i.MX RT10xx Secure Boot/HAB with Secure Provisioning Tool

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决

i.MX RT10xx Secure Boot/HAB with Secure Provisioning Tool

跳至解决方案
1,275 次查看
MulattoKid
Contributor IV

Hi,

I'm looking to verify my understanding of how the Secure Provisioning Tool works:

  1. Given an ELF file without any flash config, and IVT, the Secure Provisioning Tool will generate these based on the selected configuration in the tool itself. It will then extract the binary from the ELF file, and add these generated blocks to the front of the binary. The binary can now be flashed, and if e.g. the Secure Provisioning Tool was configured to generate a Secure Boot/HAB binary, the boot ROM will initiate HAB validation when the MCU boots. Is my understanding correct?
  2. How are the fuses that lock down the they keys that can be used for signing a binary configured, does it happen automatically the first time a binary with HAB enabled is attempted booted?

Kind regards,
Daniel

0 项奖励
回复
1 解答
1,261 次查看
kerryzhou
NXP TechSupport
NXP TechSupport

Hi @MulattoKid ,

  Share you some document, it will help you understand your issues, it is from the commander line method, in fact, the SPT tool also merge the commander line method to the GUI method:

My HAB document:

https://community.nxp.com/t5/i-MX-RT-Knowledge-Base/RT1050-HAB-Encrypted-Image-Generation-and-Analys...

1. Given an ELF file without any flash config, and IVT, the Secure Provisioning Tool will generate these based on the selected configuration in the tool itself. It will then extract the binary from the ELF file, and add these generated blocks to the front of the binary. The binary can now be flashed, and if e.g. the Secure Provisioning Tool was configured to generate a Secure Boot/HAB binary, the boot ROM will initiate HAB validation when the MCU boots. Is my understanding correct?

=>Answer:  You understand is correct, the SPT tool will help to generate the image from IVT+BD+HAB data +app, then download the FCB at first, then download the secured or signed imaged from IVT aea.

2. How are the fuses that lock down the they keys that can be used for signing a binary configured, does it happen automatically the first time a binary with HAB enabled is attempted booted?

=>Answer: If you check my document in the above, you will find, it will use this method do burn your fuse:

kerryzhou_0-1710471917902.png

 

In fact, modify the fuse area directly.

 

Wish it helps you!

If you still have question about it, please kindly let me know.

If your question is solved, please help me to mark the correct answer, just to close this case, thanks.

Any new issues, welcome to create the new question post.

Best Regards,

Kerry

在原帖中查看解决方案

0 项奖励
回复
6 回复数
1,262 次查看
kerryzhou
NXP TechSupport
NXP TechSupport

Hi @MulattoKid ,

  Share you some document, it will help you understand your issues, it is from the commander line method, in fact, the SPT tool also merge the commander line method to the GUI method:

My HAB document:

https://community.nxp.com/t5/i-MX-RT-Knowledge-Base/RT1050-HAB-Encrypted-Image-Generation-and-Analys...

1. Given an ELF file without any flash config, and IVT, the Secure Provisioning Tool will generate these based on the selected configuration in the tool itself. It will then extract the binary from the ELF file, and add these generated blocks to the front of the binary. The binary can now be flashed, and if e.g. the Secure Provisioning Tool was configured to generate a Secure Boot/HAB binary, the boot ROM will initiate HAB validation when the MCU boots. Is my understanding correct?

=>Answer:  You understand is correct, the SPT tool will help to generate the image from IVT+BD+HAB data +app, then download the FCB at first, then download the secured or signed imaged from IVT aea.

2. How are the fuses that lock down the they keys that can be used for signing a binary configured, does it happen automatically the first time a binary with HAB enabled is attempted booted?

=>Answer: If you check my document in the above, you will find, it will use this method do burn your fuse:

kerryzhou_0-1710471917902.png

 

In fact, modify the fuse area directly.

 

Wish it helps you!

If you still have question about it, please kindly let me know.

If your question is solved, please help me to mark the correct answer, just to close this case, thanks.

Any new issues, welcome to create the new question post.

Best Regards,

Kerry

0 项奖励
回复
1,256 次查看
MulattoKid
Contributor IV

Hi @kerryzhou,

Thanks a lot for your response, that clarifies a lot!

Kind regards,
Daniel

0 项奖励
回复
1,250 次查看
kerryzhou
NXP TechSupport
NXP TechSupport

Hi @MulattoKid ,

  You are always welcome!

  If you meet any issues in the future, welcome to create the case, and let us know.

Best Regards,

kerry

0 项奖励
回复
1,245 次查看
MulattoKid
Contributor IV

Oh, one thing I forgot to confirm: flashing the signed binary itself can be done in the regular internal boot mode, but for the files that modify the fuse map it's required to be in serial downloader mode, correct?

0 项奖励
回复
1,241 次查看
kerryzhou
NXP TechSupport
NXP TechSupport

Hi @MulattoKid ,

   Yes, all need to in the serial download mode, and also need to use the signed flashloader if you already do the HAB signed.

 

Wish it helps you!

If you still have question about it, please help to create the new question post, thanks.

Best Regards,

Kerry

1,238 次查看
MulattoKid
Contributor IV

Great, thanks!