Signature and encrypt XIP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Signature and encrypt XIP

Jump to solution
1,784 Views
ffloree
Contributor III

Hi,

We are running into a problem in RT1052 platform, my software system is bootloader + application, run as XIP, which both reside in flash but not next to each other. After running bootloader, MCU will jump to application area to run.

Bootloader has been encrypted by HAB signature, but which encryption method is available for my application? After reading your AN12079, I have some questions:

1. if BEE encryption (encrypt/decrypt XIP) has been applied on the application, can I download a plain image and debug it in this area by JTAG?

2. Does encrypt XIP happen at bootable image download?

3. If the application is only encrypted by signature, is it possible to make bootloader tell MCU to check the signature before jumping?

I just want to figure out how to encrypt a XIP application, any suggestions? Thank you!

1 Solution
1,638 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi tom fang,

   Glad to see you, you are always welcome!

   Answer your questions:

1. This is my understanding of XIP encryption process, is it correct?

    1) PC side: an unsigned image (plain image) ->add BEE configuration->.sb file (it isn't encrypted)

    2) download process: .sb file is being downloaded to flash, but data belonging to the ranges of BEE indicated will be encrypted while writing, so the file in flash would be different from the original one ( in step 1)

    3) bootup process: after a reboot, MCU will run the image, but once it runs code belonging to the special ranges must be decrypted firstly.

Answer: The PC side use the unsigned image, then it should add the BEE encrypted code, then download the encrypted code directly. You have checked AN12079, you can find when generate the .sb files, it is using:

elftosb.exe -f kinetis -V -c program_flexspinor_image_hyperflash_encrypt.bd -o boot_image.sb ivt_application_unsigned_nopadding.bin

It means, the boot_image.sb already the encrypted code, then use the MFGtool, just need to download the code.

pastedImage_3.png

You can find when do the download, it just download  the flashloader, the fuse and the .sb files.

This is my understanding. If you have the interest, you also can try the BEE encrypted operation details, then check each steps generated files, and compare with your last downloaded and flash readout memory. You can check my HAB operation process, may useful to your understanding:

RT1050 HAB Encrypted Image Generation and Analysis 

BEE is simliar.

  When do the BEE boot, the spcial ranges which is encrypted must do decrypted at first. BEE is runing while decrypted directly. Not like the HAB encrypted, which will copy to the internal RAM, and do the decrypted, then run from RAM driectly.

2. My bootloader did have done the HAB signature and run in flash as XIP, yes, flashloader was signed as well, but it did run as XIP. So according to your answers, it seems APP couldn't do signature encryption, because it needs a signed flashloader to work together, and only ROM code can do that, am I right?

Answer:  Please note, HAB signature and encrypted just to the Non XIP code. If it is the XIP code, you need to use the BEE. Non XIP code means the real app code in the internal RAM. The signed flashloader needs the ROM code to do it.

Wish it helps you!

Have a great day,
Kerry

 

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

 

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

View solution in original post

4 Replies
1,638 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi tom fang

1. if BEE encryption (encrypt/decrypt XIP) has been applied on the application, can I download a plain image and debug it in this area by JTAG?

Answer: If your chip already do the BEE encryption(already set the fuse), the directly debug in the flash through the SWD/JTAG will have problems, so I suggest you download the code with MCUBootUtility tools, which can select the encrypted flash area.

MCUbootUtility tool download link:

https://github.com/JayHeng/NXP-MCUBootUtility/archive/v2.2.0.zip

the related user manual is:
https://github.com/JayHeng/NXP-MCUBootUtility

2. Does encrypt XIP happen at bootable image download?

Answer:  Encrypted XIP code will be downloaded to your code, then after boot, the code will do the Encrypted XIP boot.

You can try the MCUbootUtility tool, download the firmware, and readout the flash image, you will know the encrypted image details.

3. If the application is only encrypted by signature, is it possible to make bootloader tell MCU to check the signature before jumping?

Answer: If you do the HAB signature, the code should be Non XIP code, which should run in the RAM, you can refer to the AN12681 and AN12079, you can find the flashloader also need to do the signed operation at first.

If you want to just do the app firmware encrypted, you can use the MCUbootUtility tool just select the related app image address do the BEE encrypted operation.

Wish it helps you!

If you still have questions about it, please kindly let me know.

Have a great day,
Kerry

 

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

 

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
1,638 Views
ffloree
Contributor III

Hi Kerry, good to see you again! Thanks for your answers, I have been using NXP-MCUBootUtility and reading AN12079, based on your answers, still many confusing here.

1. This is my understanding of XIP encryption process, is it correct?

    1) PC side: an unsigned image (plain image) ->add BEE configuration->.sb file (it isn't encrypted)

    2) download process: .sb file is being downloaded to flash, but data belonging to the ranges of BEE indicated will be encrypted while writing, so the file in flash would be different from the original one ( in step 1)

    3) bootup process: after a reboot, MCU will run the image, but once it runs code belonging to the special ranges must be decrypted firstly.

2. My bootloader did have done the HAB signature and run in flash as XIP, yes, flashloader was signed as well, but it did run as XIP. So according to your answers, it seems APP couldn't do signature encryption, because it needs a signed flashloader to work together, and only ROM code can do that, am I right?

0 Kudos
1,639 Views
kerryzhou
NXP TechSupport
NXP TechSupport

Hi tom fang,

   Glad to see you, you are always welcome!

   Answer your questions:

1. This is my understanding of XIP encryption process, is it correct?

    1) PC side: an unsigned image (plain image) ->add BEE configuration->.sb file (it isn't encrypted)

    2) download process: .sb file is being downloaded to flash, but data belonging to the ranges of BEE indicated will be encrypted while writing, so the file in flash would be different from the original one ( in step 1)

    3) bootup process: after a reboot, MCU will run the image, but once it runs code belonging to the special ranges must be decrypted firstly.

Answer: The PC side use the unsigned image, then it should add the BEE encrypted code, then download the encrypted code directly. You have checked AN12079, you can find when generate the .sb files, it is using:

elftosb.exe -f kinetis -V -c program_flexspinor_image_hyperflash_encrypt.bd -o boot_image.sb ivt_application_unsigned_nopadding.bin

It means, the boot_image.sb already the encrypted code, then use the MFGtool, just need to download the code.

pastedImage_3.png

You can find when do the download, it just download  the flashloader, the fuse and the .sb files.

This is my understanding. If you have the interest, you also can try the BEE encrypted operation details, then check each steps generated files, and compare with your last downloaded and flash readout memory. You can check my HAB operation process, may useful to your understanding:

RT1050 HAB Encrypted Image Generation and Analysis 

BEE is simliar.

  When do the BEE boot, the spcial ranges which is encrypted must do decrypted at first. BEE is runing while decrypted directly. Not like the HAB encrypted, which will copy to the internal RAM, and do the decrypted, then run from RAM driectly.

2. My bootloader did have done the HAB signature and run in flash as XIP, yes, flashloader was signed as well, but it did run as XIP. So according to your answers, it seems APP couldn't do signature encryption, because it needs a signed flashloader to work together, and only ROM code can do that, am I right?

Answer:  Please note, HAB signature and encrypted just to the Non XIP code. If it is the XIP code, you need to use the BEE. Non XIP code means the real app code in the internal RAM. The signed flashloader needs the ROM code to do it.

Wish it helps you!

Have a great day,
Kerry

 

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

 

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

1,638 Views
ffloree
Contributor III

Thank you Kerry! I have got all answers.

0 Kudos