{"id":21423840,"url":"https://github.com/ossystems/meta-secure-imx","last_synced_at":"2025-07-20T06:34:01.727Z","repository":{"id":140291753,"uuid":"516498816","full_name":"OSSystems/meta-secure-imx","owner":"OSSystems","description":null,"archived":false,"fork":false,"pushed_at":"2022-07-21T19:40:10.000Z","size":24827,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-07-01T10:48:09.648Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OSSystems.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING.MIT","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-21T19:31:46.000Z","updated_at":"2022-07-21T19:34:26.000Z","dependencies_parsed_at":null,"dependency_job_id":"967e90fc-8c11-407a-b7ac-72053fb0083f","html_url":"https://github.com/OSSystems/meta-secure-imx","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/OSSystems/meta-secure-imx","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OSSystems%2Fmeta-secure-imx","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OSSystems%2Fmeta-secure-imx/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OSSystems%2Fmeta-secure-imx/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OSSystems%2Fmeta-secure-imx/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OSSystems","download_url":"https://codeload.github.com/OSSystems/meta-secure-imx/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OSSystems%2Fmeta-secure-imx/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266076429,"owners_count":23872752,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-22T21:18:27.165Z","updated_at":"2025-07-20T06:34:01.703Z","avatar_url":"https://github.com/OSSystems.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OS Security\n\n## Secure Boot\n\nSecure boot ensures only authenticated software runs on the device and is achieved by verifying digital signatures of the software prior to executing the code. \nTo achieve secure boot SoC support is required. NXP i.MX processors family has support for it, this feature is marketed as High Assurance Boot (HAB).\n\n### Build a chain of Trust\n\nA typical Linux based system has the following components:\n\n* Bootloader\n\n* Kernel, Device Tree\n\n* Root Filesystem + User applications\n\n* Application data\n\n#### Bootloader Authentication\n\nBootloader Authentication is processor specific. However the mechanisms are the same :\n\n* Creating a public/private key pair\n* Signing the bootloader using vendor-specific code signing tools (CST Tool for NXP)\n* Burning the public key (or hash of public key) onto One-Time programmable (OTP) fuse on the processor during Production\n\nThe processor Boot-ROM code on power-on loads the bootloader with the signature/certificates appended to it,\nthen authenticates the software by performing the following steps:\n\n* Verify the public key used in the signature/certificate with the one stored in the OTP fuses\n* Extract the hash of bootloader from the signature using the verified public key\n* Compare the extracted hash with the computed hash of the bootloader. If it matches the boot process is continued if not it stops\n\n\n![HAB Authentication](HAB1.png)\n\n\n##### NXP Signing Tool (CST)\n\nCST Tool can be downloaded from NXP Website at :\nhttps://www.nxp.com/webapp/sps/download/license.jsp?colCode=IMX_CST_TOOL\n\nFor imx8mp\nhttps://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL_NEW\n\nwhich was ```cst-3.3.1.tgz``` when writting this document.