MIMXRT685-EVK: Getting debug authentication to work


3,956 views
daparker
Contributor III

Hello, I'm evaluating the debug authentication process in section 48.10 of the RT600 user manual to enable post-launch retail microcontroller debugging for an upcoming product. I'm looking for some pointers or guidance on getting the debug authentication to succeed with my MIMXRT685-EVK board and NXP tools. So far, I've created the attached project using the MCUXpresso Secure Provisioning SDK 4.1 [secure_provisioning.zip]. This project is configured to create a secure bootable image based on the gpio_led_output demo, write the RKH to OTP, RTKH to shadow registers and disable Hifi4 DSP access unless the debug authentication succeeds. To set up my repro, I use the following steps:

  1. Build the gpio_led_output in MCUXpresso with the BOOT_HEADER_ENABLE preprocessor define undefined. Then build the image in the SP SDK and click "Show write script" to update the write script used below.
  2. Set to enter serial ISP mode. ISP DIP switches (L,L,H)
  3. Remove power from the system to clear shadow register config, then plug the link probe and RT685 USB back in.
  4. Run these scripts to program the image from the Secure Provisioning project:
    1. ./write_image_mac.sh
    2. ./gen_scripts/write_shadows.sh
  5. Set to boot from FlexSPI Port B: (H,L,H), soft reset. Verify the target is booted securely into the gpio_led_output demo by making sure the blue user LED is on.
  6. Generate a DC and attempt authentication with the following commands:
    1. nxpdebugmbox gendc -c gendc_config.yaml -e gen_sb/mbi_config.json auth.dc --force
    2. nxpdebugmbox -vv auth -b 0 -c auth.dc -k dck
  7. Authentication fails with the attached log [log.txt]. Excerpt:

INFO:spsdk.debuggers.debug_probe_pyocd:PyOCD connected via LPC-LINK2 CMSIS-DAP V5.224 probe.
DEBUG:spsdk.debuggers.utils:step T.1: Activate the correct AP
DEBUG:spsdk.debuggers.utils:step T.2: Set the AP access size and address mode
DEBUG:spsdk.debuggers.utils:step T.3: Set the initial AHB address to access
DEBUG:spsdk.debuggers.utils:step T.4: Access the memory system at that address
DEBUG:spsdk.debuggers.utils:Chip has NOT enabled AHB access.
INFO:spsdk.apps.nxpdebugmbox:Debug Authentication ends without AHB access.

Is there anyone who can help out with this?

7 Replies

3,926 views
daparker
Contributor III

I have a real JLink. I can just switch to using that instead of the LPC-LINK2. This should be the full set of repro steps now, and both debugger keys should be included. The result is not much different from before, which I attached [nxpdebugmbox.txt].

./write_image_mac.sh
./gen_scripts/write_shadows.sh
nxpdebugmbox -vv auth -b 0 -c auth.dc -k keys/dck.pem

I think my configuration should be correct, however I'd appreciate some help validating it. I noticed some of the stuff in the yaml appeared to be unused by nxpdebugmbox so I removed it, as I'm passing in an elf2sb file instead. Also, this should be a totally unfused MCU. Are any fuses required to be burned or data written to flash to make debug auth work? I don't think that should be the case, but I'd like to double check.

3,895 views
diego_charles
NXP TechSupport

Hi @daparker 

Thanks for the additional information! 

I am currently reviewing your files and steps. 

Diego.

3,834 views
diego_charles
NXP TechSupport

Hi @daparker 

We would need to burn some fuses to get debug authentication. 

To avoid assuming things, could you help me to read all the fuses you got on your MCU (if any)?

Many thanks for your patience, 

Diego

3,817 views
daparker
Contributor III

Good morning, we're also suspecting fuse config as we were able to get this to work on one of our proto boards. Attached is the fuse config read from SPSDK.

3,807 views
diego_charles
NXP TechSupport

Hi @daparker 

Thank you for your reply!

Our team double-checked the shadow registers required by debug authentication. For SEC_BOOT_CFG[5] (0x40130194), it should be set to 0x80.

We are also checking the reliability of configuration using fuses. I will get back to you as soon as I receive more information.

Regarding your comment in red: "we're also suspecting fuse config as we were able to get this to work on one of our proto boards". To avoid assuming anything, could you expand on the text in red?

Many thanks for your patience, 

Diego

3,789 views
daparker
Contributor III

Hey Diego, happy Friday. To clarify in red, I mean we got this working on our own hardware. I'm just not able to get it to work on my devkit. Besides that, we would like to use OTP not PUF. I did try your suggestion below and this still doesn't work on my devkit.

3,935 views
diego_charles
NXP TechSupport

Hi @daparker 

I hope you are doing well! 

I am concerned about the Debug Credential Key you have, DCK.pub: I have not found its associated .pem in your files. Or, as it is private, did you put it somewhere else? Or did you verify that the .pub you gave us corresponds to the .pem you have?

So what I suggest you to do is: 

Generate a debugger key pair (I have not seen this command yet in your files or description):

nxpkeygen -d debug -k rsa2048 keys\dck.pem

So, when calling this command, give the dck.pem:

nxpdebugmbox -vv auth -b 0 -c auth.dc -k dck.pem

Here is an example with the LPC55 

[Screenshot: diego_charles_5-1660345841581.png]

Here is another tip: I recommend you load J-Link into your LPC-LINK2. Sometimes when we enable debug authentication, Segger is more reliable to initiate a debug session on the MCUXpresso. I do not know why, but I have seen this on the LPC55.

Please let me know more details, so we can dig further if needed. Checking if DC keys match to what we expect on the RT600. Or if there is any setting we could do.

All the best,

Diego.
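
The check suggested in the last reply, that the `.pub` used for the debug credential corresponds to the `.pem` passed to `nxpdebugmbox auth -k`, can be done mechanically by comparing public-key fingerprints. This is an added example, not part of the thread or of NXP's tooling; it assumes both files are PEM keys that the `openssl` CLI can parse, and the function names and throwaway sample keys are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): check that a debug credential public
# key file was derived from the private key handed to `nxpdebugmbox auth -k`.
# Assumption: both files are PEM keys that the openssl CLI can parse.

# Print the SHA-256 of the DER SubjectPublicKeyInfo of a key file.
# $1 = key file, $2 = "priv" or "pub". Returns 2 if the key cannot be read.
spki_digest() {
    der=$(mktemp) || return 2
    case "$2" in
        priv) openssl pkey -in "$1" -pubout -outform DER -out "$der" 2>/dev/null ;;
        pub)  openssl pkey -pubin -in "$1" -pubout -outform DER -out "$der" 2>/dev/null ;;
        *)    false ;;
    esac || { rm -f "$der"; return 2; }
    openssl dgst -sha256 -r "$der" | cut -d' ' -f1
    rm -f "$der"
}

# 0 = public key belongs to the private key, 1 = mismatch, 2 = unreadable key.
key_matches() {
    priv_fp=$(spki_digest "$1" priv) || return 2
    pub_fp=$(spki_digest "$2" pub) || return 2
    [ "$priv_fp" = "$pub_fp" ]
}

# Constructed sample input: two throwaway RSA-2048 key pairs in directory $1.
make_sample_keys() {
    for name in a b; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$1/$name.pem" 2>/dev/null || return 1
        openssl pkey -in "$1/$name.pem" -pubout -out "$1/$name.pub" || return 1
    done
}

# Usage: sh check_dck.sh <private.pem> <public.pub>
if [ "$#" -eq 2 ]; then
    rc=0
    key_matches "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "match: $2 was derived from $1" ;;
        1) echo "MISMATCH: $2 does not belong to $1" ;;
        *) echo "error: could not parse one of the key files" ;;
    esac
fi
```

A mismatch here means the debug credential was built around a different key than the one used to answer the authentication challenge, so the pair should be regenerated and the credential rebuilt before looking at fuse or shadow-register settings.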