- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- iMX8M mini Secure Boot
iMX8M mini Secure Boot
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
iMX8M mini Secure Boot
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I try to understand how secure boot is working for imx8mmevk board.
I read following documentation :
- introduction_habv4.txt\habv4\imx\doc - uboot-imx - i.MX U-Boot
- mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc - uboot-imx - i.MX U-Boot
- MX8M HAB Boot DOC-340643.pdf
- AN12056 - Encrypted Boot on HABv4 and CAAM EnabledDevices.pdf
My issue is about creating flash.bin with the output provided by yocto.
All documentation talks about doing all steps manually, but yocto provides these files. I assume it canbe used to generate flash.bin.
Yocto creates the following directory tmp/deploy/images/imx8mmevk/imx-boot-tools
In this directory, I have following files:
- bl31-imx8mm.bin
- bl31-imx8mm.bin-optee
- fsl-imx8mm-evk.dtb
- lpddr4_pmu_train_1d_dmem.bin
- lpddr4_pmu_train_1d_imem.bin
- lpddr4_pmu_train_2d_dmem.bin
- lpddr4_pmu_train_2d_imem.bin
- mkimage_fit_atf.sh
- mkimage_imx8
- mkimage_uboot
- signed_dp_imx8m.bin
- signed_hdmi_imx8m.bin
- soc.mak
- tee.bin
- u-boot-imx8mmevk.bin-sd
- u-boot-nodtb.bin-imx8mmevk-sd
- u-boot-spl.bin-imx8mmevk-sd
My question : How to create the flash.bin file to be able to flash the EVK board ?
Regards,
Fabrice
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I answer myself,
In Yocto BSP from NXP, tht too mkimage is already built and the recipe imx-boot generates the unsigned flash.bin as a file named imx-boot-<hardware>-sd.bin-flash_evk
This file contains SPL and U-BOOT.
To create a signed image, I follow steps described in mx8m_mx8mm_secure_boot.txt\guides\habv4\imx\doc -...
All Signature part is well explained in Code Signing Tool User Guide.
I was able to create a signed file but no tested yet.
Hope this help.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @Fabrice,
It's great to hear that you've successfully signed i.MX 8M Mini's flash.bin and I'm also trying to achieve the same.
But, I'm facing issues now and posted it in here (https://community.nxp.com/thread/539440 ). Hope you can provide some help.
Thanks in advance.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I look at your csf_spl.txt, and it's similar to mine.
The only thing that differs is that you use absolute path where I use local path as explained in tutorial. I copy flash.bin into cst folder, at the exact place where txt file is (cst-3.3.0/release/linux64).
[Header]
Version = 4.3
Hash Algorithm = sha256
Engine = CAAM
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
[Install SRK]
# Index of the key location in the SRK table to be installed
File = "../crts/SRK_1_2_3_4_table.bin"
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Unlock]
# Leave Job Ring and DECO master ID registers Unlocked
Engine = CAAM
Features = MID
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target index = 2
# Key to install
File = "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Authenticate Start Address, Offset, Length and file
Blocks = 0x7e0fc0 0x0 0x2a600 "flash.bin"
Sorry to not helping you much than this.
Fabrice
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your inputs.
I've solved my problem. If you're curious, here's the answer: https://community.nxp.com/thread/539440#comment-1352925
Bio_TICFSL
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