\n\n* Certificates/keys generation:\n\ncreate a serial number file that OpenSSL wil use for the certificate serial number:\n\n        $ cd cst-2.3.3/keys\n        $ echo \"12345678\" \u003e serial\n\ncreate a key pass file that contains a passphrase to protect the HAB code signing private keys:\n\n        $ cd cst-2.3.3/keys\n        $ echo 'xm5hg86s$ps' \u003e  key_pass.txt\n        $ echo 'xm5hg86s$ps' \u003e\u003e key_pass.txt\n\ncreate the signature keys/certificates for hab4:\n\n        cst-2.3.3/keys$ ./hab4_pki_tree.sh\n\n       ...\n       Do you want to use an existing CA key (y/n)?: n\n       Do you want to use Elliptic Curve Cryptography (y/n)?: n\n       Enter key length in bits for PKI tree: 4096\n       Enter PKI tree duration (years): 10\n       How many Super Root Keys should be generated? 4\n       Do you want the SRK certificates to have the CA flag set? (y/n)?: y\n\ngenerate the fuse table and binary hash:\n\n        $ cd cst-2.3.3/crts\n        $ ../linux64/bin/srktool -h 4 -t SRK_1_2_3_4_table.bin -e SRK_1_2_3_4_fuse.bin -d sha256 -c \\\n        SRK1_sha256_4096_65537_v3_ca_crt.pem,./SRK2_sha256_4096_65537_v3_ca_crt.pem,./SRK3_sha256_4096_65537_v3_ca_crt.pem,./SRK4_sha256_4096_65537_v3_ca_crt.pem -f 1\n        \n        \n###### IMX.6 based boards\n\nThe hashes table that must be burned into the device to validate the public keys, can be generated from the fuse table above using the script:\n\n        #!/bin/bash\n        #\n        # For iMX6 there are 3 banks available\n        #\n        bank=3\n        word=0\n        if [ $# -ne 1 ]; then\n                echo Usage: $0  /path/to/SRK_1_2_3_4_fuse.bin\n                exit 1\n        fi\n        for ((i=0; i\u003c8; i++))\n        do\n                offset=$((i * 4))\n                printf \"fuse prog -y $bank $word %s\\n\" `hexdump -s $offset -n 4  -e '/4 \"0x\"' -e '/4 \"%X\"\"\\n\"' ${1}`\n                ((word++))\n        done\n\n a call example :\n \n        imx6-hab-cst-sign$ ./imx6-u-boot_fuse_commands.sh /path/to/SRK_1_2_3_4_fuse.bin\n        fuse prog -y 3 0 0x85CB70D5\n        fuse prog -y 3 1 0xE3064103\n        fuse prog -y 3 2 0xF372C459\n        fuse prog -y 3 3 0x94C7ECBD\n        fuse prog -y 3 4 0x3A98FD08\n        fuse prog -y 3 5 0xFBFC10C4\n        fuse prog -y 3 6 0x3007BA2B\n        fuse prog -y 3 7 0xDED88E4C \n        \n###### IMX.8 based boards\n\nget the values for the fuses with\n\n\t$ hexdump -e '/4 \"0x\"' -e '/4 \"%X\"\"\\n\"' \u003c SRK_1_2_3_4_fuse.bin\n\t0x85CB70D5\n\t0xE3064103\n\t0xF372C459\n\t0x94C7ECBD\n\t0x3A98FD08\n\t0xFBFC10C4\n\t0x3007BA2B\n\t0xDED88E4C\n\nwhich leads in the following U-Boot commands:\n\n\t=\u003e fuse prog -y 6 0 0x85CB70D5\n\t=\u003e fuse prog -y 6 1 0xE3064103\n\t=\u003e fuse prog -y 6 2 0xF372C459\n\t=\u003e fuse prog -y 6 3 0x94C7ECBD\n\t=\u003e fuse prog -y 7 0 0x3A98FD08\n\t=\u003e fuse prog -y 7 1 0xFBFC10C4\n\t=\u003e fuse prog -y 7 2 0x3007BA2B\n\t=\u003e fuse prog -y 7 3 0xDED88E4C\n\nOnce it's *absolutely* sure about what has been done so far and that it works, you can “close” the device.\n\nThis step is IRREVERSIBLE, better make sure there is no HAB Events in open mode configuration!!!!\n\nimx.6 case:\n\n        fuse prog 0 6 0x2\n\nimx.8 case:\n\n\t=\u003e fuse prog 1 3 0x02000000\n\n* Signing Process:\n\nThe first stage of HAB is the authentication of U-Boot. CST tool is used to generate the CSF data, which includes public\nkey, certificate, and instruction of authentication process. The CSF data is attached to the original u-boot.img. The process is\ncalled Signature.