OTFAD encryption for i.MX RT 1160 EVK without fuse

vishnusudhankj
Contributor III

Hi,

I am trying the OTFAD encryption mechanism for an unsigned image on the i.MX RT 1160 EVK. I followed the steps provided in the SPT as below:

To build the image, do the following:

  1. In the Toolbar set Boot Type to Encrypted, (OTFAD) unsigned for RT11xx or XIP encrypted (OTFAD user keys) unsigned for RT10xx.
  2. As Source executable image, use the image external NOR flash (sample MCU IDE Blinky key program).
  3. Click OTFAD encryption/ XIP encryption (OTFAD user keys) to open the OTFAD Configuration window. In the window set random keys. The window allows you to configure the number of OTFAD regions (contexts), KEK source (OTP or KeyStore), KEK, Key scramble, user keys for regions, regions ranges, random key generation.
  4. Click Build image.
  5. Check that the bootable image was built successfully.

To write the image, do the following:

  1. Switch to Write image view.
  2. Make sure that the board is set to Serial bootloader (ISP) mode.
  3. Reset the board if the OTFAD KEK source is set to KeyStore. It is necessary so that the KeyStore is enrolled successfully.
  4. Ensure that Use built image checkbox is selected.
  5. Open OTP configuration and review the settings and fix any reported problems.
  6. Set a corresponding GPIO pin to enable XIP encryption without burning the fuse (RT11xx). Set to internal mode (sw1 as 0100) & sw2 as 0100000000.
  7. Click Write image.
  8. In the following window, confirm to write fuses:
    • OK - Continue writing the image and burning fuses.
      Note: Burning fuses can only be done once, after that it is not possible to modify them.
    • Cancel - Abort writing the image and burning fuses.

I set the GPIO as mentioned in step 6, but when I try to write the image, the fuse window still pops up and asks to fuse the OTFAD KEK key.

How can I verify the OTFAD encryption without writing into fuse?

 

1 Solution
jeremyzhou
NXP Employee

Hi,
Thanks for your reply.
Firstly, I'd like to know whether you set SW1 and SW2 as the green square below shows and, after the image write completes, then reset the board to boot up.

jeremyzhou_0-1659063422017.png

Next, according to your description, the board doesn't run as expected; you can use the SPT tool to connect to it to check whether it enters Serial Download instead.
TIC

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

 

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

7 Replies
vishnusudhankj
Contributor III

Hi @jeremyzhou 

I am trying a few trials of the OTFAD encryption steps as below:

1. Try to encrypt my binary using the image_enc.exe tool.

2. With this tool, I am manually providing the following command in the image_enc path:

.\image_enc.exe ifile=zephyr-Copy_bootable_nopadding.bin ofile=zephyr_enc_new.bin base_addr=0x30001000 kek=DAD4561645792590D5946289F043BECD otfad_arg=[0123456789abcdeffedcba9876543210,0020406001030507,0x30001000,0xE000] otfad_ctx_lock=0,0,0,0 is_boot_image=0 hw_eng=otfad

3. It shows as below:

vishnusudhankj_0-1660910626725.png

Kindly suggest whether I missed any parameter or syntax. SPT uses the same command, but manually I am not able to execute the same steps.

 

 

 

jeremyzhou
NXP Employee

Hi,
Thanks for your reply.
1) We are setting the GPIO pin to skip the fuse burning? Is my understanding correct?
-- No, I'm afraid not; setting the GPIO pin is not used to skip the fuse burning. In my opinion, the step is actually unnecessary and it's confusing, so I'll contact the SPT tool for confirmation later.
Have a great day,
TIC

vishnusudhankj
Contributor III

Hi @jeremyzhou 

Thanks for your clarification,

I tried burning the fuse and flashing the sample program (blinky, available with the IDE) with OTFAD encryption (unsigned), following the steps mentioned in the user guide for the i.MX RT1160 EVK.

I was able to build, burn the KEK fuse and write the image using SPT.

Upon reset, I was not able to see the required output (blinking the LED); it seems the execution fails.

Attached SPT log for your reference (OTFAD Encryption_withmcuide.docx).

Kindly suggest how to verify the OTFAD encryption method?

Note: Tried with the hello world program also; the serial terminal remains blank (execution fails upon reset).

vishnusudhankj
Contributor III

Hi,

Also, please suggest: for any method of encryption, will the boot header such as IVT, BD & DCD also get encrypted?

 

jeremyzhou
NXP Employee

Hi @vishnusudhankj ,
Thank you for your interest in NXP Semiconductor products and for the opportunity to serve you.
1) How can I verify the OTFAD encryption without writing into fuse?
-- Actually, I'm not very clear about your question, as there's no offline tool to simulate the MCU loading the encrypted image, so there is no other way except for checking the log.
2) The write image process is wrong; please refer to the guide to do it.
3) Will the boot header such as IVT, BD & DCD also get encrypted?
-- Yes, you can encrypt them.
TIC

vishnusudhankj
Contributor III

Hi @jeremyzhou 

As in the guide, under section Booting OTFAD encrypted image unsigned with user keys (7.2.3.7), in the Write image part, step 6 is mentioned as

"Set a corresponding GPIO pin to enable XIP encryption without burning the fuse (RT11xx). See Table 6 for more information."

I followed the steps as suggested in the guide and set the corresponding GPIO pin as suggested in Table 6.

vishnusudhankj_0-1658826021506.png

On clicking Write image, a popup window opens asking to burn the fuse for the OTFAD key. (Then I am confused: what is step 6 actually referring to?)

Are we setting the GPIO pin to skip the fuse burning? Is my understanding correct? If so, why does the popup open and ask to burn the fuse? Kindly clarify the same.

 
