How to get the newest secure boot guide

liuhao1
Contributor II

Hi:

I work on imx6. The project wants to use the secure boot function.

I find some guides on the NXP web site.

How can I get the newest guide about secure boot on imx6, step by step?

Such as the newest csttool and the manual of csttool.

igorpadykov
NXP Employee

Hi 浩 刘

please look at latest revision AN4581 Secure Boot on i.MX 50, i.MX 53, i.MX 6 and i.MX 7 Series using HABv4

https://www.nxp.com/docs/en/application-note/AN4581.pdf 

Best regards
igor

liuhao1
Contributor II

igorpadykov:

I followed AN4581 and generated a uboot, and burned it into the board.

And with the cmd "hexdump -e '/4 "0x"' -e '/4 "%X""\n"' SRK_1_2_3_4_fuse.bin" I get the data needed to burn into uboot.

In uboot I programmed the fuses with the data above, just like "prog 3 0 xxxx" etc.

After doing the above actions, I reset the board and I can enter uboot.

Then I input the command "fuse prog 0 6 0x2" and rebooted the board.

No more information is output to the serial port.

My question:

1. What is the above phenomenon? Is it because the content of the encrypted signature does not match?

2. If I rediscover a board and follow the above process again, before I write "fuse prog 0 6 0x2", do I have a way to verify that the hash value in the fuse matches the signature in the current uboot?


igorpadykov
NXP Employee

> 1. What is the above phenomenon? Is it because the content of the encrypted signature does not match?

Seems yes.

> 2. If I rediscover a board and follow the above process again, before I write "fuse prog 0 6 0x2".
> Do I have a way to verify that the hash value in the fuse matches the signature in the current uboot?

On a burned board it is not possible to verify signatures or debug it somehow, I am afraid.

Best regards
igor

liuhao1
Contributor II

igorpadykov:

The second question I have above is: I get a new board on which the fuses are not burned.

After I burn the value which I get from SRK_1_2_3_4_fuse.bin (before writing "SRK_1_2_3_4_fuse.bin" to the board), do I have a way to verify that the hash value in the fuse matches the signature in the current uboot? Not on the burned board.

 

I find that AN4581 has a descriptor:

CSF
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x877fb000 0x000 0x48000 "/<path_to_u-boot_dir>/u-boot-dtb.imx"

In the section "E.1. Dumping U-boot binary", the description in the document is as follows:

od -X -N 0x20 u-boot-dtb.imx:
0000000 402000d1 87800000 00000000 877ff42c
0000020 877ff420 877ff400 8786d000 00000000

IVT address: 0x877ff400
Image length: CSF PTR - IVT Self = 0x8786d000 - 0x877ff400 = 0x6DC00
In CSF [Authenticate Data] field:
Block = 0x877ff400 0x00000000 0x0006DC00 "u-boot-dtb.imx"

In my project, the uboot which is burned into the board is u-boot.imx.

And I try the od command:

od -X -N 0x20 u-boot.imx
0000000 402000d1 0090742c 00000000 00000000
0000020 00907420 00907400 00000000 00000000

In the second line, the third paragraph is 00000000.

In my project I fill in: Block = 0x877ff400 0x00000000 0x0006DC00 "u-boot-dtb.imx"

What is the matter with this?

Thanks
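
The E.1 calculation quoted in the post above, as an added example (not code from AN4581 or from anyone in this thread): it decodes the eight IVT words that od prints, derives the [Authenticate Data] line, and rejects a header whose CSF pointer is zero, as in the u-boot.imx dump. The function names are made up for this illustration; the two byte strings are the dumps from the post, re-packed as little-endian words.

```python
import struct
from collections import namedtuple

# The eight 32-bit little-endian words that `od -X -N 0x20` prints for the IVT.
Ivt = namedtuple("Ivt", "header entry reserved1 dcd boot_data self_addr csf reserved2")


def parse_ivt(blob):
    """Decode the 32-byte HABv4 IVT at the start of a .imx image."""
    if len(blob) < 32:
        raise ValueError("need at least 32 bytes")
    # On disk the header is: tag 0xD1, 16-bit big-endian length 0x0020, version.
    if blob[0] != 0xD1 or blob[1:3] != b"\x00\x20":
        raise ValueError("no IVT header at offset 0")
    return Ivt(*struct.unpack("<8I", blob[:32]))


def authenticate_block(ivt, filename):
    """Build the CSF line as in E.1: IVT self, offset 0, CSF PTR - IVT self."""
    if ivt.csf == 0:
        raise ValueError("IVT CSF pointer is 0: image length cannot be derived")
    if ivt.csf <= ivt.self_addr:
        raise ValueError("CSF pointer is not above the IVT self address")
    length = ivt.csf - ivt.self_addr
    return 'Blocks = 0x%08x 0x%08x 0x%08x "%s"' % (ivt.self_addr, 0, length, filename)


def pack_words(*words):
    """Turn od -X words back into the bytes they were read from."""
    return struct.pack("<8I", *words)


# Dump quoted from AN4581 section E.1 (u-boot-dtb.imx).
AN4581_DUMP = pack_words(0x402000D1, 0x87800000, 0x00000000, 0x877FF42C,
                         0x877FF420, 0x877FF400, 0x8786D000, 0x00000000)
# Dump posted for u-boot.imx: the CSF word (second line, third word) is 0.
POSTED_DUMP = pack_words(0x402000D1, 0x0090742C, 0x00000000, 0x00000000,
                         0x00907420, 0x00907400, 0x00000000, 0x00000000)

if __name__ == "__main__":
    print(authenticate_block(parse_ivt(AN4581_DUMP), "u-boot-dtb.imx"))
    try:
        authenticate_block(parse_ivt(POSTED_DUMP), "u-boot.imx")
    except ValueError as err:
        print("u-boot.imx:", err)
```

The address and length in a CSF have to come from the IVT of the file that is actually signed and flashed, so values copied from another image's dump will not describe it.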

liuhao1
Contributor II

igorpadykov:

Maybe some patches need to be applied to uboot.

My uboot version is "U-Boot 2014.04-g18b6230-dirty".

Does this uboot support secureboot?

liuhao1
Contributor II

Thanks