\nThe IVT should be modified to contain a pointer to the CSF data. The original u-boot.img image size is around 0x27000 to\n0x28000. For convenience, we first extend its size to 0x2F000 (with fill 0x5A). Then concatenate it with the CSF data. The\ncombined image is again extended to a fixed length (0x31000), which is used as the IVT image size parameter.\nThe new memory layout is shown in the following image layout:\n\n![HAB Layout](HAB2.png)\n\n\nThis process is fully automated in Yocto by using the class uboot-hab-sign.bbclass which is using the default settings:\n\n\n       # HAB Settings\n       HAB_ENABLE= \"1\"\n       HAB_DIR ?= \"${HAB_BASE}/conf/hab\"\n       SRKTAB ?= \"${HAB_DIR}/crts/SRK_1_2_3_4_table.bin\"\n       CSFK ?= \"${HAB_DIR}/crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem\"\n       SIGN_CERT ?= \"${HAB_DIR}/crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem\"\n\nU-Boot is signed then with developement Certificates/keys, For production the local.conf can be used to overwrite those settings by the productive ones.\n\nThe outcome of the process is:\n\n| Image  | imx6 | imx8 |\n|--------|------|------|\n| SPL    | SPL.signed | SPL.signed |\n| U-Boot | u-boot-ivt.img-spi.signed | u-boot.itb.signed |\n\n:warning: In imx8 case, you need to build U-Boot with SPL_FIT_GENERATOR disabled. See more infos [i.MX8M HAB](imx8_hab.md)\n\n## Signed Filesystem\n\nTo extend the chain of Trust to the Applications, the Root Filesystem must be authenticated on each boot to check it's validity using Digital Signature Verification.\nthere are several way to achieve this goal such as dm-verity, dm-integrity, IMA/EVM,...But we chose a simple way to implement it by verifying the wohl Rootfs Partition Signature \nin Initramfs before mounting it:\n\n\n        # +------------+  0x0                     -\n        # |            |                          |\n        # |            |                          |\n        # |            |                          |\n        # |            |                          |\n        # | File       |                          |\n        # | System     |                          |\n        # .            |                          |\n        # .            |                           \u003e PAYLOAD to be signed      ----+\n        # .            |                          |                                |\n        # |            |                          |                                |\n        # |            |                          |                                |\n        # +------------+                          |                                |\n        # |            |                          |                                |\n        # | Fill Data  |                          |                                |\n        # |            |                          |                                |\n        # +------------+ MAGIC_OFFSET(MB Aligned) |                                |\n        # | Magic      |                          |                                |\n        # +------------+ MAGIC_OFFSET + MAGIC_LEN -                                |\n        # |            |                                                           |\n        # | Signature  | \u003c---------------------------------------------------------+\n        # |            |\n        # +------------+\n\n\n1) The rootfs image size is aligned to MB blocks\n\n2) Magic Header is appended to those blocks\n\n3) The sum is then hashed signed and signature is the appended\n\n\nThe class *sign-fs.bbclass*\n\nis automatically performing this process and is using the default settings:\n\n\n        CA_CERT ?