i.mx RT1171 OTFAD&HAB secure boot

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

i.mx RT1171 OTFAD&HAB secure boot

1,477 Views
samet-san
Contributor II

Hello 

We have a I.MX RT1171 MCU.   We use  a external Flash. 

We want to do secure boot with OTFAD or IEE or HAB. I implemented instructions in Security Reference Manual. But I couldn't run it. 

Fuses are below ; 

Fuse request: 0x960 |= 0x10 (mask: 0x10); current value=0x1a; status=MATCHES
Fuse request: 0x970 |= 0x0 (mask: 0x1000); current value=0x0; status=MATCHES
Fuse request: 0x860 |= 0x40 (mask: 0x40); current value=0xc068; status=MATCHES
Fuse request: 0x8E0 |= 0x40 (mask: 0x40); current value=0x252; status=MATCHES
Fuse request: 0xC70 |= 0x0 (mask: 0x10); current value=0x0; status=MATCHES


I am doing what  is wrong?

 

0 Kudos
Reply
9 Replies

1,229 Views
samet-san
Contributor II

Hi diego

Thanks for everything. I fixed  my problem.  I  wrote wrong address in linker file.  It is running now. There is not any problem. 

 

0 Kudos
Reply

1,220 Views
diego_charles
NXP TechSupport
NXP TechSupport

Hi @samet-san 

Thank you for letting me know, I am glad to know that it is working. 

Diego

 

0 Kudos
Reply

1,435 Views
diego_charles
NXP TechSupport
NXP TechSupport

Hi @samet-san 

I hope that you are doing well. 

I see that you already burned security related fuses on your MCU. Did you already burned the SRK related fuses?

diego_charles_0-1718810640168.png

They are required and their value depends on the certificate you generate for secure boot. After those fuses are burned you need to generate the signed bootable image using the same certificate. Try generating a signed image using HAB with the MCUXpresso Secure Provisioning tool. Make sure to import your certifcates, so the tool could sign the image with them.

Let me know if I there is anything else where I could help you.

Diego

 

0 Kudos
Reply

1,417 Views
samet-san
Contributor II

Thank you Diego. 

I burned fuses you  say.  But I didnt want to share them. 

I tried diffrent options in MCUXpresso Secure Provisioning. But I dont know which one of them is correct. 

 

I choosed "Boot : Encrypted(HAB)" . I hope it is correct. But I want to use OTFAD and HAB together.

I dont know  how can I do it.

Thanks a lot.

0 Kudos
Reply

1,404 Views
diego_charles
NXP TechSupport
NXP TechSupport

Hi @samet-san 

Yes, you made well not sharing those  fuses!  I did it  becuase I am not using them, and thanks for the confirmation. 

I you want to use OTFAD and HAB please use the Encrypted( OTFAD) authenticated option. Below a reference image

diego_charles_0-1718902097576.png

Please check step by step setup in the section 6.2.3.9 Booting OTFAD encrypted image authenticated with user keys of the SPT User guide ( click on Help tile of the tool to open the guide) 

I hope this could help you!

Diego

0 Kudos
Reply

1,368 Views
samet-san
Contributor II

Hi Diego 

Thanks for your help.

I couldn't run it.  My configuration is below; DCD file is empty.  I dont know  what I write about it .

Adsız.png

 

This is myfuses; 

Fuse request: 0x940 |= 0x2 (mask: 0xff); current value=0x800; status=WRITE
Fuse request: 0x970 |= 0x0 (mask: 0x1000); current value=0x0; status=MATCHES
Fuse request: 0x860 |= 0x0 (mask: 0x40); current value=0xc028; status=MATCHES
Fuse request: 0x8E0 |= 0x0 (mask: 0x40); current value=0x202; status=MATCHES
Fuse request: 0xB00 |= 0x278c501c; current value=0x278c501c; status=MATCHES
Fuse request: 0xB10 |= 0x7345100b; current value=0x7345100b; status=MATCHES
Fuse request: 0xB20 |= 0x472e7aa8; current value=0x472e7aa8; status=MATCHES
Fuse request: 0xB30 |= 0xb13fb29a; current value=0xb13fb29a; status=MATCHES
Fuse request: 0xB40 |= 0xca3b1685; current value=0xca3b1685; status=MATCHES
Fuse request: 0xB50 |= 0x6505ca99; current value=0x6505ca99; status=MATCHES
Fuse request: 0xB60 |= 0x6e6652e6; current value=0x6e6652e6; status=MATCHES
Fuse request: 0xB70 |= 0x6669fc6d; current value=0x6669fc6d; status=MATCHES
Fuse request: 0xC70 |= 0x0 (mask: 0x10); current value=0x0; status=MATCHES
Fuse request: 0x1000 |= 0xffb62518; current value=0xffb62518; status=MATCHES
Fuse request: 0x1010 |= 0x1b8fa603; current value=0x1b8fa603; status=MATCHES
Fuse request: 0x1020 |= 0x645e94b0; current value=0x645e94b0; status=MATCHES
Fuse request: 0x1030 |= 0x6cdd2ac4; current value=0x6cdd2ac4; status=MATCHES

I dont know where it is false.

 

0 Kudos
Reply

1,362 Views
diego_charles
NXP TechSupport
NXP TechSupport

Hi @samet-san 

Thank you for your reply.  

When you say that you can not run the app, was the application flashed into memory? Please share full log from the tool when you attempt to write an image.

I see the below error and it makes me think that the flashloader, used to flash the image, was not even executed.

diego_charles_1-1719287226766.png

If I am correct,  it seems that the flashloader signature does not match  the SRK fuses, so  it was rejected by the ROM, this implies that if the flashloader does not executes, you will not be able to flash the image.

In the PKI management of the tool we have an option to generate keys and certificates, and import keys. Make sure to import the keys and certificates that you used the first time you burn the SRK fuses. 

diego_charles_2-1719287719295.png

If you check your write script, from the tool's Write image tab, is the value written to SRK fuses matching the ones you have?

diego_charles_3-1719288184821.png

I hope this helps,

Diego

 

 

 

0 Kudos
Reply

1,353 Views
samet-san
Contributor II

Hi Diego 

Flashloader is running. It doesn't have any problem. This problem is temporary. Some connection problems.  It doesn't matter.

They SRK keys is same.  Also, Certificates are included.

1.png2.png

I think I configurated uncorrect something .I am doing uncorrect somewhere. But I dont know it. 

Thanks a lot

0 Kudos
Reply

1,279 Views
diego_charles
NXP TechSupport
NXP TechSupport

Hi @samet-san 

My apologies for the delay. 

Thank you for letting me know, ok, I understand that you where able to flash your signed application, but it does not boot. 

Please verify the the boot mode and boot config pin settings. Since you have not burn the fuse to boot from fuses, the boot mode pins should be 0b10 and all of the boot config pins should be set low. 

If you have found anything else in the meantime please let me know. 

Diego

 

 

 

 

0 Kudos
Reply