Firmware update with iMXRT1021 + BEE encryption

t_thurgood
Contributor III

kerryzhou

Hi Kerry,

We have our 1021 product running in encrypted mode using BEE.

That is, BEE_KEY0_SEL, EncryptedXIP and SRK fuses all active.

Using an Ethernet port, the image will be updated, writing to an inactive (but part of encrypted region) bank in flash. After a power cycle the new image will be executed.

What is the recommended process for updating the firmware to maintain the BEE encryption?

Can the BEE be used to encrypt a plain image+csf as it is written to flash?

Or does the image have to be encrypted+csf, then downloaded and written to flash without the BEE?

There won't be any type of proprietary flashloader, just whatever methods are needed for receiving blocks of data and writing to the required areas of flash.

br,

Tony

kerryzhou
NXP TechSupport

Hi Tony Thurgood,

I am very glad to hear your RT1021 product is running in encrypted mode using BEE.

What's the key you are using now? Master key or the user key?

In the flashloader process, the image should already be secured before it is downloaded to the flash; it is not a plain image+csf that is then secured while the code is downloaded.

  Anyway, I will double check it on my side.

Kerry

 

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post; later replies are ignored.
  Please open a new thread and refer to the closed one if you have a related question at a later point in time.
-------------------------------------------------------------------------------

t_thurgood
Contributor III

Hi kerryzhou

I am using "Fixed Otpmk Key".

This is not about the flashloader, just updating firmware on a product that is running in encrypted mode, similar to "over-the-air", but we are using Ethernet LAN.

What is the recommended process for updating the firmware to maintain the BEE encryption?

Can the BEE be used to encrypt a plain image+csf as it is written to flash?

Or does the image have to be encrypted+csf, then downloaded and written to flash without the BEE?

br,

Tony

kerryzhou
NXP TechSupport

Hi Tony Thurgood,

Today, I checked our internal secure OTA bootloader; you can see that it also downloads the encrypted FW directly:

[image: pastedImage_1.png]

So, I think even if you use Ethernet, you can also receive the encrypted FW and write it to the related flash area.

Wish it helps you!

Kerry

 

t_thurgood
Contributor III

Hi kerryzhou

Thanks for the explanation.

Is there an NXP document for the L2 Bootloader?

Where can I find the L2 Bootloader code?

br,

Tony

kerryzhou
NXP TechSupport

Hi Tony Thurgood,

  You are welcome!

  Yes, we have, but we can't share it directly in the public community.

Have you already signed the NDA with NXP?

If not, you can sign the NDA with NXP first; after the NDA is approved, you can request it through a technical support case:

https://support.nxp.com/s/

You can also request the NDA through the above case channel.

Wish it helps you!

Kerry

 

t_thurgood
Contributor III

Hi kerryzhou

Ok, we are sorting out the NDA, thanks.

I have another question related to F/W update.

If the new image is built using the position-independent compiler option, it can be located anywhere in unused flash memory. How are the interrupts managed?

The interrupt table @ 0x60002000 would need to be updated with the new code position/offsets before the POR reset. But this is not known at build time.

What is the NXP advice for this?

br,

Tony

kerryzhou
NXP TechSupport

Hi Tony Thurgood,

So normally, you need to use the secondary bootloader: you define a specific address for your app, then after the app is updated, the secondary bootloader jumps to your new app area.

Your secondary bootloader is located at 0x60002000.

For the detailed flow, I suggest you refer to the RT1060 OTA_bootloader in the SDK. It seems the RT1020 SDK still doesn't have it, so please download the RT1060 SDK from this link:

Welcome | MCUXpresso SDK Builder

SDK_2.7.0_EVK-MIMXRT1060\boards\evkmimxrt1060\bootloader_examples\ota_bootloader

SDK_2.7.0_EVK-MIMXRT1060\boards\evkmimxrt1060\lwip_examples\lwip_httpssrv_ota

ota_bootloader is the secondary bootloader located at 0x60002000; lwip_httpssrv_ota is used to upload the firmware over HTTP.

You can refer to it.

Wish it helps you!

Kerry

 

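The jump described in the last reply, as an added example that is not from the thread or from the NXP SDK: the application carries its own vector table at its fixed base, and the secondary bootloader sanity-checks that table before pointing VTOR at it, so the table at 0x60002000 never has to be patched. The bank address and size, the RAM window and the alignment value are assumptions to be replaced with values from your linker script.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical layout: only 0x60002000 (bootloader) comes from the thread. */
#define APP_BASE   0x60040000u  /* assumed start of the application bank */
#define APP_SIZE   0x00100000u  /* assumed size of the application bank */
#define RAM_BASE   0x20000000u  /* assumed RAM window that holds the stack */
#define RAM_SIZE   0x00040000u
#define VTOR_ALIGN 0x400u       /* assumed; depends on the vector count */

/* First two words of a Cortex-M vector table. */
typedef struct { uint32_t initial_sp; uint32_t reset_handler; } vector_head_t;

/* True only if the table at app_base looks like a bootable image.
 * Erased flash (all 0xFF) fails the stack-pointer range check. */
bool app_vectors_valid(uint32_t app_base, const vector_head_t *v)
{
    uint32_t bank_end = APP_BASE + APP_SIZE;
    if (app_base < APP_BASE || app_base >= bank_end) return false;
    if (app_base % VTOR_ALIGN != 0u) return false;
    if (v->initial_sp < RAM_BASE || v->initial_sp > RAM_BASE + RAM_SIZE) return false;
    if (v->initial_sp & 0x7u) return false;          /* 8-byte stack alignment */
    if ((v->reset_handler & 1u) == 0u) return false; /* Thumb bit must be set */
    uint32_t entry = v->reset_handler & ~1u;
    return entry >= app_base + 8u && entry < bank_end;
}

#ifdef __ARM_ARCH_7EM__  /* target build only (GCC/Clang for Cortex-M7) */
/* Assumes the bootloader has already disabled its own interrupt sources and
 * that the application's startup code re-enables interrupts. */
void jump_to_app(uint32_t app_base)
{
    const vector_head_t *v = (const vector_head_t *)(uintptr_t)app_base;
    if (!app_vectors_valid(app_base, v)) return;    /* stay in the bootloader */
    uint32_t sp = v->initial_sp, pc = v->reset_handler;
    __asm volatile("cpsid i" ::: "memory");
    *(volatile uint32_t *)0xE000ED08u = app_base;   /* SCB->VTOR */
    __asm volatile("dsb\n\tisb\n\tmsr msp, %0\n\tbx %1"
                   :: "r"(sp), "r"(pc) : "memory");
}
#endif
```

This check only rejects erased or half-written banks; it says nothing about authenticity, which still depends on verifying the image+csf.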