secure boot


1,458 Views
ljm3721
Contributor I

When I enable efuse, I cannot burn new u-boot.imx, including signed u-boot.imx?

 

9 Replies

1,375 Views
Harvey021
NXP TechSupport

Need to add DCD blocks to csf while using uuu.

 

Best regards

Harvey


1,340 Views
ljm3721
Contributor I

Hi,
How do I add the DCD? Are there any relevant steps? I didn't see the relevant operations in the link below:
https://github.com/u-boot/u-boot/blob/master/doc/imx/habv4/guides/mx6_mx7_secure_boot.txt


1,335 Views
Harvey021
NXP TechSupport

You can add DCD from u-boot.imx.log  to your csf.

 

Best regards

Harvey


1,277 Views
ljm3721
Contributor I

Hi,
I still can't burn the image after adding DCD. Can you help me find out what's wrong?

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x877ff400 0x00000000 0x00084c00 "u-boot.imx",\
0x00910000 0x0000002c 0x000001e8 "u-boot.imx"

 


1,261 Views
Harvey021
NXP TechSupport

Sent you email.

 

Regards

Harvey


1,241 Views
ljm3721
Contributor I

Hi,
I tried according to the method in your email, but it still didn't work. Instead, a phenomenon occurred that the board without efuse was burned continuously and could not be started.


1,327 Views
ljm3721
Contributor I

Hi,

I added the following to my csf file:

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x877ff400 0x00000000 0x00084c00 "u-boot.imx",\
0x00910000 0x0000002c 0x000001e8 "u-boot.imx"

I have another question:
I didn’t burn SRK_1_2_3_4_fuse.bin to efuse, why can I get the following printout:
Normal Boot
Hit any key to stop autoboot: 0
=> fuse read 3 0 8
Reading bank 3:

Word 0x00000000: 00000000 00000000 00000000 00000000
Word 0x00000004: 00000000 00000000 00000000 00000000
=> hab_status

Secure boot disabled

HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!

=>
Isn't it necessary to burn efuse first before there will be no events?

 


1,441 Views
Harvey021
NXP TechSupport

Please give more details. Which eFUSE have you enabled?

 

Best regards

Harvey


1,404 Views
ljm3721
Contributor I

I am using an i.MX6ULL. I burned the SRK_1_2_3_4_fuse.bin generated by the CSF tool to efuse according to the documentation, as follows:
=> fuse prog -y 3 0 0x72A064C2
=> fuse prog -y 3 1 0x69824956
=> fuse prog -y 3 2 0x63966059
=> fuse prog -y 3 3 0x4842015
=> fuse prog -y 3 4 0x416A880E
=> fuse prog -y 3 5 0xF533453B
=> fuse prog -y 3 6 0x23306C28
=> fuse prog -y 3 7 0x8E2C366E
After that I use the following command to detect the event:
=> hab_status
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
I saw no events and thought it was successful, so I enabled it, as follows:
=> fuse prog 0 6 0x00000002

But after I enable Secure boot, I cannot re-burn the previous u-boot.imx (signed):
sudo uuu -d -b emmc 'u-boot.imx'
Below is my csf file:

[Header]
Version = 4.1
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = SW

[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0

[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate CSF]

[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed

Target Index = 2
# Key to install
File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"

[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x877ff400 0x00000000 0x00084c00 "u-boot.imx"

 

$ cat ./git/mx6ull_14x14_evk_emmc_config/u-boot.imx.log
Image Type: Freescale IMX Boot Image
Image Ver: 2 (i.MX53/6/7 compatible)
Mode: DCD
Data Size: 553056 Bytes = 540.09 KiB = 0.53 MiB
Load Address: 877ff420
Entry Point: 87800000
HAB Blocks: 0x877ff400 0x00000000 0x00084c00
DCD Blocks: 0x00910000 0x0000002c 0x000001e8

Is there a problem with the CSF file? Looking forward to your reply

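The block lists discussed in this thread can be derived from the mkimage log instead of being copied by hand. The following is an added example, not code from the thread or from NXP: it reads the "HAB Blocks" and "DCD Blocks" lines of u-boot.imx.log, reports which of them a CSF's Blocks statement lacks, and renders a statement that lists both. The function names are hypothetical, and the embedded sample text is constructed from the log and CSF quoted in the post above.

```python
import re

# Constructed sample input: the relevant lines of u-boot.imx.log from the post above.
SAMPLE_LOG = """\
Load Address: 877ff420
Entry Point: 87800000
HAB Blocks: 0x877ff400 0x00000000 0x00084c00
DCD Blocks: 0x00910000 0x0000002c 0x000001e8
"""
# Constructed sample input: the [Authenticate Data] section of the CSF from the same post.
SAMPLE_CSF = """\
[Authenticate Data]
Verification index = 2
Blocks = 0x877ff400 0x00000000 0x00084c00 "u-boot.imx"
"""

HEX = r"(0x[0-9a-fA-F]+)"
LOG_RE = re.compile(rf"^(HAB|DCD) Blocks:\s+{HEX}\s+{HEX}\s+{HEX}\s*$", re.M)
TRIPLE_RE = re.compile(rf"{HEX}\s+{HEX}\s+{HEX}")


def parse_log(log_text):
    """Map 'HAB'/'DCD' to (address, offset, length) as read from the mkimage log."""
    return {kind: tuple(int(v, 16) for v in vals)
            for kind, *vals in LOG_RE.findall(log_text)}


def csf_blocks(csf_text):
    """Return the (address, offset, length) triples of the first Blocks statement."""
    joined = csf_text.replace("\\\n", " ")  # fold backslash line continuations
    m = re.search(r"^\s*Blocks\s*=(.*)$", joined, re.M)
    return [tuple(int(v, 16) for v in t) for t in TRIPLE_RE.findall(m.group(1))] if m else []


def missing_blocks(csf_text, log_text):
    """Names of the log's block entries that the CSF does not authenticate."""
    present = set(csf_blocks(csf_text))
    return [kind for kind, blk in parse_log(log_text).items() if blk not in present]


def render_blocks(log_text, image="u-boot.imx"):
    """Build a Blocks statement listing the HAB block, then the DCD block."""
    blocks = parse_log(log_text)
    rows = ['0x%08x 0x%08x 0x%08x "%s"' % (*blocks[k], image)
            for k in ("HAB", "DCD") if k in blocks]
    return "Blocks = " + ",\\\n         ".join(rows)


if __name__ == "__main__":
    print("missing from CSF:", missing_blocks(SAMPLE_CSF, SAMPLE_LOG))
    print(render_blocks(SAMPLE_LOG))
```

Re-running the check whenever u-boot.imx is rebuilt catches a CSF whose addresses or lengths no longer match the log.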