Background:
The High Assurance Boot (HABv4) feature available in i.MX & Vybrid family devices provides an option to extend the root of trust beyond the initial primary boot image. An Application Programming Interface (API) is provided by the on-chip ROM that allows the use of the HAB library to extend the root of trust and authenticate additional software images.
When authenticating images using the hab_rvt.authenticate_image() API function, the data caches can be enabled for faster authentication.
On the devices listed below, the ROM code must be informed that caches are enabled before hab_rvt.authenticate_image() is called. Otherwise, the ROM will not flush the caches when needed and the authentication may fail. Writing 0x1 to the PU_IROM_MMU_EN_VAR address prior to authenticating an image notifies the ROM of the cache state.
- i.MX 6Dual/6Quad
- i.MX 6Solo/6DualLite
- i.MX 6SoloLite
The current U-Boot implementation checks whether the MMU is enabled and writes to PU_IROM_MMU_EN_VAR prior to authenticating an image; details can be found in the hab.c code.
More information about the HAB API can be found in the HABv4 API Reference Manual and in the HABv4 RVT Guidelines and Recommendations application note (AN12263).
Issue Description:
The current address 0x00900a18 in the hab.c code is not correct for the i.MX 6SoloLite device. The correct address for MX6SL_PU_IROM_MMU_EN_VAR is 0x00901c60.
Because the write goes to the wrong address, the ROM code does not flush the caches when needed, and the following HAB event is observed in certain scenarios:
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x14 0x41 0x33 0x18 0xc0 0x00
0xca 0x00 0x0c 0x00 0x01 0xc5 0x00 0x00
0x00 0x00 0x07 0xe4
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_SIGNATURE (0x18)
CTX = HAB_CTX_COMMAND (0xC0)
ENG = HAB_ENG_ANY (0x00)
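When triaging HAB logs, the event above can be recognised from its first eight bytes. The following C code is an added example, not code from U-Boot or NXP: the struct and function names are hypothetical, and the record layout (tag, 16-bit length, version, then STS, RSN, CTX, ENG) is an assumption read off how the dump's bytes line up with the decoded fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Values as printed in the HAB event on this page. */
#define HAB_TAG_EVT        0xdb  /* first byte of the event data */
#define HAB_FAILURE        0x33
#define HAB_INV_SIGNATURE  0x18
#define HAB_CTX_COMMAND    0xc0

struct hab_event {
    uint16_t len;                 /* record length, big-endian in the dump */
    uint8_t  ver, sts, rsn, ctx, eng;
};

/* Constructed input: the 20 event bytes quoted in the issue description. */
static const uint8_t sample_event[] = {
    0xdb, 0x00, 0x14, 0x41, 0x33, 0x18, 0xc0, 0x00, 0xca, 0x00,
    0x0c, 0x00, 0x01, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x07, 0xe4,
};

/* Parse the 8-byte prefix (assumed layout: tag, len, ver, sts, rsn, ctx, eng).
 * Returns 0, or -1 on a short, mis-tagged or length-inconsistent buffer. */
int hab_event_parse(const uint8_t *buf, size_t n, struct hab_event *ev)
{
    if (buf == NULL || ev == NULL || n < 8 || buf[0] != HAB_TAG_EVT)
        return -1;
    ev->len = (uint16_t)((buf[1] << 8) | buf[2]);
    if (ev->len < 8 || ev->len > n)
        return -1;
    ev->ver = buf[3]; ev->sts = buf[4]; ev->rsn = buf[5];
    ev->ctx = buf[6]; ev->eng = buf[7];
    return 0;
}

/* Nonzero when the event carries the STS/RSN/CTX triple reported here. */
int hab_event_matches_issue(const struct hab_event *ev)
{
    return ev->sts == HAB_FAILURE && ev->rsn == HAB_INV_SIGNATURE &&
           ev->ctx == HAB_CTX_COMMAND;
}

int main(void)
{
    struct hab_event ev;
    if (hab_event_parse(sample_event, sizeof(sample_event), &ev) != 0)
        return 1;
    printf("len=%u sts=0x%02x rsn=0x%02x ctx=0x%02x match=%d\n", (unsigned)ev.len,
           ev.sts, ev.rsn, ev.ctx, hab_event_matches_issue(&ev));
    return 0;
}
```

A match only shows that an event is consistent with this issue: the same status, reason and context are also reported when an image signature is genuinely invalid, so check the cache state and the MX6SL_PU_IROM_MMU_EN_VAR address before drawing a conclusion.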
Impacted Devices:
Impacted BSP releases:
All U-Boot releases prior to imx_v2019.04_4.19.35_1.1.0 supporting HAB APIs are impacted by this issue. i.MX 6SoloLite HAB API users with data cache enabled must follow the recommendation in this document and update the source code to avoid a possible failure in the secure boot flow.
Please note:
- This issue does not impact the primary boot image authentication.
- This issue does not impact users with data cache disabled.
Software Patch:
This issue can be fixed by updating the MX6SL_PU_IROM_MMU_EN_VAR address in the source code. The next U-Boot release, planned for July 2019, will have a fix in place.
In the meantime, users can replace the wrong address 0x00900a18 with the correct one, 0x00901c60. The following patch can be used as an example.
- U-Boot upstream project: [U-Boot] mx6sl: hab: Fix pu_irom_mmu_enabled address - Patchwork
Documentation Update:
Table 7 in the HABv4 RVT Guidelines and Recommendations application note (AN12263) will be updated in the next release to correct the PU_IROM_MMU_EN_VAR address for i.MX 6SoloLite.
The entry in Table 7 will be updated as shown below:
Device | PU_IROM_MMU_EN_VAR address |
---|---|
i.MX 6SoloLite | 0x00901C60 |
This issue does not compromise the i.MX security.