i.MX RT10xx Secure Boot/HAB with Secure Provisioning Tool

キャンセル
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

i.MX RT10xx Secure Boot/HAB with Secure Provisioning Tool

ソリューションへジャンプ
1,100件の閲覧回数
MulattoKid
Contributor IV

Hi,

I'm looking to verify my understanding of how the Secure Provisioning Tool works:

  1. Given an ELF file without any flash config, and IVT, the Secure Provisioning Tool will generate these based on the selected configuration in the tool itself. It will then extract the binary from the ELF file, and add these generated blocks to the front of the binary. The binary can now be flashed, and if e.g. the Secure Provisioning Tool was configured to generate a Secure Boot/HAB binary, the boot ROM will initiate HAB validation when the MCU boots. Is my understanding correct?
  2. How are the fuses that lock down the they keys that can be used for signing a binary configured, does it happen automatically the first time a binary with HAB enabled is attempted booted?

Kind regards,
Daniel

0 件の賞賛
返信
1 解決策
1,086件の閲覧回数
kerryzhou
NXP TechSupport
NXP TechSupport

Hi @MulattoKid ,

  Share you some document, it will help you understand your issues, it is from the commander line method, in fact, the SPT tool also merge the commander line method to the GUI method:

My HAB document:

https://community.nxp.com/t5/i-MX-RT-Knowledge-Base/RT1050-HAB-Encrypted-Image-Generation-and-Analys...

1. Given an ELF file without any flash config, and IVT, the Secure Provisioning Tool will generate these based on the selected configuration in the tool itself. It will then extract the binary from the ELF file, and add these generated blocks to the front of the binary. The binary can now be flashed, and if e.g. the Secure Provisioning Tool was configured to generate a Secure Boot/HAB binary, the boot ROM will initiate HAB validation when the MCU boots. Is my understanding correct?

=>Answer:  You understand is correct, the SPT tool will help to generate the image from IVT+BD+HAB data +app, then download the FCB at first, then download the secured or signed imaged from IVT aea.

2. How are the fuses that lock down the they keys that can be used for signing a binary configured, does it happen automatically the first time a binary with HAB enabled is attempted booted?

=>Answer: If you check my document in the above, you will find, it will use this method do burn your fuse:

kerryzhou_0-1710471917902.png

 

In fact, modify the fuse area directly.

 

Wish it helps you!

If you still have question about it, please kindly let me know.

If your question is solved, please help me to mark the correct answer, just to close this case, thanks.

Any new issues, welcome to create the new question post.

Best Regards,

Kerry

元の投稿で解決策を見る

0 件の賞賛
返信
6 返答(返信)
1,087件の閲覧回数
kerryzhou
NXP TechSupport
NXP TechSupport

Hi @MulattoKid ,

  Share you some document, it will help you understand your issues, it is from the commander line method, in fact, the SPT tool also merge the commander line method to the GUI method:

My HAB document:

https://community.nxp.com/t5/i-MX-RT-Knowledge-Base/RT1050-HAB-Encrypted-Image-Generation-and-Analys...

1. Given an ELF file without any flash config, and IVT, the Secure Provisioning Tool will generate these based on the selected configuration in the tool itself. It will then extract the binary from the ELF file, and add these generated blocks to the front of the binary. The binary can now be flashed, and if e.g. the Secure Provisioning Tool was configured to generate a Secure Boot/HAB binary, the boot ROM will initiate HAB validation when the MCU boots. Is my understanding correct?

=>Answer:  You understand is correct, the SPT tool will help to generate the image from IVT+BD+HAB data +app, then download the FCB at first, then download the secured or signed imaged from IVT aea.

2. How are the fuses that lock down the they keys that can be used for signing a binary configured, does it happen automatically the first time a binary with HAB enabled is attempted booted?

=>Answer: If you check my document in the above, you will find, it will use this method do burn your fuse:

kerryzhou_0-1710471917902.png

 

In fact, modify the fuse area directly.

 

Wish it helps you!

If you still have question about it, please kindly let me know.

If your question is solved, please help me to mark the correct answer, just to close this case, thanks.

Any new issues, welcome to create the new question post.

Best Regards,

Kerry

0 件の賞賛
返信
1,081件の閲覧回数
MulattoKid
Contributor IV

Hi @kerryzhou,

Thanks a lot for your response, that clarifies a lot!

Kind regards,
Daniel

0 件の賞賛
返信
1,075件の閲覧回数
kerryzhou
NXP TechSupport
NXP TechSupport

Hi @MulattoKid ,

  You are always welcome!

  If you meet any issues in the future, welcome to create the case, and let us know.

Best Regards,

kerry

0 件の賞賛
返信
1,070件の閲覧回数
MulattoKid
Contributor IV

Oh, one thing I forgot to confirm: flashing the signed binary itself can be done in the regular internal boot mode, but for the files that modify the fuse map it's required to be in serial downloader mode, correct?

0 件の賞賛
返信
1,066件の閲覧回数
kerryzhou
NXP TechSupport
NXP TechSupport

Hi @MulattoKid ,

   Yes, all need to in the serial download mode, and also need to use the signed flashloader if you already do the HAB signed.

 

Wish it helps you!

If you still have question about it, please help to create the new question post, thanks.

Best Regards,

Kerry

1,063件の閲覧回数
MulattoKid
Contributor IV

Great, thanks!