Amf Aut T3363
i.MX 8 Security Overview
John Cotner
Security Architect - Automotive
Company Public – NXP, the NXP logo, and NXP secure connections for a smarter world are trademarks of NXP
B.V. All other product or service names are the property of their respective owners. © 2018 NXP B.V.
"There are only two types of companies: those that have been
hacked, and those that will be. Even that is merging into one
category: Those that have been hacked and will be again."
- Robert Mueller, sixth director of the FBI
COMPANY PUBLIC 1
Core Security Principles in Automotive Systems
Prevent access – Detect attacks – Reduce impact – Fix vulnerabilities
i.MX 8 Security
i.MX 8 Series Security Architecture Overview
[Block diagram. Blocks shown: encrypted external flash memory; OTP holding public key hashes, device-unique secrets and the security state; replay protection; Flex-SPI and DDR controller with IEE for on-the-fly decryption/encryption; high assurance boot ROM; partitioned crypto engines on a private key bus; secure RAM; runtime security controller; VPU with HDCP 1.x/2.x on HDMI-TX/HDMI-RX and DTCP on MLB; a security domain with alarms, bus, counter, active tamper detect and secret.]
Security Features (1 of 2)
• SECO Security Microcontroller (Cortex-M0+, 133 MHz)
− Isolated security domain
− Higher protection for root secrets and key management functions
• DTCP (Digital Transport Content Protection) – Authentication engine with secure interface for key loading
• IEE (Inline Encryption Engine) – Cryptographic protection of data in external memory
• ADM (Authenticated Debug Module) – Secure debug, lifecycle handling, access and violation control
• Enhanced CAAM
− 64KB Secure RAM
− Hardware acceleration of cryptographic algorithms
− RTIC (Runtime Integrity Checker): Ensures integrity of the memory contents
Security Features (2 of 2)
• SNVS (Secure Non-Volatile Storage)
− Secure State Machine
− 10 external tamper pins that can be configured to support 5 active meshes or 10 passive meshes
− Analog sensors for temperature, voltage, frequency tamper detection
• Encrypted “execute in place” (XIP) capability from QSPI
• xRDC – HW isolation at chip level (Resource Domains)
• Cryptographic binding of resource domain identity for secure storage
− Key storage in external flash
• Fast secure boot
− ECDSA up to 1024 module with SHA-512
• Fast signature verifications using P-256 Elliptic Curve for V2X
i.MX Product Security Features Overview

Feature | i.MX6Q/D/S | i.MX6SX | i.MX6UL | i.MX7S/D | i.MX8QM | i.MX8QXP
--- | --- | --- | --- | --- | --- | ---
Security Controller (SECO) | x | x | x | x | ✓ | ✓
AES128/192/256, SHA1/256, DES/3DES | ✓ | ✓ | ✓ | ✓ | ✓ + SHA 384/512 | ✓ + SHA 384/512
Elliptic Curve DSA (up to P521/B571), RSA (up to 4096) | x | x | ✓ | ✓ | ✓ High performance | ✓ High performance
Crypto Accelerator Unit (CAU) (DES, AES co-processor instruction) | x | x | x | x | ✓ | ✓
Certifiable RNG | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Run Time Integrity Protection | x | x | ✓ | ✓ | ✓ | ✓
Isolated security applications (e.g. SHE) | x | x | x | x | ✓ | ✓
High Assurance Boot (RSA, ECDSA) | ✓ RSA | ✓ RSA | ✓ RSA | ✓ RSA | ✓ | ✓
Encrypted Boot | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Secure Debug | ✓ | ✓ | ✓ | ✓ | ✓ Domains | ✓ Domains
Always ON domain | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Secure Storage (non-volatile) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Tamper Detection Signal | ✓ | ✓ | ✓ Active | ✓ Active | ✓ Active | ✓ Active
Volt/Temp/Freq Detect | x | x | ✓ | ✓ | ✓ | ✓
Inline Encryption | x | x | ✓ BEE | x | ✓ IEE | ✓ IEE
Manufacturing Protection | x | x | x | ✓ | ✓ | ✓
Resource Domain Isolation | x | ✓ | x | ✓ | ✓ | ✓
Content Protection | ✓ 6Q 1.x only | x | x | x | ✓ HDCP 1.x/2.x, DTCP | ✓ DTCP
SECO
SECO Overview
SECO – Manager of the CAAM and other NXP security-reliant subsystems
• Energy efficient M0+ core supporting 133MHz
• Interrupt Controller with up to 32 IRQs
• Security controls through Authenticated Debug Module (ADM)
• Dedicated 80KB ROM, 80KB TCM RAM with Error Correcting Code (ECC)
• Dedicated One-Time Programmable (OTP) keys
• Fabric switch to Shared Peripherals, Local Peripherals, and Private Crypto Key Bus
[Block diagram: the SECO domain (M0+, ROM, TCM, OTP, ADM, watchdog, SNVS low, CAAM, Secure RAM) talks to the SCU over MU0 and to the rest of the system over MU1–MU3 through HAL layers; SNVS high sits outside the domain.]
SECO Features
• Secure boot (container/image authentication)
• Services provided to AP/SCU cores via Message Unit interface
• Lifecycle configuration
• Fuse programming
• Debug enablement
• IP secret installation (DTCP keys, HDCP keys, …)
• CAAM management
− Job Ring assignment
− Secure Memory
• SNVS management
− HW security state machine management
• ADM management (locks, timers, LC, ...)
• Power management
• Attestation of SECO FW
SECO enables proper Crypto Key Management
Automotive security specs require isolated HSM/SHE modules for full featured crypto key life cycle management and specific usage.
[Diagram, two environments:
- Host layer key management in a dynamic environment, with focus on function and performance: Application A keeps its keys managed in SECO, Application B keeps its keys managed in software. The non-secure environment increases the chance of B’s keys being exposed.
- SECO managed environment (SECO FW + crypto hardware, full featured crypto key management), with focus on security: A’s keys are managed robustly.]
SECO + Crypto Hardware offers comprehensive and secure key management. Crypto hardware alone (rudimentary key designation feature) is not capable of fully controlling key usage.
SHE
SHE SECO firmware
• Authenticated as part of the SoC boot process, NXP signed
• Support for all required SHE functionality
• SHE (GPL free) driver provided, ensuring accessibility from any targeted OS/SoC domain
• Off-chip non-volatile storage support:
− eMMC w/RPMB partition can be used for implementing SHE Non-Volatile storage
− RPMB (Replay Protected Memory Block) uses an authentication mechanism (HMAC) to protect against:
▪ Roll-back attacks
▪ Read/write/erase from CPU applications (or offline attack)
− Data are stored encrypted on the RPMB partition
▪ Key used for the encryption is
• Unique per chip (derived from the i.MX OTPMK, or ZMK)
• Not known outside SECO
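The two RPMB protections listed above (HMAC authentication and the write counter that defeats roll-back) can be seen in a small model. The following Go program is an added example, not NXP code and not the SHE driver: `Rpmb`, `WriteFrame`, `deriveRpmbKey` and the HMAC-SHA256 derivation of the RPMB key from the OTPMK are assumptions of this example, the OTPMK bytes are constructed, and the encryption of the stored data that the slide mentions is left out so that the authentication and anti-rollback logic stand on their own.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed stand-in for the chip-unique OTPMK (not a real value).
var otpmk = bytes.Repeat([]byte{0x5a}, 32)

// deriveRpmbKey models SECO deriving the RPMB authentication key from the chip-unique
// secret. HMAC-SHA256(OTPMK, label) is this example's assumption; the point is that the
// result exists only inside SECO.
func deriveRpmbKey(label string) []byte {
	m := hmac.New(sha256.New, otpmk)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// WriteFrame is a simplified RPMB write request: the write counter the sender claims,
// the payload, and an HMAC over counter||payload.
type WriteFrame struct {
	Counter uint32
	Data    []byte
	MAC     []byte
}

// Rpmb models the device side of the partition: the key programmed once at provisioning
// and a monotonic write counter that the host cannot reset.
type Rpmb struct {
	key     []byte
	counter uint32
	stored  []byte
}

// frameMAC computes HMAC-SHA256 over the big-endian counter followed by the data.
func frameMAC(key []byte, counter uint32, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	m.Write(c[:])
	m.Write(data)
	return m.Sum(nil)
}

// Write accepts a frame only if the MAC verifies under the device key and the counter equals
// the device's current counter; the counter then advances so the same frame cannot be reused.
func (r *Rpmb) Write(f WriteFrame) error {
	if !hmac.Equal(f.MAC, frameMAC(r.key, f.Counter, f.Data)) {
		return errors.New("rpmb: authentication failed (frame not produced with the device key)")
	}
	if f.Counter != r.counter {
		return errors.New("rpmb: write counter mismatch (replayed or stale frame)")
	}
	r.stored = append([]byte(nil), f.Data...)
	r.counter++
	return nil
}

// Counter returns the device write counter (a real device reports it in an authenticated read).
func (r *Rpmb) Counter() uint32 { return r.counter }

// Stored returns the current partition contents.
func (r *Rpmb) Stored() []byte { return r.stored }

// SecoWrite is the host (SECO) path: read the counter, build the frame, authenticate it, send it.
func SecoWrite(r *Rpmb, key, data []byte) (WriteFrame, error) {
	f := WriteFrame{Counter: r.Counter(), Data: data}
	f.MAC = frameMAC(key, f.Counter, f.Data)
	return f, r.Write(f)
}

// Scenario: a legitimate SECO write succeeds, the captured frame replayed later is rejected
// by the counter, and a frame from a CPU application without the key is rejected by the MAC.
func Scenario() (first, replay, noKey error, stored []byte) {
	key := deriveRpmbKey("she-nvm-rpmb")
	dev := &Rpmb{key: key}
	var frame WriteFrame
	frame, first = SecoWrite(dev, key, []byte("SHE NVM image v2")) // constructed payload
	replay = dev.Write(frame)                                      // same frame again: counter has moved on
	noKey = dev.Write(WriteFrame{Counter: dev.Counter(), Data: []byte("SHE NVM image v1"), MAC: make([]byte, 32)})
	return first, replay, noKey, dev.Stored()
}

func main() {
	first, replay, noKey, stored := Scenario()
	fmt.Println("SECO write:", first)
	fmt.Println("replayed frame:", replay)
	fmt.Println("write without key:", noKey)
	fmt.Printf("partition holds: %q\n", stored)
}
```

The order of the checks matters: the MAC is verified before the counter is compared, so an unauthenticated sender learns nothing about the counter from the error it gets back.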
SHE driver – OS independent, non-GPL driver
• SHE services generic driver for the i.MX8 chip families
• Easily portable to different OS or bare metal implementations
• Development details:
− C99 standard, standard Makefile
− Currently supports GCC compiler
− OS dependent functions are implemented in a dedicated folder
• Quality:
− Complete test coverage provided with the library
− Driver designed to meet SPICE level 2 requirements
− CERT and MISRA coding rules enforced
− Coverity used for static code analysis
• SHE Library Integration Document will be made available to ease porting
CAAM
Security: Cryptographic Acceleration and Assurance Module
• CAAM
− Public Key Hardware Accelerator: ECDSA, RSA
− Encryption Algorithms: AES, DES/3DES
− Hashing Algorithms: MD5, SHA256/384/512, …
− Message Authentication Codes: HMAC, AES-CMAC, AES-XCBC-MAC
− Authenticated Encryption Algorithms: AES-CCM, AES-GCM
• RNG
• Export and Import of cryptographic Blobs
• Secure Memory Controller and Interface
− Automatic Zeroization on SNVS Violation Event
• Job Rings
− Descriptor based command interface
− Assigned to apps cores via SCU API
• IP Slave Interface
• Support of system virtualization by Domain ID (DID) per job ring
• DMA
[Block diagram: four Job Rings, each tagged with a DID, TZ attribute and StreamID, feed the Job Ring Manager with page access permissions; engines on the private bus are AES (128/192/256), 3DES, RSA (4096), Elliptic Curve (521/571), SHA-1/256/512 and RNG; the Master Secret comes from SNVS; the Security State, the Owner (SECO) and GPIO are shown alongside; the System Bus, SMMU, DMA and System Access Control connect to Secure Memory partitions 0 to N-1, each with DID/TZ access permissions. Legend: DID = Resource Domain ID; TZ = TrustZone (NS=0); StreamID = Context ID (Stream ID and QoS).]
Secure Storage
Key Storage: Non-Volatile External Flash Blobs
• Cryptographic Bindings
− Blobs include:
▪ Security State (Trusted, Secure, Other)
▪ Access Permissions
▪ Privilege (TZ or NS)
▪ Resource Domain (i.MX8)
▪ Key Modifier
* Only i.MX8 has Domain ID binding
[Diagram: key derivation takes the chip secret together with Domain ID*, privilege and permissions to produce B’s key; B’s keys are kept as blobs in external flash.]
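What "cryptographic binding" buys is that a blob written by one context cannot be opened from another, because the wrapping key is derived from the binding attributes rather than looked up by them. The Go program below is an added illustration, not NXP's CAAM blob format or derivation: the `Binding` struct, the HMAC-SHA256 key derivation over the binding fields and the AES-GCM wrapping are assumptions of this example, and the chip secret and the protected key are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Constructed stand-in for the chip secret (not a real value).
var chipSecret = bytes.Repeat([]byte{0xa5}, 32)

// Binding carries the attributes the slide lists as inputs to the blob key.
type Binding struct {
	SecurityState string // "Trusted", "Secure" or "Other"
	Privilege     string // "TZ" or "NS"
	DomainID      uint8  // resource domain ID (i.MX8 only)
	Modifier      []byte // key modifier chosen by the blob owner
}

// blobKey derives the blob-encryption key from the chip secret and the binding.
// HMAC-SHA256 over length-prefixed fields is this example's assumption, not the CAAM
// derivation; what matters is that any change to a field yields an unrelated key.
func blobKey(b Binding) []byte {
	m := hmac.New(sha256.New, chipSecret)
	for _, f := range [][]byte{[]byte(b.SecurityState), []byte(b.Privilege), {b.DomainID}, b.Modifier} {
		var l [2]byte
		binary.BigEndian.PutUint16(l[:], uint16(len(f)))
		m.Write(l[:])
		m.Write(f)
	}
	return m.Sum(nil)
}

func gcmFor(b Binding) (cipher.AEAD, error) {
	block, err := aes.NewCipher(blobKey(b))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encapsulate wraps a key into a blob (nonce || ciphertext || tag) safe to keep in external flash.
func Encapsulate(b Binding, key []byte) ([]byte, error) {
	g, err := gcmFor(b)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, key, nil), nil
}

// Decapsulate recovers the key only when the requester presents the same binding;
// a different domain, privilege or state derives another key and the GCM tag check fails.
func Decapsulate(b Binding, blob []byte) ([]byte, error) {
	g, err := gcmFor(b)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize()+g.Overhead() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Scenario: application B (Secure state, TZ privilege, domain 2) blobs a key; the same
// context can open it, another resource domain cannot, and the same domain at NS cannot.
func Scenario() (sameOK, otherDomainOK, nsOK bool, err error) {
	owner := Binding{SecurityState: "Secure", Privilege: "TZ", DomainID: 2, Modifier: []byte("app-B-storage")}
	secret := []byte("0123456789abcdef") // constructed 16-byte key to protect
	blob, err := Encapsulate(owner, secret)
	if err != nil {
		return
	}
	got, e1 := Decapsulate(owner, blob)
	sameOK = e1 == nil && bytes.Equal(got, secret)
	other := owner
	other.DomainID = 3
	_, e2 := Decapsulate(other, blob)
	otherDomainOK = e2 == nil
	ns := owner
	ns.Privilege = "NS"
	_, e3 := Decapsulate(ns, blob)
	nsOK = e3 == nil
	return
}

func main() {
	same, otherDomain, ns, err := Scenario()
	fmt.Println("owner context opens blob:", same, " other domain:", otherDomain, " NS privilege:", ns, " err:", err)
}
```

Because the binding is folded into the key rather than stored as metadata next to the blob, there is no field an attacker could rewrite in external flash to re-target the blob at a less trusted domain.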
RTIC
Runtime Integrity Checker (RTIC)
• Ensures integrity of the memory contents
• Verifies memory contents during run-time execution
• If memory contents fail to match then a security violation is asserted
• A security violation changes the security state of the SoC
• Virtualized Addresses, TZ and different Resource Domains supported
[Diagram: the RTIC firewall holds References A–D for peripheral Config Regs 1–3, the System Controller Tightly Coupled Memory and Critical Data Parts A and B in SRAM, reached through the SMMU; vulnerable data in DRAM is outside the checked set; a mismatch raises a security violation that changes the Security State.]
SNVS
Security State and SNVS HP and LP
[Diagram: security violation sources (Fuses, OTP, ADM, CAAM, SJC, WDOG) feed the Security State; SNVS holds the Master Key, with HP and LP sections linked by Sync Control; the LP section contains the tamper detectors, the Monotonic Counter with rollover protection mechanism, power supply glitch detectors and the external tamper inputs.]
SNVS Features
• Security state machine that transitions to fail state upon security violations and gates access to internal SoC secrets (OTPMK/ZMK).
• 10 external tamper pins that support up to 5 active tampers (5 inputs and 5 outputs) or 10 passive tampers (inputs only)
• Security sensor detection of physical attacks using temperature, voltage, frequency detection
• Monotonic Counter
• General purpose registers
• Zeroizable master key (ZMK)
• Real time counter
• High Performance and Low power domain
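The RTIC slide and the SNVS feature list describe one chain: a reference hash taken at boot, a run-time re-check, a security violation on mismatch, and a state machine that then refuses to hand out the master keys. The Go program below models that chain end to end; it is an added example and not NXP's RTIC or SNVS logic. `SoC`, `Region`, the use of SHA-256 as the reference digest, the "Config Regs 1" and "Critical Data Part A" contents and the OTPMK/ZMK bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Region is one memory area RTIC watches; the slice plays the role of the physical range.
type Region struct {
	Name string
	Mem  []byte
}

// SecurityState holds the SNVS states this example needs; Fail is the terminal state.
type SecurityState int

const (
	Trusted SecurityState = iota
	Secure
	Other
	Fail
)

func (s SecurityState) String() string {
	return [...]string{"Trusted", "Secure", "Other", "Fail"}[s]
}

// SoC couples the RTIC reference set with the SNVS-gated master keys.
type SoC struct {
	regions []Region
	refs    map[string][32]byte
	State   SecurityState
	otpmk   []byte
	zmk     []byte
}

// NewSoC takes the reference hashes once at boot (the References A..D of the slide) and
// starts in the Trusted state. The key bytes are constructed placeholders.
func NewSoC(regions []Region) *SoC {
	s := &SoC{regions: regions, refs: map[string][32]byte{}, State: Trusted,
		otpmk: bytes.Repeat([]byte{0x11}, 32), zmk: bytes.Repeat([]byte{0x22}, 32)}
	for _, r := range regions {
		s.refs[r.Name] = sha256.Sum256(r.Mem)
	}
	return s
}

// Check re-hashes every region, as RTIC does during run time. The first region whose hash
// no longer matches its reference asserts a security violation; its name is returned.
func (s *SoC) Check() string {
	for _, r := range s.regions {
		if sha256.Sum256(r.Mem) != s.refs[r.Name] {
			s.violation()
			return r.Name
		}
	}
	return ""
}

// violation is the SNVS side: enter the fail state and zeroize the ZMK. The OTPMK lives in
// fuses and cannot be erased, so access to it is gated by the state instead.
func (s *SoC) violation() {
	s.State = Fail
	for i := range s.zmk {
		s.zmk[i] = 0
	}
}

// MasterKey hands out a key only while the state machine is not in Fail.
func (s *SoC) MasterKey(name string) ([]byte, bool) {
	if s.State == Fail {
		return nil, false
	}
	if name == "ZMK" {
		return s.zmk, true
	}
	return s.otpmk, true
}

// Scenario boots with clean references, verifies once, then changes a watched
// configuration register after the reference was taken and verifies again.
func Scenario() (before, after string, keyBefore, keyAfter bool, final SecurityState) {
	cfg := []byte{0x01, 0x00, 0x00, 0x80}      // constructed "Config Regs 1" contents
	critical := []byte("critical data part A") // constructed SRAM contents
	soc := NewSoC([]Region{{"Config Regs 1", cfg}, {"Critical Data Part A", critical}})
	before = soc.Check()
	_, keyBefore = soc.MasterKey("OTPMK")
	cfg[3] ^= 0x80 // an unexpected write to the watched register
	after = soc.Check()
	_, keyAfter = soc.MasterKey("OTPMK")
	return before, after, keyBefore, keyAfter, soc.State
}

func main() {
	before, after, kb, ka, state := Scenario()
	fmt.Printf("first check mismatch=%q key available=%v\n", before, kb)
	fmt.Printf("second check mismatch=%q key available=%v state=%s\n", after, ka, state)
}
```

The model deliberately has no transition out of Fail: once a violation has been asserted, only a reset (and, on real parts, the policy chosen for the LP section) restores key access.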
ADM
Authenticated Debug Module / Secure Debug
Coresight Authentication Supported with Debug Domains
• For i.MX8, multiple debug domains exist
• Supports the Coresight authentication hierarchy
• Debug apps core with SECO locked down, for example
[Diagram: a hierarchy of enables, SECO → SCU → TrustZone → Normal World, with the signals SECO Debug, System Controller Debug Enable, System Controller Trace Enable, TZ Debug Enable, TZ Trace Enable, Normal Debug Enable and Normal Trace Enable.]
Secure Debug - JTAG Challenge/Response
App cores TrustZone and Normal World debugging
[Diagram: over JTAG TDI the debugger sends a command and a password; the chip exposes its Chip Unique ID[63:0] and a Response[127:0] together with Selection[1:0]; a correct response drives Debug Enable.]
Enabling Debug on SCU and SECO
• System Controller Debug or SECO Debug require signed commands to open debug on closed parts (with no fuse DEBUG disablement)
• Message payload specifies the target subsystem and permission (DBGEN, NIDEN…)
• Once the signature is validated, SECO enables debug on the desired subsystem with the requested permissions.
[Diagram: the software image (with debug enable) is hashed with SHA-256 and its digest compared against the signed digest; on a match DEBUG is enabled, on a failed compare no debug is enabled.]
Life cycle update
• The life cycle update procedure involves ADM and SECO.
[Diagram: life cycle states FWS, NOF, OCF.]
IEE
Inline Encryption Engine
IEE
• DDR encryption and decryption in AES-XTS mode
• QSPI flash decryption (also execute-in-place (XIP)) in AES-CTR mode
• I/O DMA direct encrypted storage and retrieval (AES-CTR 128)
• Multi-core resource domain separation
• Transparency to software during encrypted access
[Diagram: IEE users on chip (apps cores, M4(s)) reach DDR DRAM through the MRCs with the IEE in the path.]
Resource Partitioning on i.MX 8
What is a Partition:
• A collection of resources (master / slave peripherals, memory regions)
• Has a domain ID and a security attribute
• Cores, peripherals and memory can belong to more than one partition
Benefits of Partitioning:
• Reporting of immediate illegal accesses helps track down hard to find race conditions before they go to production (AKA sandbox methods)
• Provides security on a finished product: protects system critical SoC peripherals from less trusted apps
[Diagram: Partition 0 (SCU), Partition 1 (Safety) and Partition 2 (Multimedia), labelled DID=0, non-secure; DID=2, secure; DID=3, non-secure; masters SCU, CM4, CPU and GPU0; memory regions DDR 0, DDR 1 and DDR 2.]
Secure boot & code signing
SoC Code Signing and Secure Boot
• The application core and system controller boot can be signed with separate super root keys
• Security Controller boot authenticates its firmware using its own
[Diagram: Code Signing in the OEM secure environment – the software image is hashed (SHA-384) and the digest signed with the PKI private key; the public key hash (SRK) is programmed into the fuse box. Authentication at OEM trusted device boot – the software image is hashed again (SHA-384), the signature is decrypted with the PKI public key, and the digests are compared: match → BOOT, mismatch → RELOAD IMAGE.]
i.MX 8 Signed Boot Flow – user actions
Assemble all files in the layout expected by the boot ROM, build the unsigned boot package with mkimage_imx8, then sign it with the Code Signing Tools to obtain the signed boot package.
Second container files:
- SCU FW (including DCD)
- M4 image
- AP IPL/ATF&UBOOT
Notes:
- The first container is provided by NXP already signed. NXP keys are provisioned in the SoC.
- The DCD functionality is built into the SCU FW, we no longer have a separate file.
- The signing keys for the second container are customer specific.
- The CSF file will use a similar, but updated syntax as on past i.MX solutions.
- The customer SRKs will need to be programmed in the i.MX 8 fuses.
i.MX 8QX/QM – Algorithms and keys
Algorithms
• RSA – 1024, 2048, 3072, 4096 bit keys
• ECDSA - p256, p384, p521
• SHA-256, 384, 512 bit*
• AES-CCM – 128, 192, 256 bit keys**
Keys
• Support up to 4 Super Root Keys (SRKs)
• Any SRK may be revoked
• Hash of SRKs stored in fuses
• The public keys are included in the container
• 2 Root of Trust (NXP and OEM)
* Currently supported: ECDSA-P384 / SHA384 – sole allowed configuration for primary container
** Not supported for the primary container. Encryption not available in the current versions of the SECO FW.
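The signed-boot material above (up to four SRKs, their hash in fuses, per-SRK revocation, public keys carried in the container, ECDSA-P384 with SHA-384) and the signed debug-enable commands of the ADM slides are the same verification pattern applied to two payloads. The Go program below is an added example that walks that pattern; it is not the i.MX 8 container format, the boot ROM or the SECO firmware. `SRKTable`, `Fuses`, `Signed`, the X||Y serialisation of the SRK table, SHA-384 as the table hash, the `target|permissions` layout of the debug request and all payload bytes are assumptions or constructed values of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
	"math/big"
)

// SRKTable holds up to four super root public keys (the OEM's, for the second container).
type SRKTable [4]*ecdsa.PublicKey

// Fuses models the OTP contents that authentication depends on: the SRK table hash and a
// revocation mask (bit i set means SRK i is revoked). SHA-384 for the table hash is this
// example's choice; the slide only says the hash of the SRKs is fused.
type Fuses struct {
	SRKHash [48]byte
	Revoked uint8
}

// hashTable serialises each key as fixed-width X||Y (zeros for an empty slot) and hashes the table.
func hashTable(t SRKTable) [48]byte {
	h := sha512.New384()
	for _, k := range t {
		if k == nil {
			h.Write(make([]byte, 96))
			continue
		}
		h.Write(k.X.FillBytes(make([]byte, 48)))
		h.Write(k.Y.FillBytes(make([]byte, 48)))
	}
	var out [48]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Signed is an authenticated message; like the container, it carries the public keys with it.
type Signed struct {
	Payload []byte   // container header (image digests) or a debug-enable request
	SRKs    SRKTable // table shipped inside the message
	Index   int      // which SRK signed it
	R, S    *big.Int
}

// sign is the OEM-side signing step: ECDSA-P384 over the SHA-384 digest of the payload.
func sign(priv *ecdsa.PrivateKey, keys SRKTable, idx int, payload []byte) (Signed, error) {
	d := sha512.Sum384(payload)
	r, s, err := ecdsa.Sign(rand.Reader, priv, d[:])
	return Signed{Payload: payload, SRKs: keys, Index: idx, R: r, S: s}, err
}

// Verify is the device-side order of checks: the shipped SRK table must hash to the fused
// value, the chosen SRK must not be revoked, and the signature must verify under it.
func Verify(f Fuses, m Signed) error {
	if hashTable(m.SRKs) != f.SRKHash {
		return errors.New("SRK table hash does not match fuses")
	}
	if m.Index < 0 || m.Index > 3 || m.SRKs[m.Index] == nil {
		return errors.New("invalid SRK index")
	}
	if f.Revoked&(1<<uint(m.Index)) != 0 {
		return errors.New("SRK is revoked")
	}
	d := sha512.Sum384(m.Payload)
	if !ecdsa.Verify(m.SRKs[m.Index], d[:], m.R, m.S) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Debug-enable requests name the target subsystem and the permissions asked for.
const (
	DBGEN uint8 = 1 << iota
	NIDEN
)

func debugRequest(target string, perms uint8) []byte {
	return append([]byte(target+"|"), perms)
}

// Scenario: provision fuses from the OEM table, authenticate a container and a debug
// request, revoke SRK 0 and retry the container, then present a container whose table
// contains a key that was never fused.
func Scenario() (container, debugReq, afterRevoke, unknownKey error) {
	var privs [4]*ecdsa.PrivateKey
	var table SRKTable
	for i := range privs {
		privs[i], _ = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
		table[i] = &privs[i].PublicKey
	}
	fuses := Fuses{SRKHash: hashTable(table)}
	c, _ := sign(privs[0], table, 0, []byte("container 2: SCU FW, M4, AP image digests")) // constructed header
	container = Verify(fuses, c)
	dbg, _ := sign(privs[1], table, 1, debugRequest("SCU", DBGEN|NIDEN))
	debugReq = Verify(fuses, dbg)
	fuses.Revoked |= 1 << 0
	afterRevoke = Verify(fuses, c)
	foreign, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	altTable := table
	altTable[2] = &foreign.PublicKey
	u, _ := sign(foreign, altTable, 2, []byte("container 2"))
	unknownKey = Verify(fuses, u)
	return
}

func main() {
	c, d, r, u := Scenario()
	fmt.Println("container:", c, "| debug request:", d)
	fmt.Println("after SRK 0 revoked:", r, "| unfused key:", u)
}
```

Shipping the public keys inside the container is safe only because of the first check: the fused hash pins the whole table, so swapping or adding a key invalidates the table before any signature is looked at, and revocation is a fuse write rather than a firmware update.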
Manufacturing protection
Chip Distribution with Primary Manufacturer Authenticated
[Diagram: NXP ships the chip with a chip unique ID, provisioned MP root secret(s) and the Primary Manufacturer Protection SRK (to be fused on the chip). Over the manufacturing channel the Primary Manufacturer sends signed configuration, software, download keys, proprietary software and data (that is then BLOB’ed), and receives chip information signed with the MP private key, derived from the chip and the Primary Manufacturer’s SRK. The product then passes through the distributor to the product device. See Manufacturer Registration details on the next slide.]
Enablement
Enablement
• BSP
− Linux and drivers
− SECO Firmware (NXP signed)
− SCU Firmware and porting kit
− ARM Trusted Firmware (ATF)
− Open Trusted Execution Environment (OP-TEE)
• Tools
− Image creation tool
− Code signing tool
− Manufacturing tool
− JTAG debug scripts (Lauterbach, ARM DS-5)
• Documents
− Security Reference Manual (>1000 pages)
− SECO FW API (30 pages)
− SCU FW API (100 pages)
Cortex A Clusters
Target:
• Unified across i.MX families
• Consistent API and user experience
• Enables most HW capabilities
• Solid secure foundation for:
− Key storage
− Certificate/key enclave in TEE
− IP protection
[Diagram, Normal World / Secure World by exception level. EL0 (user mode): security infrastructure applications/libraries – Chromium, cryptsetup, AWS, OpenSSL, NSS, keytool. EL1 (supervisor mode): Linux/Android with dm-verity/dm-integrity and dm-crypt, i.MX drivers for SECO, SNVS, OCOTP, SCU and CAAM, and i.MX BSP drivers for power management, PMIC, I2C/SPI, CAAM, RDC and XRDC. Secure World: OP-TEE OS with secure data path, resource manager and drivers for SNVS, SECO, TZASC, CSU and CAAM TZ. EL2 shown below.]
Cortex A Clusters
Target:
• Comprehensive i.MX security architecture
• Higher level, industry standard security API provided (PKCS11)
• Seamless integration with existing Linux applications
[Diagram, Normal World / Secure World. EL0 (user mode): applications/libraries – Chromium, cryptsetup, AWS, OpenSSL, NSS, keytool, Secure OTA, NFC lib; Security MW – PKCS11 (multiple token), TPM, CA certificate, remote provisioning, manufacturing protection, NXP SE service, attestation service, key generation, SECO lib, CAAM lib, TEE lib. EL1 (supervisor mode): Linux/Android with dm-verity/dm-integrity and dm-crypt. Secure World: OP-TEE OS with TA authentication, secure data path, resource manager, storage with key blob and SRK encryption.]
www.nxp.com