= \"${HAB_DIR}/crts/CA1_sha256_4096_65537_v3_ca_crt.pem\"\n        ROOT_CERT ?= \"${HAB_DIR}/crts/SRK1_sha256_4096_65537_v3_ca_crt.pem\"\n        SIGN_KEY ?= \"${HAB_DIR}/keys/IMG1_1_sha256_4096_65537_v3_usr_key.pem\"\n        PASS_FILE ?= \"${HAB_DIR}/keys/key_pass.txt\"\n\nadded to machine conf or local conf will generate the signed rootfs in deploy folder:\n\n        IMAGE_FSTYPES = \"squashfs.signed\"\n\nOn boot the initramfs is performing the reverse process to verify the digital signature of the rootfs:\n\n\n        # +------------+  0x0 (MMC_PART_START) ----\n        # |            |                          |\n        # |            |                          |\n        # |            |                          |\n        # |            |                          |\n        # | File       |                          |\n        # | System     |                          |\n        # .            |                          |\n        # .            |                           \u003e PAYLOAD to be verified    ----+\n        # .            |                          |                                |\n        # |            |                          |                                |\n        # |            |                          |                                |\n        # +------------+                          |                                |\n        # |            |                          |                                |\n        # | Fill Data  |                          |                                |\n        # |            |                          |                                |\n        # +------------+ MAGIC_OFFSET(MB Aligned) |                                |\n        # | Magic      |                          |                                |\n        # +------------+ MAGIC_OFFSET + MAGIC_LEN -                                |\n        # |            |                                                           |\n        # | Signature  | \u003c---------------------------------------------------------+\n        # |            |\n        # +------------+\n\n\n### encrypted rootfs (read only squashfs)\n\nAs rootfs we use a read-only squashfs (ramdisk). The rootfs is crypted\nwith dm-crypt with AES-128-GCM.\n\nThe class *crypt-fs.bbclass*\nperforms the needed steps to crypt the FS image.\n\nAs it is not a good idea to store the key in plain, we use the\nDCP or CAAM for crypting the raw key and get a key blob we can store\nin the SPI NOR.\n\nThe blob is stored on a project specific device. The user of the layer\nshould provide a /etc/default/initramfs file, that loads the blob\nand copies it into /tmp/key.blob. This is used by the ramdisk to setup\nthe encryptded rootfs.\n\nTo create and store the blob:\n\n\tkeyctl add symmetric \"rootfskey\" \"\u003cengine\u003e load_plain \u003ckey hex text\u003e\" @s\n\nFor example:\n\n\tkeyctl add symmetric \"rootfskey\" \"caam load_plain 0102030405060708AABBCCDDEEFF12AA\" @s\n\tkeyctl show -x\n\nYou get an id for the key.\n\nThen export the blob:\n\n\tkeyctl pipe \u003ckey id\u003e \u003e /tmp/blob\n\nAnd copy the resulting blob on a persistent device. The real key is never exposed and it is\ndecrypted with the unique key of the device, so this procedure must be done for each produced\ndevice in the factory.\n\n#### raw key definitions\n\ndefine for example your raw key for the rootfs image:\n\nENC_KEY_RAW ?= \"fdf6842566d47e47d6874da561fec433\"\n\nso the ```crypt-fs``` can use it. This key *never* should be lost!