| 1 | [[PageOutline]] |
| 2 | |
| 3 | = i.MX6 Security = |
| 4 | The i.MX6 SoC used on the Ventana product family contains built-in security at the hardware level. |
| 5 | |
| 6 | == High Availability Boot (HAB) (Trusted Boot) == |
| 7 | Executing trusted and authentic code on an application processor starts with securely booting the device. The i.MX family of application processors provide this capability with the High Availability Boot (HAB) component of the on-chip ROM. The ROM is responsible for loading the initial program image from the boot medium. HAB enables the ROM to authenticate the program image by using digital signatures. This initial program image is usually a bootloader. |
| 8 | |
| 9 | HAB provides a mechanism to establish a root of trust for the remaining software components and establishes a secure state on the i.MX. |
| 10 | |
| 11 | When using HAB ultimately you will need to blow security keys into the one-time-programmable (OTP) fuses as well as blow a fuse to indicate the board can only boot authenticated firmware images. To do this you need to contact sales@gateworks.com to create a Gateworks special that leaves the BOOT_CFG_LOCK bit un-blown as typically this fuse is blown on the Gateworks test fixture to avoid users accidentally changing the boot config and bricking their boards. |
| 12 | |
| 13 | The process of using HAB is fully documented in [https://www.nxp.com/docs/en/application-note/AN4581.pdf Freescale App Note AN4581.pdf]. |
| 14 | |
| 15 | References: |
| 16 | * [https://www.nxp.com/docs/en/application-note/AN4581.pdf AN4581.pdf - Secure Boot on i.MX50, i.MX53, and i.MX6] |