mrlb wrote: ↑2024-05-31 0:48 Hello,
Is there any way to encrypt flash to prevent image file is read?

Hello, there are various solutions for flash encryption available in the market. A common approach is to use Secure Boot with the main control chip to boot the encrypted image. However, RV1103/RV1106 uses OP-TEE V2 for related encryption, which seems to differ from traditional encryption schemes. We have not conducted related testing. If needed, please refer to the relevant documentation.

Hello:

This is very important. It is a dealbreaker to switch development from pi pico 2 to luckfox boards. For pico 2 it is clearly documented on how to write to OTP and they provide scripts to sign and encrypt firmware. The chips used in luckfox certainly do have OTP and even crypto hardware but without a proper documentation/software it is useless. We are talking about many commercial developers that would be eager to switch if security is provided. We developers could take our chances to change some sources but is quite risky to play with OTP fuses considering there is no emulator.

hi tradingfuturo：
We have released the RK Provision OTP guidance document in our wikihttps://files.luckfox.com/wiki/Luckfox-Pico/PDF/doc.7z, if commercial developers need more technical support, they can contact our commercial staff

Thanks for the document, however seems to be for other chips different to the ones in the boards Pico and Lyra. I purchased both for evaluations pico max and lyra B but still unable to secure boot them and encrypt flash content. I am going to investigate how to contact your team. If possible please forward the contact. I have around 700 clients I could potentially sell them boards loaded with firmware.

Contact Information Click on the following link: https://www.luckfox.com/index.php?route ... on/contact

tradingfuturo wrote: ↑2025-01-18 20:31 Thanks for the document, however seems to be for other chips different to the ones in the boards Pico and Lyra. I purchased both for evaluations pico max and lyra B but still unable to secure boot them and encrypt flash content. I am going to investigate how to contact your team. If possible please forward the contact. I have around 700 clients I could potentially sell them boards loaded with firmware.

Hello!
Were you able to enable OPTEE and run rk_test?

Not yet. Support sent me the documentation from Rockchip but an application to generate the keys is missing (and sources fo kernel for lyra are not available yet, for pico they are). I am working in some other things as their engineers work in that area to gain time as it has some details. They should have started. Basically, the bootloader from the chip burns a sha256 hash of the public key (RSA public key) in OTP memory if a signed binary is loaded. From there on binaries are checked. First the hash is compared for the public key (likely to save space from OTP memory since is only 256 bits while RSA is far larger) then signature verified. The same key is used for the whole chain. But also read of the key to use in LUKS would be missing to be able to do this. Only verified boot, but the point is to do both encrypt the flash image, and signed boot. To prevent code injection, dumping of the secret key and decryption of the flash content. Very much waiting for this, since the chip seems to be quite good. It is tricore with good performance and I have multicore versions of the algorithms to deploy.
 

gkirill wrote: ↑2025-01-31 12:47

tradingfuturo wrote: ↑2025-01-18 20:31 Thanks for the document, however seems to be for other chips different to the ones in the boards Pico and Lyra. I purchased both for evaluations pico max and lyra B but still unable to secure boot them and encrypt flash content. I am going to investigate how to contact your team. If possible please forward the contact. I have around 700 clients I could potentially sell them boards loaded with firmware.

Hello!
Were you able to enable OPTEE and run rk_test?