\n\n### DCP usage\n\nsee implementation details in *dcp_overview.pdf*\n\n### order of execution\n\nWe first crypt the FS image, than sign it, so on boot we first\ncheck the signature and if the signature is OK, we encrypt the\nFS image.\n\nSee the initrd script: *recipes-core/initrdscripts/files/initramfs-init.sh*\n\n### setup\n\nIntentionally using this meta layer as it is will fail your build.\n\nYou must add the keys for HAB boot, signed FS somehow to your yocto build\nsetup.\n\nThis can be done by simply adding another meta layer, which contains all the needed\nkeys.\n\nAdd this meta layer to your build and you use the default keys from there.\n\nOf course, do not use them in your product!\n\n# Example usage of `meta-secure-imx` layer with imx6ull based BSP\n\n## Introduction\nThis section of the documentation describes the integration of this meta layer\nwith BSP meta layer.\n\nIt is important to also use the `meta-security` and `meta-mainline-common` from\n[1] to get the newest stable kernels.\n\n## Available initramfs images:\n1. `factory-image-fit` - it is responsible for the factory setup of the iMX\nbased board:\n  - Fuse MAC address from tftp accessible `imx6ull-\u003cboard\u003e-mac.txt`\n  - Fuse SRK from tftp accessible `SRK_1_2_3_4_fuse.bin`\n  - Create rootfs encryption blob - it needs to download (temporarily only)\n\tthe `imx6ull-\u003cboard\u003e-rootfs-enc-key.txt` with encryption key (it is the same\n\tas the one passed to `ENC_KEY_RAW` and will **NOT** be stored on the board)\n  - Enable secure booting (a.k.a locking the board) -\u003e PERMANENT\n  - Sets the eMMC boot areas as RO (read only) -\u003e PERMANENT.\n\nIt needs to be build separately with: `bitbake factory-image-fit`\n\n2. `crypt-image-initramfs` is the fitImage with initramfs (and kernel), which:\n  - Will read the keyblob from persistent memory\n  - Setup dm-crypt to decrypt the rootfs\n  - Switch root to boot from it\n\nIt is build when `virtual/kernel` is build (the\n`INITRAMFS_IMAGE = \"crypt-image-initramfs\"` is added to machine.conf file)\n\n## Enhancements to `meta-\u003cboard\u003e-bsp` layer\n\n1. `recipes-core/images/factory-image-fit.bbappend` - set correct load address\nfor the imx6ull SoC\n\n```\ndo_assemble_fit_prepend() {\n\tsed -i \"s|ITS_KERNEL_LOAD_ADDR|0x87800000|g\" ${B}/rescue.its.in\n\tsed -i \"s|ITS_KERNEL_ENTRY_ADDR|0x87800000|g\" ${B}/rescue.its.in\n}\n```\n\n2. `recipes-core/initrdscripts/initramfs-init_%.bbappend`\n```\nFILESEXTRAPATHS_prepend := \"${THISDIR}/files:\"\n\nSRC_URI += \" \\\n  file://initramfs \\\n\"\n\nINITFUNCTIONS_INSTALL_DIR ?= \"${sysconfdir}/default\"\n\ndo_install_append () {\n\tinstall -d ${D}${sysconfdir}\n\tinstall -d ${D}${INITFUNCTIONS_INSTALL_DIR}\n\tinstall -m 0755 ${WORKDIR}/initramfs ${D}${INITFUNCTIONS_INSTALL_DIR}\n}\n\nFILES_${PN} += \" \\\n  ${INITFUNCTIONS_INSTALL_DIR}/initramfs \\\n\"\n```\n\n3. `recipes-core/initrdscripts/files/initramfs`  - set board specific bash\nfunctions and variables\n\n```\n# Board specific defines\n#\nimx_soc=\"imx6ull\"\nkeystoredev=\"mmc\"\nkeystoremmcdev=\"1\"\nkeystoremmcpart=\"boot0\"\nboard=\"\u003cboard\u003e\"\n\n# dcp blob has 138 bytes\nkeysize=\"138\"\n\n# eMMC boot0 part offset (in LBAs)\n# Provide 512B to store the blob\n# 4MiB - 512B (and converted to LBA)\nkeyoffset=\"8191\"\n\nkeyblobpath=\"/tmp/dmcrypt.blob\"\n\n# We use rootfs encryption with signed key\nVERIFYROOTFS=\"no\"\n\nCRYPT_KEY_FILE=\"imx6ull-\u003cboard\u003e-rootfs-enc-key.txt\"\nMAC_ADDR_FILE=\"imx6ull-\u003cboard\u003e-mac.txt\"\n\n# Fuse nvmem offsets for