I'd appreciate your support to work out the following issue that I run into after adding some CAAM related feature to an application that had been otherwise working fine for a while.
Description of the working system:
Proprietary board based on IMXRT1175 (SDK_2.x_MIMXRT1175xxxxx version 2.13.0).
Secure boot enabled by writing SRK table fuses and SEC_CONFIG[1] fuse.
Application signed using a proprietary internal tool (not an NXP tool).
I can load my application using blhost command "load-image" that runs it from ram.
Secure boot checks are passed and my application runs correctly.
Description of the problem:
The application has been modified to introduce additional features that make use of CAAM. The project includes now mbed tls and uses BLACKBLOB.
The application is signed using same internal tool as above.
Different scenarios are now occurring:
1. When loading the application on same target as above (secure boot enabled) using the debugger probe (Segger JLink+) the application runs as expected.
On the contrary,
2. Launching the same application with blhost on the same board (security fuses set) the application starts and runs correctly until CAAM is initialized. CAAM initialization is apparently failing, preventing the application to properly execute cryptographic operations.
I have also observed that:
3. Loading with blhost the same application on a similar board where secure-boot fuses are NOT set, the application executes smoothly as expected (blackblob is decapsulated, mbed tls primitives are used properly to execute various cryptographic functions, etc.).
Questions:
Are there any precautions to take to initialize/utilize the CAAM on CPU whose fuses are set to enforce secure boot?
What documents / application notes would you suggest to consult for further information?
Thank you for your support
