uTasker bootloader with iMXRT1064

Davidino

On a practical point - is on-the-fly decryption from the internal QSPI flash in the 1064 really of practical significance? The flash is not accessible as it is on-chip and so code protection is less important as it can't be read out (unless the chips were to be opened in some way). Since on-the-fly decryption has a performance hit (not sure how much, but I heard of 30% or so) it seems that in many cases the 1064 has an advantage in that on-the-fly decryption may not be needed to ensure IP protection (in most standard instances) - compared to designs with off-chip QSPI flash where it would easily be extracted when not in encrypted from.

Note also that if you have code that fits in the internal RAM (enough space for code and variables) you can also use AES256 encryption in the flash and the uTasker boot loader will dynamically configure the FlexRAM to suit and ensure optimal performance, which can be 10x faster than XiP operation and also with much better deterministic performance [optimal for deep embedded control] as (core / FlexSPI) caching is never needed.

Regards

Mark

Hello @mjbcswitzerland , thank you for your answer.

Below some questions and answer.

1. Yes, I saw both the video and pdf, thank you.
2. The code size doesn't fit in ITCM as it's more than 300kB and I cannot reduce DTCM, so I simply moved some crucial functions in ITCM with _RAMFUNC() attribute (including cr_section_macros.h file).
3. Regarding the fact that the code contained inside the processor itself is protected, isn't it possible to read the flash memory content via USB using MCU NXP Boot Utility or with JTAG? Do I have to burn some eFuses so that flash memory content cannot be read?
4. Regarding the error that I get: The application is accepted (as the folder UPLOAD_DISK doesn't remain open) but the program doesn't work properly. I tested the bootloader with the simple hello_world SDK example, modified as explained in previous post, and the situation is the same (with _XIP version, it prints hello world with _XIP_BEE, it doesn't). You can find the project in attachment together with uTasker compiled bootloaders (writing on eFuses is disabled).
5. I tried to "attach to a running target using LinkServer" as explained here https://www.utasker.com/docs/iMX/MCUXpresso.pdf chapter 7 but it goes in "Read Timeout" both with XIP and XIP_BEE executable.

Thank you for your support.

Best Regards,

Davidino

Hi Davidino

I posted in your other thread about protecting Flash here: https://community.nxp.com/t5/i-MX-RT/Prevent-internal-ROM-code-from-being-read-in-imxRT1064/m-p/1348...

Note that the 1064 has 1MByte RAM so 300kByte code could operate in ITC, depending on the variable size and where they are located (512k RAM and 196k DTC, for example).

As noted in the other thread JTAG and ISP are sources of easy access to code, even when On-the-Fly encoded. So these interfaces have to be disabled or protected to an adequate degree.

Regards

Mark

Hello @mjbcswitzerland ,

thank you for your answers, both in this thread and in the other. Regarding the memory occupancy the situation is the following (consider that the project is going to expand further in the next future):

Memory region Used Size Region Size %age Used
PROGRAM_FLASH: 309384 B 4 MB 7.38%
SRAM_DTC: 132312 B 256 KB 50.47%
SRAM_ITC: 9352 B 128 KB 7.14%
SRAM_OC: 0 GB 640 KB 0.00%

Even if I move the remaing partitionable 128k OCRAM slot to ITCM, it's not enough yet. Maybe the only solution would be to move global data from DTCM to OCRAM, but it could affect program performances as well ("cachable or not cachable, this is the dilemma"). What do you think?

I thought about the code protection and I missed a point. If we need to provide to customer an updated release of the program (after all, it's the reason why a bootloader exists), they can easely obtain the source code from the executable!
I think that the only solution is to encrypt the code, and I don't understand why my code hello_world (the encryped form) posted before, doesn't work.

Thank you.

Best Regards,

Davide Brunelli

Hi Davide

I expect that OCRAM with caching would be a good solution since running code in ITC can be 10x faster than when running from QSPI flash. The OCRAM is about 1/4 the speed of DTC but with the cache it will tend to be more efficient much of the time.

You can (and should) still encode your application since you can then distribute it in a safe form. When the boot loader knows that it should be decrypted at reception and saved in plain XiP form it will then do this and the plain code is in the QSPI flash but never visible externally (or in the distributed files).

Regards

Mark

Hi Davidino

Could you tell me whether that extraneous ')' was in an original bat file or was the result of a manipulation? I checked through the ones in the repository and didn't identify this.

