OTPMK and secure boot

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

OTPMK and secure boot

Jump to solution
3,069 Views
vsiles
Senior Contributor I

Hi everyone,

I'm trying to achieve secure boot on a LS1021a board. Every document I read on the subject says to program the OTPMK and SRKHR fuses at the same time, prior to triggering the secure boot. From what I understand in the documentation, only the SRKHR is used during the secure boot.

 

Can I achieve secure boot by only programming the SRKHR fuses, and leave the OTPMK for later ?

 

Best,

Vincent

Labels (1)
Tags (2)
0 Kudos
1 Solution
1,824 Views
addiyi
NXP Employee
NXP Employee

The OTPMK registers are set by OEMs to configure a 256-bit secret value that becomes available for use by the SEC module to derive the AES blob keys when the security monitor is in the Trusted state or Secure state. The 256-bit secret value is stored in a

series of eight 32-bit registers OTPMKR0-OTPMKR7. The primary purpose of the OTPMK is encryption and decryption of  additional secret keys (also usable only by the SEC module) that can be used to protect arbitrary data.

You can do all the fuse programming using ccs or uboot. Also, for avoiding SRKH programming, only ccs is used and if you have CMSIS-DAP connection you can use it with no cost.

Adrian

View solution in original post

0 Kudos
11 Replies
1,824 Views
vsiles
Senior Contributor I

Thank you !

0 Kudos
1,824 Views
vsiles
Senior Contributor I

addiyi​ Could you point me to the right place to download and install ccs, I have trouble finding information about it ?

Best,

Vincent

0 Kudos
1,824 Views
addiyi
NXP Employee
NXP Employee

You can pick www.nxp.com/cw4net, and install for example CodeWarrior for ARMv7. Then under Freescale\CW4NET_v2016.01\Common\CCS\bin\, you can start ccs.exe.

Adrian

0 Kudos
1,824 Views
vsiles
Senior Contributor I

I didn't know about ccs and CMSIS-DAP, I'll give it a try. Thank you !

0 Kudos
1,824 Views
addiyi
NXP Employee
NXP Employee

Programming OTPMK is mandatory. SRKH programming can be avoided, but you have to use the steps from Secure Boot/Debug Configuration for LS1

Adrian

0 Kudos
1,824 Views
vsiles
Senior Contributor I

I don't have any license for Code Warrior, so I can't follow the trick to use CW Tap to program the SFP registers.

I only found evaluation version of CW for windows but I'm working on Linux.

Could you explain when the OTPMK is needed for secure boot ?

Best,

V.

0 Kudos
1,825 Views
addiyi
NXP Employee
NXP Employee

The OTPMK registers are set by OEMs to configure a 256-bit secret value that becomes available for use by the SEC module to derive the AES blob keys when the security monitor is in the Trusted state or Secure state. The 256-bit secret value is stored in a

series of eight 32-bit registers OTPMKR0-OTPMKR7. The primary purpose of the OTPMK is encryption and decryption of  additional secret keys (also usable only by the SEC module) that can be used to protect arbitrary data.

You can do all the fuse programming using ccs or uboot. Also, for avoiding SRKH programming, only ccs is used and if you have CMSIS-DAP connection you can use it with no cost.

Adrian

0 Kudos
1,824 Views
vsiles
Senior Contributor I

Dear addiyi

Thank you for the support. I have a (hopefully) final question here: Since using the ccs::reset_to_debug seems to stop after the PBL and ISBC execution, I get core0 in debug mode too late to program the SRKHn registers. I tried to change my RCW so that neither core0 nor core1 is running, in order to get be able to program the SRKHn registers "early enough", but both cores are now in reset mode instead of debug mode and the write_mem command fails with a "Core not in debug" message.

How would you program the SRKHn register using ccs in order to test secure boot ? Is is possible to switch core 0 from reset to debug and stop it before the ISBC ? Can I control where core 0 stops after a reset_to_debug using only ccs ?

0 Kudos
1,824 Views
addiyi
NXP Employee
NXP Employee

When cores are in debug, you can access memory using cmsisdap chain_pos and space 0.

(bin) 59 % display ccs::get_config_chain

Chain Position 0: LS1020A

Chain Position 1: CoreSight ATB Funnel

Chain Position 2: CoreSight TMC

Chain Position 3: CoreSight TMC

Chain Position 4: CoreSight TMC

Chain Position 5: CoreSight CTI

Chain Position 6: CoreSight CTI

Chain Position 7: CoreSight CTI

Chain Position 8: CoreSight ATB Funnel

Chain Position 9: Cortex-A7

Chain Position 10: Cortex-A7 PMU

Chain Position 11: Cortex-A7

Chain Position 12: Cortex-A7 PMU

Chain Position 13: CoreSight CTI

Chain Position 14: CoreSight CTI

Chain Position 15: Cortex-A7 ETM

Chain Position 16: Cortex-A7 ETM

Chain Position 17: CMSISDAP

(bin) 60 % display ccs::read_mem 17 0x1080000 4 0 1

                   +0       +4       +8       +C

[0x01080000] 00000000

Adrian

0 Kudos
1,824 Views
vsiles
Senior Contributor I

I saw this but don't know how to use it yet

:ccs::set_hwbp

wrong # args: should be "::ccs::set_hwbp chain_pos [reservation_id] {bp_info}"

Also, most of hwbp related commands return "Unimplemented" so it doesn't seem to be the right direction.

0 Kudos
1,824 Views
vsiles
Senior Contributor I

And if it is relevant, I'd like to secure boot from SD card, not from flash

0 Kudos