imx6ull\nIMX_FUSE_SEC_CONFIG_IDX=\"6\"\nIMX_FUSE_SEC_CONFIG_VAL=\"\\x2\\x0\\x0\\x0\"\n\nIMX_FUSE_SRK_IDX=\"24\"\nIMX_FUSE_SRK_SIZE=\"8\"\n\nIMX_FUSE_MAC0_IDX=\"34\"\nIMX_FUSE_MAC1_IDX=\"35\"\n\n# From u-boot envs\nget_root_dev_path () {\n\tmmc_part=$(fw_printenv -n mmcdev)\n\troot_part=$(fw_printenv -n rootpart)\n\n\tROOT_DEV=\"/dev/mmcblk${mmc_part}p${root_part}\"\n}\n\nload_key_blob () {\n\ttfile=\"/tmp/keytmp\"\n\tdd if=/dev/mmcblk${keystoremmcdev}${keystoremmcpart} of=${tfile} bs=512 skip=${keyoffset} count=1 2\u003e/dev/null\n\tdd if=${tfile} of=${keyblobpath} bs=1 count=${keysize} 2\u003e/dev/null\n\n\trm ${tfile}\n}\n\nimx_fuse_read () {\n\tidx=${1}\n\tcount=${2}\n\n\t[ -z ${idx} ] \u0026\u0026 return 1\n\t[ -z ${count} ] \u0026\u0026 return 1\n\n\tocotp_patch=$(find /sys/bus/ -name \"imx-ocotp0\")\n\t[ -z ${ocotp_patch} ] \u0026\u0026 { echo \"No FUSE support!\"; return 1; }\n\tocotp_file=${ocotp_patch}/nvmem\n\n\tdd if=${ocotp_file} bs=4 count=${count} skip=${idx} 2\u003e/dev/null | hexdump -e '\"0x%04x\\n\"'\n}\n\nimx_fuse_write () {\n\tidx=${1}\n\tfile=${2}\n\n\t[ -z ${idx} ] \u0026\u0026 return 1\n\t[ -z ${file} ] \u0026\u0026 return 1\n\n\tocotp_patch=$(find /sys/bus/ -name \"imx-ocotp0\")\n\t[ -z ${ocotp_patch} ] \u0026\u0026 { echo \"No FUSE support!\"; return 1; }\n\tocotp_file=${ocotp_patch}/nvmem\n\n\t# Below is a test code to check if we are going to correctly write fuses\n\t#hexdump ${ocotp_file}\n\t#dd if=/dev/zero of=/tmp/foo bs=64 count=1 2\u003e/dev/null\n\t#dd if=${file} of=/tmp/foo bs=4 seek=${idx} 2\u003e/dev/null\n\t#hexdump /tmp/foo\n\n\t# Real code to program fuses\n\tdd if=${file} of=${ocotp_file} bs=4 seek=${idx} 2\u003e/dev/null\n}\n\n# imx6ull FUSE information\n# static const char *imx6ull_otp_desc[][8] = {\n# BANK8(LOCK, CFG0, CFG1, CFG2, CFG3, CFG4, CFG5, CFG6),\n# BANK8(MEM0, MEM1, MEM2, MEM3, MEM4, ANA0, ANA1, ANA2),\n# BANK8(OTPMK0, OTPMK1, OTPMK2, OTPMK3, OTPMK4, OTPMK5, OTPMK6, OTPMK7),\n# BANK8(SRK0, SRK1, SRK2, SRK3, SRK4, SRK5, SRK6, SRK7),\n# BANK8(SJC_RESP0, SJC_RESP1, MAC0, MAC1, MAC2, CRC, GP1, GP2),\n# BANK8(SW_GP0, SW_GP1, SW_GP2, SW_GP3, SW_GP4,  MISC_CONF,  FIELD_RETURN, SRK_REVOKE),\n# BANK8(ROM_PATCH0, ROM_PATCH1, ROM_PATCH2, ROM_PATCH3, ROM_PATCH4, ROM_PATCH5, ROM_PATCH6, ROM_PATCH7),\n# BANK8(GP30, GP31, GP32, GP33, GP40, GP41, GP42, GP43),\n#};\n\nfactory_get_file () {\n\tfile=\"${1}\"\n\t[ -z ${file} ] \u0026\u0026 { echo \"File to get not provided!\"; return 1; }\n\n\ttftp -g -r ${file} -l /tmp/${file} 192.168.0.1\n}\n\nset_ro_on_mmcboot() {\n     dev=\"${1}\"\n     bootpart=\"${2}\"\n     mmcboot=\"mmcblk${dev}boot${bootpart}\"\n\n     [ -b /dev/${mmcboot} ] || { echo \"No ${mmcboot}!\"; return 1; }\n\n     echo \"Setting ${mmcboot} to RO !\"\n     # Please use the -p switch to set RO for boot area permanently,\n     # otherwise the RO is only till next boot.\n     mmc writeprotect boot set /dev/mmcblk${dev} ${bootpart}\n}\n\n# Board specific quirks:\n#\nboard_factory_setup () {\n\techo \"Set booting from /dev/mmcblk1boot0\"\n\tmmc bootpart enable 1 0 /dev/mmcblk1\n\n\tset_ro_on_mmcboot 1 0 || { echo \"FAIL!\"; return 1; }\n\tset_ro_on_mmcboot 1 1 || { echo \"FAIL!\"; return 1; }\n}\n\n```\n\nThe `iMX7/8` will have different offsets for eFUSE registers, but\nthe overall idea for read/write functions can be reused.\n\n\nLinks:\n------\n\n[1] - https://source.denx.de/denx/meta-mainline-common\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossystems%2Fmeta-secure-imx","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fossystems%2Fmeta-secure-imx","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossystems%2Fmeta-secure-imx/lists"}