
Thread: Teensy 4, signed/encrypted boot images

  1. #1

    Teensy 4, signed/encrypted boot images

    Hello.

    Is it possible to compile for Teensy 4, generating a signed or encrypted image of the binary?

    I need the binary to be protected so that in commercial applications nobody can extract it, since, being stored in external flash, it is available to anyone.

    I know the procedure with RT micros using MCUXpresso to create protected bootable images, but I don't know how to do it with Teensy 4.

    Regards.

  2. #2
    The only software solution would be to program your own loader using the on-chip encryption and UID features.
    Or use really strong epoxy resin with an embedded vial of nasty acid, like in the old days...

  3. #3
    defragster
    The 1062 can run from encrypted flash - Paul made some note about implementing that during Beta.

  4. #4
    PaulStoffregen
    The short answer is no, secure encrypted code isn't supported at this time.

    To expand on that just a bit, while you probably could craft an encrypted firmware image (using NXP's tools... we don't support that from Arduino+Teensyduino), you can't burn the SEC_CONFIG fuse to put the chip into secure mode. Every Teensy 4.0 has this fuse at 0, and BOOT_CFG_LOCK is at 01 (write protect) which prevents any further writing to that group of fuses. We also set MAC_ADDR_LOCK to 01 and MISC_CONF_LOCK to 1 on every Teensy 4.0.

    This is done to prevent Teensy 4.0 from becoming "bricked". There are many ways to burn those boot config fuses which would permanently brick your board. That's far too risky for a product like Teensy which is meant for learning and experimenting and rapid prototyping.

    We may at some point in the future sell a "lockable" version of Teensy 4.0, which would have BOOT_CFG_LOCK at 00. When/if this product is made, it would have a different color PCB (likely red) to be visually distinct from the standard Teensy 4.0.

  5. #5
    Quote Originally Posted by PaulStoffregen

    We may at some point in the future sell a "lockable" version of Teensy 4.0, which would have BOOT_CFG_LOCK at 00. When/if this product is made, it would have a different color PCB (likely red) to be visually distinct from the standard Teensy 4.0.

    I wouldn't mind this variant. Maybe a poll could gauge the community interest in such a product?

  6. #6
    Quote Originally Posted by donperryjm

    I wouldn't mind this variant. Maybe a poll could gauge the community interest in such a product?

    I came across the same problem when I ported one of the products to Teensy almost 5-6 months ago.
    I am really waiting for this feature, as I have now ported 2 of my projects to Teensy 4.0 and 1 to 4.1 successfully but am holding up new production batches because of encryption/protection.
    @Paul I would say if we can get both Teensy 4.0 and 4.1 as encryption-enabled boards, that would be really great.

  7. #7
    Yup. One time flash, red silk screen, I'm all in.

  8. #8
    Quote Originally Posted by donperryjm

    Yup. One time flash, red silk screen, I'm all in.

    @Paul:
    This is also a great idea for production. I also agree to having ONE TIME FLASH boards, as I am happy to lose a board instead of shipping it out without encryption. If we have a Special Production Teensy itself, we can do development on normal ones and push out Red Teensies in production.

  9. #9
    defragster
    Encrypted boot is a follow-on evolution after the new bootloader work on this thread :: Bootloader-Chip-For-Teensy-4-0
    >> Reading through that thread, Paul has posted on the current bootloader work and how it might progress. Some progress was made with HAB setup of the 1062 - not this thread or that thread - but another thread : Teensy-4-0-code-security

    That standalone bootloader will begin to expose the fuses needed to allow such function. Then that functionality needs to be developed given the workings of the 1062 itself.

    That work doesn't alter the current Teensy function, but will be available to begin the cryptic task of {reading the 1062 docs} getting the encryption enabled for red board development and outside users of the PJRC bootloader.
