i.MX RT10xx BEE usage


MulattoKid
Contributor IV

Hi,

I'm working on encrypted XIP on RT1060, and have a question regarding a multi-stage boot procedure. My setup is as follows:

  • Bootloader ELF file is built and written using the Secure Provisioning Tool with the "XIP encrypted (BEE user keys) authenticated" configuration
  • BOOT_CFG1[1] is set to 1 to enable encrypted XIP
  • The encrypted region is from 0x6000_1000 to 0x6061_0000 (which encompasses both the bootloader and the application image)

The bootloader is successfully booted by the boot ROM when done like this.

My goal is to also have the main application image be encrypted. I've made an encrypted version of the application image using OpenSSL using the same key and IV (I believe - I used the method suggested here https://community.nxp.com/t5/i-MX-RT-Crossover-MCUs/RT1064-Signed-amp-Encrypted-bootloader-amp-appli...). However, my bootloader fails to verify the application image as it's encrypted. I'm a bit surprised by this as I thought that specifying the encrypted region to include the application image would automatically ensure any reads from this address range were decrypted, but is that not the case? Does the bootloader need to enable BEE using e.g. BEE_Init, BEE_Enable etc. as shown in the bee example in the SDK? Is this done by the boot ROM, and so that's why that works, and any other application code also needs to enable the BEE?

Kind regards,
Daniel

3 Replies

MulattoKid
Contributor IV

Basically my Secure Provisioning Tool looks like this:

Screenshot from 2024-07-31 13-33-57.png

The bootloader is built and written using the tool into region 0, and works fine. Question is how I can generate other data to put into e.g. region 1? I know the key, but what IV should be used?

MulattoKid
Contributor IV

I believe I've verified that data read from the main application image's address range are decrypted. I did this by flashing an unencrypted application image, of which the first four bytes always are 0x574F4C46. The bootloader will attempt to verify these four bytes, and logs the ones it read if they don't match.

The bootloader fails to match these values and logs 0x1BC5A042. I've read back flash which verifies that the actual flash contents are 0x574F4C46. This indicates that reading from this flash address involves the BEE.

Assuming I'm correct, the issue then seems to be the actual way I encrypt the application image. In the Secure Provisioning Tool I have 1 region configured:
- Start: 0x60001000
- Length: 0x00600000
and the mode is CTR. Since the mode is CTR, does that mean the entire region needs to be encrypted together? If so, that might be causing an issue.

Also, what IV does the tool use?

Thanks,
Daniel

MulattoKid
Contributor IV

Reading https://community.nxp.com/t5/i-MX-RT-Crossover-MCUs/Is-BEE-automatically-enabled-when-programming-an... seems to indicate that ROM should configure the BEE (based on the settings from the Secure Provisioning Tool), and further enabling shouldn't be necessary?