You are right that there is not presently a code for encrypted content to be saved in unencrypted form but it is quite easy to add. The existing codes are

#define BOOT_LOADER_TYPE_MASK                    0xf000
#define BOOT_LOADER_TYPE_PLAIN_XiP_RESET_VECTOR  0x0000                  // execute in QSPi flash (execute in place) starting with reset vector
#define BOOT_LOADER_TYPE_PLAIN_RAM_EXECUTION     0x1000                  // copy plain code to ITC and execute there
#define BOOT_LOADER_TYPE_PLAIN_XiP_CONFIG_TABLE  0x2000                  // execute in QSPi flash (execute in place) starting with configuration table
#define BOOT_LOADER_TYPE_PLAIN_SDRAM_EXECUTION   0x3000                  // copy plain code to SDRAM and execute there
#define BOOT_LOADER_TYPE_AES256_SDRAM_EXECUTION  0x4000                  // decrypt AES256 encrypted code to SDRAM and execute there
#define BOOT_LOADER_TYPE_AES128_XiP_RESET_VECTOR 0x5000                  // execute in QSPI flash (execute in place) starting with reset vector using on-the-fly decryption
#define BOOT_LOADER_TYPE_AES128_XiP_CONFIG_TABLE 0x6000                  // execute in QSPI flash (execute in place) starting with configuration table using on-the-fly decryption
#define BOOT_LOADER_TYPE_AES256_RAM_EXECUTION    0x9000                  // decrypt AES256 encrypted code to ITC and execute there

So two new ones for "AES to plain code reset" and/or "AES to plain code with config table" could be added. The USB usb_device_loader.c file which handles USB MSD class and loading checks the new file as it arrives and decrypts it on-the-fly (it can decrypt in AES128 or AES256 but I would suggest using AES256 when it doesn't need to be compatible with BEE, which (only) supports AES128 (although I understand there is no real difference in strength)) but usually it only decrypts the start so that it can verify that the content matches that which is advertised. The same file is also used for the Kinetis AES256 encrypted method which decrypts the full content on the fly and saves it to internal flash.
See https://www.youtube.com/watch?v=MXsJvTdCcH4&list=PLWKlVb_MqDQFZAulrUywU30v869JBYi9Q&index=25
which means that the technique is already include in the actual code.
It will be necessary - at a couple of locations - to check the type code in order to choose the decryption algorithm setting to use and to continue decrypting before saving (as the Kinetis configuration will always does) when the code signals that it should be used.

Also the primary loader will need to understand the new code so that it understands that it should start the application as plain-code (effectively equivalent to BOOT_LOADER_TYPE_PLAIN_XiP_RESET_VECTOR and BOOT_LOADER_TYPE_PLAIN_XiP_CONFIG_TABLE).

Good luck

Regards

Mark

Hello Mark,

thank you for your useful information.We are going to decide if we need to create this "new" bootloader mode (save file decrypted in flash) according to the performance that we can reach.

The problem was caused by me manipulating the file, but I can underline some bugs (at least as far as I can say):

In generate.bat for uTaskerV1.4_BM_XiP:

...

if %1==MIMXRT1010 (set CODE=E=128-60020200) else (if %1==MIMXRT1050 (set CODE=E=128B-60080200) else (set CODE=E=128B-60020200))
if %iMX_RT%==MIMXRT1050 (set OFFSET=0x80000) else (set OFFSET=0x20000)

....

Changed to (just to suit my need):

if %1==MIMXRT1010 (set CODE=E=128-60020200) else (if %1==MIMXRT1050 (set CODE=E=128B-60080200) else (set CODE=E=128B-70020400))
if %1==MIMXRT1050 (set OFFSET=0x80000) else (set OFFSET=0x20000)

Aside that if I comment out "#define USE_HTTP" from config.h in uTaskerSerialBoot, I get error:

