Teensy 4, signed/encypted boot images

Status
Not open for further replies.

LuisHS

Well-known member
Hello.

Is it possible to compile for Teensy 4, generating a signed or encrypted image of the binary?

I need the binary to be protected so that in commercial applications, nobody can extract it, since being stored in external flash is available to anyone.

I know the procedure with RT micros using MCUXpresso to create protected bootable images, but I don't know how to do it with Teensy 4.

Regards.
 
The only software solution would be to program your own loader using the on-chip encrytion and UID features.
Or use really strong epoxy resin with an embedded vial of nasty acid, like in the old days...
 
The short answer is no, secure encrypted code isn't supported at this time.

To expand on that just a bit, while you probably could craft an encrypted firmware image (using NXP's tools... we don't support that from Arduino+Teensyduino), you can't burn the SEC_CONFIG fuse to put the chip into secure mode. Every Teensy 4.0 has this fuse at 0, and BOOT_CFG_LOCK is at 01 (write protect) which prevents any further writing to that group of fuses. We also set MAC_ADDR_LOCK to 01 and MISC_CONF_LOCK to 1 on every Teensy 4.0.

This is done to prevent Teensy 4.0 from becoming "bricked". There are many ways to burn those boot config fuses which would permanently brick your board. That's far too risky for a product like Teensy which is meant for learning and experimenting and rapid prototyping.

We may at some point in the future sell a "lockable" version of Teensy 4.0, which would have BOOT_CFG_LOCK at 00. When/if this product is made, it would have a different color PCB (likely red) to be visually distinct from the standard Teensy 4.0.
 
We may at some point in the future sell a "lockable" version of Teensy 4.0, which would have BOOT_CFG_LOCK at 00. When/if this product is made, it would have a different color PCB (likely red) to be visually distinct from the standard Teensy 4.0.
I wouldn't mind this variant. Maybe a poll could gauge the community interest in such a product?
 
I wouldn't mind this variant. Maybe a poll could gauge the community interest in such a product?

I came across same problem when I ported one of the product to Teensy almost 5-6 months ago.
I am really waiting for this feature as I have ported my 2 projects now to Teensy4.0 and 1 to 4.1 successfully but holding up new production batches because of encryption/protection.
@Paul I would say if we can get Teensy 4.0 and 4.1 both with this encryption enabled board that would be really great.
 
Yup. One time flash, red silk screen, I'm all in.

@Paul:
This is also a great idea for the production. I am also agree to have ONE TIME FLASH boards as I am happy to loose a board instead of shipping out it without encryption. If we have Special Production Teensy itself. We can do development on normal ones and push out Red Teensies in production.
 
Encrypted boot is a follow on evolution after new bootloader work on this thread :: Bootloader-Chip-For-Teensy-4-0
>> Reading through that thread Paul has posted on the current bootloader work and how it might progress. Some progress was made with HAB setup of the 1062 - not this thread or that thread - but another thread : Teensy-4-0-code-security

That stand alone bootloader will begin to expose the fuses needed to allow such function. Then that functionality needs to be developed given the workings of the 1062 itself.

That work doesn't alter the current Teensy function, but will be available to begin the cryptic task of {reading the 1062 docs} getting the encryption enabled for red board development and outside users of the PJRC bootloader.
 
Status
Not open for further replies.
Back
Top