
To increase the security level, the bootable image can be signed and further encrypted by the CST. The KeyBlob must be generated on the device. The hardware deletes all sensitive keys if any security violation happens, so the sensitive keys cannot be cloned.

Generate i.MX RT bootable image

There are two types of bootable images for i.MX RT devices.

  • Normal boot image: This type of image can boot directly by boot ROM.

  • Plugin boot image: This type of image can be used to load a boot image from devices that are not natively supported by boot ROM.

Both types of images can be unsigned, signed, and encrypted for different production phases and different security level requirements:

  • Unsigned Image: The image does not contain authentication-related data and is used during the development phase.

  • Signed Image: The image contains authentication-related data (CSF section) and is used during the production phase.

  • Encrypted Image: The image contains encrypted application data and authentication-related data and is used during the production phase with the higher security requirements.

All of the above types of bootable images can be generated with the elftosb utility. Detailed usage of the elftosb utility is described in the elftosb User's Guide: https://www.nxp.com/docs/en/user-guide/MBOOTELFTOSBUG.pdf

Generate unsigned normal i.MX RT bootable image

Typically, the unsigned bootable image is generated and programmed to the destination memory during the development phase.
The elftosb utility generates an unsigned bootable image from command-line options, a BD file, and the ELF/SREC file produced by the toolchain.
Taking the Flashloader project as an example, the steps to create a bootable image for the Flashloader are as follows.

Step 1: Create a BD file. For unsigned image creation, the “constants” block is optional, as shown below.

Code Block
options {
    flags = 0x00;
    startAddress = 0x20000000;
    ivtOffset = 0x400;
    initialLoadSize = 0x2000;
}
sources {
    elfFile = extern(0);
}
section (0)
{
}

After the BD file is created, place it in the same folder that holds the elftosb utility executable.

Step 2: Copy the Flashloader.srec file provided in the release package into the same folder that holds the elftosb utility executable.

Step 3: Generate the bootable image using the elftosb utility.

Code Block
elftosb.exe -f imx -V -c imx-unsigned.bd -o ivt_flashloader_unsigned.bin flashloader.srec

The elftosb utility then generates two bootable images. The first one is ivt_flashloader_unsigned.bin; in it, the memory region from 0 to ivtOffset is filled with padding bytes (all 0x00s).
The second one is ivt_flashloader_nopadding.bin, which starts directly with the IVT data, without any padding before the IVT.

Generate signed normal i.MX RT bootable image

To generate a signed bootable image using the elftosb utility, perform the following steps:

Step 1: Create a BD file. For a signed image the "constants" block and the CSF sections are required; the BD file can be as follows:

Code Block
options {
    flags = 0x08;
    startAddress = 0x60000000;
    ivtOffset = 0x1000;
    initialLoadSize = 0x2000;
}
sources {
    elfFile = extern(0);
}
constants {
    SEC_CSF_HEADER              = 20;
    SEC_CSF_INSTALL_SRK         = 21;
    SEC_CSF_INSTALL_CSFK        = 22;
    SEC_CSF_INSTALL_NOCAK       = 23;
    SEC_CSF_AUTHENTICATE_CSF    = 24;
    SEC_CSF_INSTALL_KEY         = 25;
    SEC_CSF_AUTHENTICATE_DATA   = 26;
    SEC_CSF_INSTALL_SECRET_KEY  = 27;
    SEC_CSF_DECRYPT_DATA        = 28;
    SEC_NOP                     = 29;
    SEC_SET_MID                 = 30;
    SEC_SET_ENGINE              = 31;
    SEC_INIT                    = 32;
    SEC_UNLOCK                  = 33;
}
section (SEC_CSF_HEADER; 
    Header_Version="4.2", 
    Header_HashAlgorithm="sha256", 
    Header_Engine="DCP", 
    Header_EngineConfiguration=0, 
    Header_CertificateFormat="x509",
    Header_SignatureFormat="CMS"
    )
{
}
section (SEC_CSF_INSTALL_SRK; 
    InstallSRK_Table="keys/SRK_1_2_3_4_table.bin", // "valid file path"
    InstallSRK_SourceIndex=0 
    )
{
}
section (SEC_CSF_INSTALL_CSFK; 
    InstallCSFK_File="crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem", // "valid file path"
    InstallCSFK_CertificateFormat="x509" // "x509"
     )
{
}
section (SEC_CSF_AUTHENTICATE_CSF)
{
}
section (SEC_CSF_INSTALL_KEY; 
    InstallKey_File="crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem", 
    InstallKey_VerificationIndex=0, // Accepts integer or string 
    InstallKey_TargetIndex=2) // Accepts integer or string 
{
}
section (SEC_CSF_AUTHENTICATE_DATA;
    AuthenticateData_VerificationIndex=2, 
    AuthenticateData_Engine="DCP",
    AuthenticateData_EngineConfiguration=0) 
{
}
section (SEC_SET_ENGINE;
    SetEngine_HashAlgorithm = "sha256", // "sha1", "Sha256", "sha512" 
    SetEngine_Engine = "DCP", // "ANY", "SAHARA", "RTIC", "DCP", "CAAM" and "SW" 
    SetEngine_EngineConfiguration = "0") // "valid engine configuration values"
{
}
section (SEC_UNLOCK;
    Unlock_Engine = "SNVS",
    Unlock_features = "ZMK WRITE" 
    )
{
}

After the BD file is created, place it in the same folder that holds the elftosb utility executable.

Step 2: Copy the Flashloader.srec file provided in the release package into the same folder that holds the elftosb utility executable.

Step 3: Copy the "cst" executable, the "crts" folder, and the "keys" folder from "<cst_installation_dir>" to the same folder that holds the elftosb utility executable, so that the file paths referenced in the BD file resolve.

Step 4: Generate the bootable image using the elftosb utility.

Code Block
elftosb.exe -f imx -V -c imx-signed.bd -o ivt_flashloader_signed.bin flashloader.srec

The elftosb utility then generates two bootable images. The first one is ivt_flashloader_signed.bin; in it, the memory region from 0 to ivtOffset is filled with padding bytes (all 0x00s). The second one is ivt_flashloader_signed_nopadding.bin, which starts directly at ivtOffset. In both, the CSF section has been generated and appended to the otherwise unsigned bootable image.
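The unsigned and signed procedures above differ, at the file level, in whether the IVT's CSF pointer is zero or points at an appended CSF section. A practical check after running elftosb is to open the padded output, confirm the padding before ivtOffset is all 0x00, parse the IVT at ivtOffset, and see whether the CSF pointer is set and lands on a CSF header inside the image. The script below is an added example, not part of the original page or of the elftosb/CST tools; it uses the publicly documented HAB layout (IVT tag 0xD1, CSF tag 0xD4, a 4-byte big-endian header followed by little-endian 32-bit pointers) and the startAddress/ivtOffset values from the BD files above. The sample images it builds are constructed stand-ins for elftosb output, and the entry and CSF offsets inside them are hypothetical.

```python
import struct

# HAB structure tags and sizes (values from the public i.MX HAB documentation)
IVT_TAG = 0xD1
CSF_TAG = 0xD4
IVT_LEN = 0x20
HAB_VERSIONS = (0x40, 0x41)


def parse_hab_header(buf, off):
    """HAB header: tag (1 byte) | length (2 bytes, big-endian) | version (1 byte)."""
    return struct.unpack_from(">BHB", buf, off)


def parse_ivt(image, ivt_offset):
    """Return the IVT fields found at ivt_offset, or raise if no valid IVT header is there."""
    tag, length, version = parse_hab_header(image, ivt_offset)
    if tag != IVT_TAG or length != IVT_LEN or version not in HAB_VERSIONS:
        raise ValueError(f"no valid IVT at offset {ivt_offset:#x}")
    entry, _res1, dcd, boot_data, self_addr, csf, _res2 = struct.unpack_from(
        "<7I", image, ivt_offset + 4)
    return {"entry": entry, "dcd": dcd, "boot_data": boot_data,
            "self": self_addr, "csf": csf}


def inspect_image(image, start_address, ivt_offset):
    """Check a padded bootable image against the startAddress/ivtOffset of its BD file."""
    result = {}
    # 1. everything before the IVT must be the 0x00 padding elftosb writes
    result["padding_ok"] = not any(image[:ivt_offset])
    ivt = parse_ivt(image, ivt_offset)
    # 2. the IVT 'self' pointer must equal the address the IVT is loaded to
    result["self_ok"] = ivt["self"] == start_address + ivt_offset
    # 3. csf == 0 means no CSF was appended (unsigned image); otherwise the
    #    pointer must land on a CSF header that lies inside the image
    if ivt["csf"] == 0:
        result["signed"] = False
        result["csf_ok"] = True
    else:
        result["signed"] = True
        csf_off = ivt["csf"] - start_address
        result["csf_ok"] = False
        if 0 <= csf_off and csf_off + 4 <= len(image):
            tag, _length, version = parse_hab_header(image, csf_off)
            result["csf_ok"] = tag == CSF_TAG and version in HAB_VERSIONS
    return result


def build_sample_image(start_address, ivt_offset, with_csf):
    """Constructed sample (not elftosb output): padding, IVT, boot data, optional CSF header.

    The entry point (IVT + 0x100) and CSF location (IVT + 0x200) are hypothetical.
    """
    ivt_addr = start_address + ivt_offset
    body = bytearray(0x300)
    csf_addr = ivt_addr + 0x200 if with_csf else 0
    struct.pack_into(">BHB", body, 0, IVT_TAG, IVT_LEN, 0x40)
    struct.pack_into("<7I", body, 4,
                     ivt_addr + 0x100, 0, 0, ivt_addr + IVT_LEN, ivt_addr, csf_addr, 0)
    # boot data: image start, image length, plugin flag (0 = normal boot image)
    struct.pack_into("<3I", body, IVT_LEN, start_address, ivt_offset + len(body), 0)
    if with_csf:
        struct.pack_into(">BHB", body, 0x200, CSF_TAG, 0x100, 0x40)
    return bytes(ivt_offset) + bytes(body)


if __name__ == "__main__":
    # Same settings as the signed BD file above: startAddress 0x60000000, ivtOffset 0x1000
    for name, signed in (("unsigned", False), ("signed", True)):
        img = build_sample_image(0x60000000, 0x1000, signed)
        print(name, inspect_image(img, 0x60000000, 0x1000))
```

To run it against real elftosb output, replace the constructed image with the bytes of ivt_flashloader_unsigned.bin or ivt_flashloader_signed.bin and pass the startAddress and ivtOffset from the BD file that produced it; the nopadding variants have the IVT at offset 0, so pass ivt_offset=0 for those. The check only confirms layout, not that the signature itself verifies; that is the job of HAB on the device.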