SECURE BOOT LS1021A-IOT BOARD

prabinca4u
Contributor III

Hi All

I’m working on a REV2 LS1021A-IOT board and trying to boot from QSPI with secure boot enabled. I’m able to boot from QSPI with non-secure boot, but when I enabled SECURE BOOT in the RCW I'm not getting the console in minicom.

Following are the steps that I did for QSPI boot with secure boot:

1. Generated u-boot (for QSPI in big endian mode, so on compiling u-boot for QSPI itself we are getting byte swapped u-boot), uImage, DTB and rootfs.

2. Generated pub and pri key with the CST tool.

3. Generated CSF header for u-boot, uImage, DTB and rootfs.

4. Generated values of the one time programmable register using the CST tool and flashed them into OTPMKR0 to OTPMKR7.

5. Wrote the value HASH KEY into the SFP_SRKHRn register in big endian mode.

6. Imported rcw_1000_qspiboot.bin into the QCVS tool, set RCW.SBEN=1 and built to generate a new PBL.bin.

7. Byte swapped PBL.bin using byteswap.tcl.

8. Programmed PBL.bin, u-boot and u-boot-csf.out into QSPI.

My doubt is why we are not getting the console when enabling secure boot. The PBI command in PBL.bin loads u-boot in the QSPI, so when enabling secure boot do I need to do any further editing in the PBI commands for loading u-boot and its CSF header? (Because scratch register meanings are different for non-secure and secure boot.)

dhruvalkumarpat
Contributor III

Hi PRABIN CA,

Did you get secure boot working? I am also trying to get the same working on ls1021aiot based boards. I thought you might be able to help me.

1. Did you need to byte swap the ESBC u-boot header, kernel header, boot script header and PPA header before using them?

2. Did you sign the u-boot.bin before byte swapping or did you sign the byte swapped u-boot image? Did you do the same with RCW?

I appreciate a response from anyone.

Thanks in Advance !!

prabinca4u
Contributor III

Hi Dhruvalkuma

Please get the docs from NXP.

1. SECURE BOOT ON LS1021A-IOT REV.2

2. Secure Boot on T1040RDB, TWR-LS1021A and IOT-LS1021A

It is clear how to do it with each image.

Thanks

Prabin CA

dhruvalkumarpat
Contributor III

Also, what are the PBI commands that need to be used? My current command points to the stored u-boot image location.

prabinca4u
Contributor III

Hi,

I think the docs are confidential; you have to contact NXP for this.

For PBI, if you are booting from QSPI, then the RCW with the correct PBI command will be there. You can find the location of u-boot in the PBI command by opening the RCW in the PBI editor tool.

Have you ever booted from QSPI successfully (non-secure QSPI boot)?

dhruvalkumarpat
Contributor III

While doing a secure boot I came across the following errors.

Hit any key to stop autoboot: 0
ERROR :: 800 :: RSA verification failed
## Executing script at 40001000
Bad data crc
Core is entering spin loop.

So I believe that my system is passing the ISBC phase and ESBC phase. But it's not able to verify the boot script and hence failed. I am doing the following in the boot script.

setenv bdev mmcblk0
setenv bpart 1
setenv baudrate 115200
setenv othbootargs mtdoops.mtddev=MTDoops
setenv loadaddr 80008000
setenv fdtaddr 82800000
setenv bootfile uImage
setenv fdtfile cromwell.dtb
setenv bootargs root=/dev/${bdev}p$bpart rootdelay=5 rw console=$consoledev,$baudrate $othbootargs;
ext2load mmc 0:$bpart $loadaddr /boot/$bootfile
ext2load mmc 0:$bpart $fdtaddr /boot/$fdtfile
esbc_validate 0x40150000
esbc_validate 0x40170000
bootm $loadaddr - $fdtaddr

What could cause this error? I will appreciate any pointer or help.

Thanks in Advance !!!

dhruvalkumarpat
Contributor III

Yes, we have our system up and running from QSPI. QSPI holds u-boot, PBI and environment in our product.

dhruvalkumarpat
Contributor III

Thank you so much for replying and giving info about these docs. How did you approach them for this document? Do they come with the SDK? I looked on their website but they are not available for download.

alleny
Contributor I

Hi, can anybody tell me how to boot from QSPI?

I have a REV2 LS1021A-IOT board and am trying to boot from QSPI, but I’m not able to boot from QSPI.

I downloaded u-boot to address 0 of QSPI, as shown below:
=> sf probe
=> sf erase 0x0 0x100000
=> fatload mmc 0:1 0x85000000 u-boot-ls1021aiot-swap-2014.07-r0.bin

=> sf write 0x85000000 0x0 0x80000

After reset, I cannot boot the board. The information printed is shown below:
=>
U-Boot SPL 2014.07+ls1+g659b6a2 (Apr 07 2015 - 18:49:22)
Card did not respond to voltage select!
spl: mmc init failed: err - -17
### ERROR ### Please RESET the board ###

prabinca4u
Contributor III

Hi Allen

Please remember the following while booting from QSPI:

1. U-boot for QSPI (you need to compile it for QSPI).

2. RCW for QSPI (according to the PBL command in your RCW, you need to flash u-boot).

This is not like SD card boot. You need to generate both RCW and u-boot for QSPI.

yipingwang
NXP TechSupport

Hello PRABIN CA,

Please refer to the following check points.

1. Check the SM_HP Status Register (SECMON_HPSR); please refer to the LS1021 Reference Manual for details. Bits OTPMK_ZERO, OTPMK_SYNDROME and PE should be 0; otherwise there is some error in the OTPMK fuse blown by you.

2. If the OTPMK fuse is correct (see Step 1), check the SCRATCHRW2 register for errors. Refer to Section for error codes.

If Error code = 0, then check the Security Monitor state (SSM_ST) in the SECMON_HPSR register.

Sec Mon in Check State (0x9)

If ITS fuse = 1, then it means the ISBC code has reset the board. This may be due to the following reasons:

Hash of the public key used to sign the ESBC u-boot doesn't match the value in the SRK Hash Fuse.

Or signature verification of the image failed.

Sec Mon in Trusted State (0xd) or Non Secure State (0xb)

Check the entry point field in the ESBC header. It seems that this value should be 0x40010000 for QSPI u-boot.

3. If the entry point is correct, ensure that the u-boot image has been compiled with the required secure boot configuration. You need to define CONFIG_SECURE_BOOT in include/configs/ls1021aiot.h in the u-boot source code.


Have a great day,
Yiping

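The checklist in the reply above, written out as a small register decoder. This is an added example, not code from NXP or from any poster in this thread. The SSM_ST field position matches U-Boot's HPSR_SSM_ST_MASK; the OTPMK_ZERO and OTPMK_SYNDROME bit positions are assumptions (SNVS-style layout) to confirm against the LS1021A Reference Manual, and the PE bit is not decoded.

```python
# Added example: triage of a failed LS1021A secure boot from two register reads.
# Field positions are ASSUMPTIONS unless noted; confirm in the reference manual.
SSM_ST_MASK, SSM_ST_SHIFT = 0x00000F00, 8   # matches U-Boot's HPSR_SSM_ST_MASK
OTPMK_ZERO_BIT = 1 << 27                    # assumed position (SNVS-style layout)
OTPMK_SYNDROME_MASK = 0x1FF << 16           # assumed position (SNVS-style layout)
# The PE bit from step 1 is not decoded: take its position from the manual.

SSM_STATES = {0x9: "Check", 0xD: "Trusted", 0xB: "Non-Secure"}  # values from the post


def decode_hpsr(hpsr):
    """Split a 32-bit SECMON_HPSR value into the fields the checklist uses."""
    return {
        "otpmk_zero": int(bool(hpsr & OTPMK_ZERO_BIT)),
        "otpmk_syndrome": (hpsr & OTPMK_SYNDROME_MASK) >> 16,
        "ssm_st": (hpsr & SSM_ST_MASK) >> SSM_ST_SHIFT,
    }


def triage(hpsr, scratchrw2, its_fuse):
    """Walk the checklist in order and return the first finding."""
    f = decode_hpsr(hpsr)
    if f["otpmk_zero"] or f["otpmk_syndrome"]:
        return "step 1: OTPMK fuse error (OTPMK_ZERO/OTPMK_SYNDROME not 0)"
    if scratchrw2 != 0:
        return f"step 2: error code 0x{scratchrw2:08x} in SCRATCHRW2"
    state = SSM_STATES.get(f["ssm_st"], f"unlisted state 0x{f['ssm_st']:x}")
    if state == "Check":
        if its_fuse:
            return ("step 2: Check state with ITS=1: ISBC reset the board; "
                    "SRK hash mismatch or signature verification failed")
        return "step 2: Check state with ITS=0: not covered by the checklist"
    if state in ("Trusted", "Non-Secure"):
        return (f"step 2: {state} state: check ESBC header entry point, "
                "then step 3: CONFIG_SECURE_BOOT in the u-boot build")
    return f"step 2: {state}: consult the reference manual"


if __name__ == "__main__":
    # 0x8000a900 is the HPSR value a poster reports later in this thread;
    # the SCRATCHRW2 and ITS inputs are constructed for illustration.
    print(decode_hpsr(0x8000A900))
    print(triage(0x8000A900, 0x0, its_fuse=True))
```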

prabinca4u
Contributor III

Hi Yiping, thanks for your reply.

Please find the inline answers.

1. There is no way to check the status of these bits, because we are not getting the console. With CW tap we can read these bits, right?

2. CW tap may be needed to check this status also? Is the ITS bit a fuse bit? With CW tap can we reset its value to 0, for disabling secure boot other than in RCW?

The content of the ESBC header that I have set in the PBI commands is the location where I have flashed the CSF header of U-boot (the location is 0x40090000). From the CSF header I have set the boot entry (the location where I have flashed the U-boot is 0x40010000).

3. #ifdef CONFIG_SECURE_BOOT is there but not defined in ls1021aiot.h; with which value do I have to define this macro?

Thanks

yipingwang
NXP TechSupport

Hello PRABIN CA,

1. You could use CodeWarrior to create a bareboard project and use the "Attach" launch configuration to connect to the target, then read the register values from the debugger shell window.

Or from the CCS console directly.

% config cc cwtap

% ccs::config_chain {ls1021 dap sap2}

% display ccs::get_config_chain

% ccs::read_mem <chain_pos> <address> <size> <space> <count>

2. In the prototyping phase, please don't blow the ITS fuse; please use RCW with SB_EN=1 instead, because it cannot be changed back after the ITS fuse is blown.

3. You could enable secure boot in the file configs/ls1021aiot_qspi_defconfig.

CONFIG_SYS_EXTRA_OPTIONS="QSPI_BOOT,SECURE_BOOT"

Or define the macro CONFIG_SECURE_BOOT in the header file directly.

Please continue to check the other registers mentioned above.


Have a great day,
Yiping

prabinca4u
Contributor III

Thanks a lot Yiping, let me try this.

prabinca4u
Contributor III

And adding one more point: at the time of fusing I checked the status of the SM_HP register and I got the value 0x8000a900, which implies

OTPMK_ZERO=0

OTPMK_SYNDROME=0

PI=0

Please help me with the above data.
