Security advisory: High Assurance Boot (HABv4) bypass
The NXP i.MX53 System-on-Chip, main processor used in the USB armory Mk I board  design, suffers from vulnerabilities that allow bypass of the optional High Assurance Boot function (HABv4). The HABv4  enables on-chip internal boot ROM authentication of the initial bootloader with a digital signature, establishing the first trust anchor for further code authentication. This functionality is commonly known as Secure Boot  and it can be activated by users who require authentication of the bootloader (e.g. U-Boot) to further maintain, and verify, trust of executed code. Quarkslab reported  to NXP, and subsequently to Inverse Path, two different techniques for bypassing HABv4 by means of exploiting validation errors in the SoC internal boot ROM , which are exposed before bootloader authentication takes place. While the two vulnerabilities have been initially reported for the i.MX6 SoC, Inverse Path evaluated that both issues also apply to the i.MX53 SoC, used on the USB armory Mk I.
Technical details under embargo until July 18th, by mutual agreement between
reported and NXP.