RT117x to execute both encrypted and plain-text executable

mastupristi
Senior Contributor I

On RT1051 we are able to run an encrypted FW or even a plain-text FW.

The fuses we write to RT1051 are as follows:

  • BT_FUSE_SEL 0x460[4]: Boot from fuse
  • SW_GP2 0x690 0x6a0 0x6b0 0x6c0: decryption key
  • ENCRYPTED_XIP_EN 0x450[1]: as per name
  • BEE_KEY0_SEL 0x460[13:12]: 0b11 BEE KEY0 taken from SW_GP2

The rest I keep at default (boot is from NOR on FlexSPI, SEC_CONFIG is Open, etc.).

In this way if the FW is encrypted (with the right key) the micro executes it. But if there is a plain-text FW in the flash, the micro runs it anyway.


On RT117x we are unable to start a plain-text FW.

The fuses I wrote are:

  • BT_FUSE_SEL 0x960[4]: Boot from fuse
  • ENCRYPT_XIP_EN 0x940[1]: as per name
  • USER_KEY5 0x1000 0x1010 0x1020 0x1030: Key encryption key


I keep the rest at default (OTFAD key taken from USER_KEY5, boot takes place from NOR on FlexSPI, SEC_CONFIG is Open, etc.).
Well, in this way I can run an encrypted FW. But not a plain-text FW.
The documentation suggests there might be a way, but we're not finding it. In fact, if I understand correctly, OTFAD would try to decipher the keyblob, which a plain-text image does not have, so the operation should fail, and OTFAD should be turned off. And when OTFAD is turned off the data on the bus passes without being modified. Then the FW should be able to run. But that's not the case.

We would like to know if there is a way to replicate the same functionality that we use on the RT1051.

 

best regards

Max

1 Solution
martin_hrncarek
NXP Employee

Hi @mastupristi,

RT1051 vs RT1170 Encrypted XiP implementation is different.

Once Encrypted XiP is enabled on RT1170, all mandatory structures must be present on the external memory (valid OTFAD KeyBlob along with PUF Keystore if enabled). Otherwise the device will not boot.

You can refer to AN13250 + SW to check how it is implemented and what steps must be performed.

On RT1051, if the BEE config structures are not present on the external memory, the boot flow continues, which is why you can boot a plain image. This corresponds to an image created with "XIP_BOOT_HEADER_ENABLE=1" enabled in the SDK. This doesn't include the structures for encrypted XiP, just the base ones such as FCB and IVT.

The only way to run a plain image on RT1170 with encrypted XiP enabled is to disable OTFAD decrypt in the configuration.

For example:

set BASE_ADDR=0x30000000
set OTFAD_KEY1=6def5a17e01e0f9ced272ac96dd8faba
set CTR1=0020406001030507
set START1=0x30001000
set LENGTH1=0x6000 -> This must be set to 0, then OTFAD will not decrypt the flash content and plain application can boot.

NOTE:

Encrypted XiP must be always enabled along with HAB (device closed) to ensure integrity, authenticity and confidentiality of your application image.

Best Regards,
Martin H
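
An added example (not part of the original post and not NXP's tooling): a small Python check over the variable block posted above that works out which OTFAD contexts actually decrypt and flags the combinations the answer warns about. The function names and the `image_encrypted` / `device_closed` inputs are assumptions supplied by the caller; the `set` variable names are the ones shown in the post.

```python
import re

# The variable block from the answer above, copied as posted.
POSTED = """\
set BASE_ADDR=0x30000000
set OTFAD_KEY1=6def5a17e01e0f9ced272ac96dd8faba
set CTR1=0020406001030507
set START1=0x30001000
set LENGTH1=0x6000
"""

SET_RE = re.compile(r"^\s*set\s+([A-Z_]+)(\d*)=(\S+)", re.I)

def parse(text):
    """Split `set NAME<n>=value` lines into globals and per-context dicts."""
    glob, ctx = {}, {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            name, idx, val = m.group(1).upper(), m.group(2), m.group(3)
            if idx:
                ctx.setdefault(int(idx), {})[name] = val
            else:
                glob[name] = val
    return glob, ctx

def audit(text, image_encrypted, device_closed):
    """Return findings; both flags are assumed inputs, not read from hardware."""
    glob, ctx = parse(text)
    base = int(glob["BASE_ADDR"], 16)
    findings, active = [], []
    for i, c in sorted(ctx.items()):
        start, length = int(c["START"], 16), int(c["LENGTH"], 16)
        if length == 0:
            continue  # per the answer: OTFAD does not decrypt this region
        if start < base:
            findings.append(f"ctx{i}: START below BASE_ADDR")
        # The posted key is 32 hex digits; anything else is treated as malformed.
        if not re.fullmatch(r"[0-9a-fA-F]{32}", c.get("OTFAD_KEY", "")):
            findings.append(f"ctx{i}: key is not 32 hex digits")
        active.append(i)
    if image_encrypted and not active:
        findings.append("encrypted image but no region is decrypted")
    if not image_encrypted and active:
        findings.append("plain image inside a decrypted region")
    if not active:
        findings.append("firmware is stored in plaintext on external flash")
    if not device_closed:
        findings.append("device open: image is not authenticated by HAB")
    return findings
```

With `LENGTH1` zeroed the plain image is consistent with the configuration, but the check still reports that the firmware sits unencrypted in external flash, which is the trade-off behind the NOTE in the answer.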

Kan_Li
NXP TechSupport

Hi @mastupristi ,

 

On RT117x, when encrypted XIP is enabled, key blob is always needed. Please kindly refer to the following for details.

[Image: Kan_Li_0-1701674844859.png]

Please kindly refer to Figure 10-3. FlexSPI NOR boot flow in RM for more details.

Hope that makes sense,

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

mastupristi
Senior Contributor I

But isn't this the same thing that occurs in RT105x? At least limited to the portion of flowchart you highlighted, RT105x has only BEE. If what you say is true it should also apply to RT105x, but it doesn't.
So:

  • either explain to me in detail the difference between RT117x and RT105x, which justifies the different behavior.
  • Or help me find a way to make RT117x behave like RT105x.

regards

Max

Kan_Li
NXP TechSupport

Hi @mastupristi ,

 

Actually, as far as I know, RT1051 and RT1170 should only run an encrypted image under BT_FUSE_SEL==1 and ENCRYPTED_XIP_EN==1. OTFAD can't turn on/off automatically; it is configured by ROM code according to ENCRYPTED_XIP_EN==1, and OTFAD only unwraps the keyblob by itself. In RT1051, BEE replaces OTFAD, and all of the configuration and EKIB/EPRDB unwrapping are finished by ROM code according to ENCRYPTED_XIP_EN==1. May I have more info regarding the RT1051 on your hands?

 

Have a great day,
Kan


mastupristi
Senior Contributor I

> May I have more info regarding the RT1051 on your hands?

I don't know more than what I've already told you, but you can easily try on your own (as long as you sacrifice an EVKB).

The fuses you need to write are:

  • BT_FUSE_SEL 0x460[4]: Boot from fuse
  • SW_GP2 0x690 0x6a0 0x6b0 0x6c0: decryption key
  • ENCRYPTED_XIP_EN 0x450[1]
  • BEE_KEY0_SEL 0x460[13:12]: 0b11 BEE KEY0 taken from SW_GP2

I keep all the others at default (our boards boot from NOR on FlexSPI, I keep SEC_CONFIG Open, etc.).

At this point you can either run an encrypted image, or a plaintext image. The plain-text image can be an example of the SDK compiled with all boot headers (XIP_BOOT_HEADER_ENABLE=1). And this happens without changing the boot pin configurations. For example, on my boards I have BOOT[01]=0b00 (boot from fuse).

Please try to see for yourself.

 

regards

Max