c:/nxp/mcuxpressoide_11.3.0_5222/ide/plugins/com.nxp.mcuxpresso.tools.win32_11.3.0.202008311133/tools/bin/../lib/gcc/arm-none-eabi/9.3.1/../../../../arm-none-eabi/bin/ld.exe: ./Hardware/iMX/iMX.o:(.rodata.ctTaskTable+0x34): undefined reference to `fnNetworkIndicator'
c:/nxp/mcuxpressoide_11.3.0_5222/ide/plugins/com.nxp.mcuxpresso.tools.win32_11.3.0.202008311133/tools/bin/../lib/gcc/arm-none-eabi/9.3.1/../../../../arm-none-eabi/bin/ld.exe: ./uTasker/Driver.o: in function `fnWrite':
C:\myNxp\uTasker\uTasker-GIT-Kinetis\uTaskerSerialBoot/../uTasker/Driver.c:355: undefined reference to `fnNetworkTx'
c:/nxp/mcuxpressoide_11.3.0_5222/ide/plugins/com.nxp.mcuxpresso.tools.win32_11.3.0.202008311133/tools/bin/../lib/gcc/arm-none-eabi/9.3.1/../../../../arm-none-eabi/bin/ld.exe: ./stack/Ethernet.o: in function `fnTaskEthernet':
C:\myNxp\uTasker\uTasker-GIT-Kinetis\uTaskerSerialBoot/../stack/Ethernet.c:299: undefined reference to `fnGetEthernetPars'
c:/nxp/mcuxpressoide_11.3.0_5222/ide/plugins/com.nxp.mcuxpresso.tools.win32_11.3.0.202008311133/tools/bin/../lib/gcc/arm-none-eabi/9.3.1/../../../../arm-none-eabi/bin/ld.exe: ./stack/Ethernet.o: in function `fnEthernetMuxEvent':
C:\myNxp\uTasker\uTasker-GIT-Kinetis\uTaskerSerialBoot/../stack/Ethernet.c:1107: undefined reference to `network'
c:/nxp/mcuxpressoide_11.3.0_5222/ide/plugins/com.nxp.mcuxpresso.tools.win32_11.3.0.202008311133/tools/bin/../lib/gcc/arm-none-eabi/9.3.1/../../../../arm-none-eabi/bin/ld.exe: ./stack/arp.o: in function `is_subnet':
C:\myNxp\uTasker\uTasker-GIT-Kinetis\uTaskerSerialBoot/../stack/arp.c:366: undefined reference to `network'
c:/nxp/mcuxpressoide_11.3.0_5222/ide/plugins/com.nxp.mcuxpresso.tools.win32_11.3.0.202008311133/tools/bin/../lib/gcc/arm-none-eabi/9.3.1/../../../../arm-none-eabi/bin/ld.exe: ./stack/arp.o: in function `fnBuildSendARP':
C:\myNxp\uTasker\uTasker-GIT-Kinetis\uTaskerSerialBoot/../stack/arp.c:545: undefined reference to `network'
c:/nxp/mcuxpressoide_11.3.0_5222/ide/plugins/com.nxp.mcuxpresso.tools.win32_11.3.0.202008311133/tools/bin/../lib/gcc/arm-none-eabi/9.3.1/../../../../arm-none-eabi/bin/ld.exe: C:\myNxp\uTasker\uTasker-GIT-Kinetis\uTaskerSerialBoot/../stack/arp.c:545: undefined reference to `network'
c:/nxp/mcuxpressoide_11.3.0_5222/ide/plugins/com.nxp.mcuxpresso.tools.win32_11.3.0.202008311133/tools/bin/../lib/gcc/arm-none-eabi/9.3.1/../../../../arm-none-eabi/bin/ld.exe: ./stack/arp.o: in function `fnTimeoutValue':
C:\myNxp\uTasker\uTasker-GIT-Kinetis\uTaskerSerialBoot/../stack/arp.c:413: undefined reference to `network'
c:/nxp/mcuxpressoide_11.3.0_5222/ide/plugins/com.nxp.mcuxpresso.tools.win32_11.3.0.202008311133/tools/bin/../lib/gcc/arm-none-eabi/9.3.1/../../../../arm-none-eabi/bin/ld.exe: ./stack/arp.o:C:\myNxp\uTasker\uTasker-GIT-Kinetis\uTaskerSerialBoot/../stack/arp.c:752: more undefined references to `network' follow

The reason is that without USE_HTTP in webinterface.c functions fnGetEthernetPars() and fnNetworkTx() and struct network are comment out, but they are still in use.

Hope it can help you.Thank you.

Best Regards,

Davidino

Hi Davidino

I think the bat file can be extended to automatically recognise the 1064 case with:

if %1==MIMXRT1010 (set CODE=E=128-60020400) else if %1==MIMXRT1050 (set CODE=E=128B-60080400) else if %1==MIMXRT1064 (set CODE=E=128B-70020400) else (set CODE=E=128B-60020400)


The serial loader is usually used with HTTP,  MODBUS/TCP, FTP or TFTP and if these are all disabled (or TCP disabled) it is correct that you get those linker errors.
However, if you want to build a (test) version with just basic Ethernet support (eg. to test that it can ping without needing a TCP protocol) this can be solved as follows:
1. In webInterface.c make
NETWORK_PARAMETERS network[IP_NETWORK_COUNT] = ...
conditional on USE_IP (rather than it being conditional on HTTP, FTP, etc.

2. In the same file do the same with the dummy functions fnNetworkTx() and fnGetEthernetPars().

This will now build.

Regards

Mark

Hello Mark,

if I'm not wrong this is an error, right?

if %iMX_RT%==MIMXRT1050 (set OFFSET=0x80000) else (set OFFSET=0x20000)

and should be changed to:

if %1==MIMXRT1050 (set OFFSET=0x80000) else (set OFFSET=0x20000)

regarding the USE_HTTP the error happens, for example, even if USE_FTP is enabled.

Can you confirm? Thank you.

Hi Davidino

There are a number of bat files that are used in different environment:
The MCUXpresso version uses
if %1==MIMXRT1010
since the parameters are passed by the MCUXpresso post-build step as parameters:
and the GCC make file version uses
if %iMX_RT%==MIMXRT1010
since iMX_RT is manually set in the file.
Therefore both are correct but it depends which environment you are building in (and which of the bat files is actually being used).

If I build with USE_FTP only I don't have any problems since those missing functions and struct are conditional on
#if defined USE_HTTP || defined USE_FTP || defined USE_TFTP

Possibly you are using an older version where there is a difference but if you check these conditions it should be clear what is missing.

Regards

Mark