i.MX RT10xx Secure Boot/HAB with Secure Provisioning Tool

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

i.MX RT10xx Secure Boot/HAB with Secure Provisioning Tool

Jump to solution
1,084 Views
MulattoKid
Contributor IV

Hi,

I'm looking to verify my understanding of how the Secure Provisioning Tool works:

  1. Given an ELF file without any flash config, and IVT, the Secure Provisioning Tool will generate these based on the selected configuration in the tool itself. It will then extract the binary from the ELF file, and add these generated blocks to the front of the binary. The binary can now be flashed, and if e.g. the Secure Provisioning Tool was configured to generate a Secure Boot/HAB binary, the boot ROM will initiate HAB validation when the MCU boots. Is my understanding correct?
  2. How are the fuses that lock down the they keys that can be used for signing a binary configured, does it happen automatically the first time a binary with HAB enabled is attempted booted?

Kind regards,
Daniel

0 Kudos
Reply
1 Solution
1,070 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi @MulattoKid ,

  Share you some document, it will help you understand your issues, it is from the commander line method, in fact, the SPT tool also merge the commander line method to the GUI method:

My HAB document:

https://community.nxp.com/t5/i-MX-RT-Knowledge-Base/RT1050-HAB-Encrypted-Image-Generation-and-Analys...

1. Given an ELF file without any flash config, and IVT, the Secure Provisioning Tool will generate these based on the selected configuration in the tool itself. It will then extract the binary from the ELF file, and add these generated blocks to the front of the binary. The binary can now be flashed, and if e.g. the Secure Provisioning Tool was configured to generate a Secure Boot/HAB binary, the boot ROM will initiate HAB validation when the MCU boots. Is my understanding correct?

=>Answer:  You understand is correct, the SPT tool will help to generate the image from IVT+BD+HAB data +app, then download the FCB at first, then download the secured or signed imaged from IVT aea.

2. How are the fuses that lock down the they keys that can be used for signing a binary configured, does it happen automatically the first time a binary with HAB enabled is attempted booted?

=>Answer: If you check my document in the above, you will find, it will use this method do burn your fuse:

kerryzhou_0-1710471917902.png

 

In fact, modify the fuse area directly.

 

Wish it helps you!

If you still have question about it, please kindly let me know.

If your question is solved, please help me to mark the correct answer, just to close this case, thanks.

Any new issues, welcome to create the new question post.

Best Regards,

Kerry

View solution in original post

0 Kudos
Reply
6 Replies
1,071 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi @MulattoKid ,

  Share you some document, it will help you understand your issues, it is from the commander line method, in fact, the SPT tool also merge the commander line method to the GUI method:

My HAB document:

https://community.nxp.com/t5/i-MX-RT-Knowledge-Base/RT1050-HAB-Encrypted-Image-Generation-and-Analys...

1. Given an ELF file without any flash config, and IVT, the Secure Provisioning Tool will generate these based on the selected configuration in the tool itself. It will then extract the binary from the ELF file, and add these generated blocks to the front of the binary. The binary can now be flashed, and if e.g. the Secure Provisioning Tool was configured to generate a Secure Boot/HAB binary, the boot ROM will initiate HAB validation when the MCU boots. Is my understanding correct?

=>Answer:  You understand is correct, the SPT tool will help to generate the image from IVT+BD+HAB data +app, then download the FCB at first, then download the secured or signed imaged from IVT aea.

2. How are the fuses that lock down the they keys that can be used for signing a binary configured, does it happen automatically the first time a binary with HAB enabled is attempted booted?

=>Answer: If you check my document in the above, you will find, it will use this method do burn your fuse:

kerryzhou_0-1710471917902.png

 

In fact, modify the fuse area directly.

 

Wish it helps you!

If you still have question about it, please kindly let me know.

If your question is solved, please help me to mark the correct answer, just to close this case, thanks.

Any new issues, welcome to create the new question post.

Best Regards,

Kerry

0 Kudos
Reply
1,065 Views
MulattoKid
Contributor IV

Hi @kerryzhou,

Thanks a lot for your response, that clarifies a lot!

Kind regards,
Daniel

0 Kudos
Reply
1,059 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi @MulattoKid ,

  You are always welcome!

  If you meet any issues in the future, welcome to create the case, and let us know.

Best Regards,

kerry

0 Kudos
Reply
1,054 Views
MulattoKid
Contributor IV

Oh, one thing I forgot to confirm: flashing the signed binary itself can be done in the regular internal boot mode, but for the files that modify the fuse map it's required to be in serial downloader mode, correct?

0 Kudos
Reply
1,050 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi @MulattoKid ,

   Yes, all need to in the serial download mode, and also need to use the signed flashloader if you already do the HAB signed.

 

Wish it helps you!

If you still have question about it, please help to create the new question post, thanks.

Best Regards,

Kerry

1,047 Views
MulattoKid
Contributor IV

Great, thanks!