Hi,
I have followed the AN12681 to enabled the HAB secure boot in i.MX RT105x. Everything works fine.
I found that I still can read and write SRK_HASH (0x580[31:0]) after the instructions of AN12681. It means there is a chance to change the SRK_HASH to break the bootup sequence.
There is a bit of SRK_LOCK (0x400[14]) as below. I suppose it can lock the read and write of SRK_HASH (like SJC_RESP_LOCK). So write 0x1 to SRK_LOCK (0x400[14]). Unfortunately, my board cannot boot now... Do you know the role of SRK_LOCK (0x400[14])?
My fuse settings are:
'After' means write 0x1 to SRK_LOCK (0x400[14]), my board fails to boot.
Solved! Go to Solution.
Hi @JerryQian_132 ,
From AN12681 , we can know, to the HAB secure boot, the fuse just need to modify the following point:
SRK table and the SEC_CONFIG to enable HAB closed mode, no SRK_LOCK (0x400[14]), after you modify SRK_LOCK, the SRK_Table shoud even can't be read by the HAB secure boot, that's why you boot failed.
I think you totally don't need to modify SRK_LOCK bit.
As, even you can read and write SRK_HASH (0x580[31:0]) , because you have the related certificate files, if to others, don't have it, they can't access it. So, the related fuse table still be protected.
As you know, fuse area just can modify from 0 to 1, can't be back, maybe you need to test another chip for the HAB secure boot, by totally following the AN12681.
Best Regards,
kerry
Hi @JerryQian_132 ,
From AN12681 , we can know, to the HAB secure boot, the fuse just need to modify the following point:
SRK table and the SEC_CONFIG to enable HAB closed mode, no SRK_LOCK (0x400[14]), after you modify SRK_LOCK, the SRK_Table shoud even can't be read by the HAB secure boot, that's why you boot failed.
I think you totally don't need to modify SRK_LOCK bit.
As, even you can read and write SRK_HASH (0x580[31:0]) , because you have the related certificate files, if to others, don't have it, they can't access it. So, the related fuse table still be protected.
As you know, fuse area just can modify from 0 to 1, can't be back, maybe you need to test another chip for the HAB secure boot, by totally following the AN12681.
Best Regards,
kerry
Hi Kerry,
"after you modify SRK_LOCK, the SRK_Table shoud even can't be read by the HAB secure boot, that's why you boot failed".
This makes sense. Thanks for clarifying.
BR
Jerry Qian