u-boot lf_v2022.04 imx6 broken FIT_SIGNATURE (with CAAM devices, e.g. MX6S)

andreaaizza · ‎10-22-2022

Hi,

wft to https://lore.kernel.org/all/9fb8507f-9a5e-e53a-0d64-e4bcbb6663eb@denx.de/T/

FIT_SIGNATURE verification fails on iMX Solo with u-boot lf_v2022.04. Can you (NXP) please comment and indicate how to fix and be able to secure chain of trust (at least verification) on MX6 Solo devices with latest u-boot?

Harvey021 · ‎10-25-2022

Hi @andreaaizza

Please refer to the link： mx6_mx7_secure_boot.txt\guides\habv4\imx\doc - uboot-imx - i.MX U-Boot (codeaurora.org) for i.mx6Solo.

The LX and i.MX are different from way to authenticate/verify.

Best regards

Harvey

andreaaizza · ‎10-25-2022

Hi,

thanks. That procedure relies on

hab_auth_img

not on FIT_SIGNATURE approach.

Can you confirm what you suggest is not impacted by this latest vulnerability found: https://research.nccgroup.com/2022/10/03/shining-new-light-on-an-old-rom-vulnerability/

Harvey021 · ‎10-30-2022

Hi

This is a known vulnerability and should be resolved using the latest chip version.

Best regards

Harvey

andreaaizza · ‎10-25-2022

Hi NXP,

any feedback? Can you indicate the way to authenticate/verify u-boot and FIT(kernel+dtb) with imx6 Solo?

u-boot lf_v2022.04 imx6 broken FIT_SIGNATURE (with CAAM devices, e.g. MX6S)

u-boot lf_v2022.04 imx6 broken FIT_SIGNATURE (with CAAM devices, e.g. MX6S)

i.MX6S