flash?

0 件の賞賛
返信

ソリューションへジャンプ
‎03-15-2021 11:05 PM
4,692件の閲覧回数
Yuri
NXP Employee
NXP Employee

@yang_wang-wy 
Hello,

  You may look at the following discussion:

https://community.nxp.com/t5/i-MX-Processors/i-MX8X-permanently-revoke-a-SRK-key/m-p/1209783

Note, some i.MX8 revoking details are not intended for public discussion.

Also: unsigned or wrong signed firmware will not be loaded into Flash, images are checked
in DRAM memory.

Regards,
Yuri.

 

0 件の賞賛
返信

ソリューションへジャンプ
‎03-15-2021 11:24 PM
4,688件の閲覧回数
yang_wang-wy
Contributor III

Hello Yuri,

Many thanks for your feedback. It helps me a lot.
You say that I could not download the unsigned firmware into flash. Are there any preconditions?
OEM_closed or another status? 
Because I found I could use the dd command in Linux or in uboot to download the unsigned firmware into flash. But my board is NXP_closed status, and I don't use ahab_close to change the status because I must be careful to do this change.

0 件の賞賛
返信

ソリューションへジャンプ
‎03-15-2021 11:29 PM
4,685件の閲覧回数
Yuri
NXP Employee
NXP Employee

@yang_wang-wy 
Hello,

 as for "I could use the dd command in Linux or in uboot to download the unsigned
firmware into flash" - use signed U-boot and crypto-FS in Linux to avoid such issues.

Regards,
Yuri.

返信

ソリューションへジャンプ
‎03-15-2021 11:34 PM
4,682件の閲覧回数
yang_wang-wy
Contributor III

@Yuri, okay, got it.
I will test a signed os container to verify it.
BTW, could you help give me some hint to using the imx-mkimage to generate the os container because we are using the yocto to build the file system and not use imx-mkimage for the rootfs wic file.
I checked https://community.nxp.com/t5/i-MX-Processors/How-to-generate-a-signed-OS-container-image-for-iMX8X/m...  and https://community.nxp.com/t5/i-MX-Processors/i-MX8X-Secure-Boot-with-encrypted-OS-container/m-p/1203... but not helpful.
Or I need to repost a new question in the community.

0 件の賞賛
返信

ソリューションへジャンプ
‎03-15-2021 11:47 PM
4,680件の閲覧回数
Yuri
NXP Employee
NXP Employee

@yang_wang-wy 
Hello,

  Yes, it is good approach to repost a new question in the community.

Regards,
Yuri.

0 件の賞賛
返信