i.mx RT1052 BEE Encrypt issue

1,249 Views
Ric10
Contributor I

Hi,

I am following this guide to encrypt the demo_app iled_blinky:

https://community.nxp.com/t5/i-MX-RT-Knowledge-Base/RT1015-APP-BEE-encryption-operation-method/ta-p/...

I generate the axf file from MCUXpresso using SDK_2.x_MIMXRT1052xxxxB.

I am using external flash: 

https://eu.mouser.com/datasheet/2/949/w25q128jv_dtr_revc_03272018_plus-1489858.pdf

This is the MCU: MIMXRT1052 DVL6B

I am using the MCU Boot Utility as suggested with the following options:

- Boot Device: FLEXSPI NOR Winbond_W25QxxxJV

- Secure Boot Type: BEE Encrypted Image Boot

- Flexible User Keys and Protected Region start from 0x60000000 with 0x2000 length.

- No certificates

When I press the "All in one action button" the image download finally succeeds, but the decryption does not seem to be working. (If I use the Unsigned Image Boot the LED blinks as I expected.)

During the encryption process the following message is shown: "Fuse SW_GP2 Regions have been burned/locked, it is program-once!" Maybe the private key has not been burned? How can I check it?

Moreover, do I have to configure something else to enable BEE decryption on the fly?

I attached the files generated during the encryption process, maybe they can be useful.

 

 

0 Kudos
3 Replies

1,200 Views
Ric10
Contributor I

Hi @mjbcswitzerland,

Thank you a lot for the answer.

I have set the boot pins in this way: BOOT_MODE[1:0] = 00b. I expected the GPIO boot override pins to be ignored and the boot ROM code to use the boot eFuse settings only. For completeness I attach the eFuse configuration. The decryption has not worked but I don't understand the reason.

Instead I tried to set the boot pins BOOT_MODE[1:0] = 0b10, I enabled the Encrypted-XIP pin and the decryption was OK.

I start to read the documents about the uTasker solution.

Thank you

0 Kudos

1,239 Views
Ric10
Contributor I

Obviously the key has been burned the first time and it is no longer programmable! So how is the decryption not working? I attached the files, the device status and the private key I used the first time to burn.

Best Regards

0 Kudos

1,236 Views
mjbcswitzerland
Specialist V

Hi

Programming a key is not adequate to enable on-the-fly decryption. Also the decryption has to be enabled (either in eFUSEs or via GPIO fuse overrides) and, to make its use actually safe, various JTAG and ISP capabilities disabled. Probably you need to correctly set the GPIO overrides to enable it in a development environment.

Once you set a key to the eFUSE it can not be changed (apart from blowing further bits from '0' to '1').

For on-the-fly decryption requirements it is suggested to first look at the uTasker loader concept which removes the limitations of the basic solution by allowing AES keys to be changed in the future, makes it compatible on all i.MX RT 10xx parts (including i.MX RT 1011 with OTFAD) and provides a true turn-key solution for any application. Its documentation and training videos, plus emulation of the BEE and OTFAD processes, allow interested developers to get full under-the-cover understanding so that they can fully access its security. See links and docs below.

Beware that On-the-fly decryption gives an un-deterministic performance hit. The uTasker solution also allows optimal zero-wait state decryption capabilities for projects that can run in internal RAM.

Regards

Mark
[uTasker project developer for Kinetis and i.MX RT]
Contact me by personal message or on the uTasker web site to discuss professional training, solutions to problems or rapid product development requirements

For professionals searching for faster, problem-free Kinetis and i.MX RT 10xx developments the uTasker project holds the key: https://www.utasker.com/iMX/RT1052.html

 

- Boot loader concept including XiP on-the-fly decryption, clone protection or AES256 protected RAM execution.
-- Boot Loader concept flow chart: https://www.utasker.com/docs/iMX/Loader.pdf and usage reference https://www.utasker.com/docs/iMX/uTaskerLoader_TestDrive.pdf
-- Serial Loader features: https://www.utasker.com/docs/uTasker/uTaskerSerialLoader.pdf
-- Building the loader with MCUXpresso: https://www.utasker.com/docs/iMX/MCUXpresso.pdf (and video guide https://youtu.be/p_eUGo6GypY ) - the guide document explains how to use it with any application (e.g. SDK) and how to enable its operation with On-The-Fly decryption in 5 minutes
-- Building the loader with IAR: https://www.utasker.com/docs/iMX/IAR.pdf (and video guide https://youtu.be/XPCwVndP99s )
-- Building the loader with VisualStudio and GCC: https://www.utasker.com/docs/iMX/GCC.pdf (and video guide https://youtu.be/0UzLLSXABK8 )
Video Guide to encrypting NXP SDK examples to run from XiP memory using on-the-fly decryption and uploading with the µTasker loader: https://www.youtube.com/watch?v=5iT7KP691ls&list=PLWKlVb_MqDQEOCnsNOJO8gd3jDCwiyKKe&index=10
Video Guide to encrypting NXP SDK examples to run at optimal speed in internal RAM and uploading with the µTasker loader:
https://www.youtube.com/watch?v=fnfLQ-nbscI&list=PLWKlVb_MqDQEOCnsNOJO8gd3jDCwiyKKe&index=11
Video Guide for Embedded Artist OEM Module for i.MX RT 1062 showing precise secured application operation analysis: https://youtu.be/o7hQbOqhJoc

 

0 Kudos