https://community.nxp.com/t5/Layerscape/Fuse-programming-security-on-LS1028A/m-p/2257158#M16322 <P><a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/199933">@Oswalag</a><BR /><BR /></P><P>Hello,</P><P>I would like to follow up on one of the OP’s questions. What is a minimal OTPMK? I have access to the mentioned document (QorIQ TA 3.0 User Guide), but it does not contain much information about this. Maybe I am missing something, could you point to specific section? From what I understand:</P><P>* If we want to perform the Secure Boot process, the processor needs to be in the Secure or Trusted state.<BR />* The processor can be in the Secure or Trusted state only if the OTPMK is fused.<BR />* Once the OTPMK is fused, there is no way to read it back or rewrite it, since `ERROR_OTPMK_ALREADY_BLOWN` will be thrown.</P><P>I also went through the ATF code where the fuse FIP can be generated. It looks like we can create one with a minimal OTPMK inside, ready to be fused, which basically sets a number of bits to 1.<BR /><A href="https://github.com/nxp-qoriq/atf/blob/lf_v2.10/drivers/nxp/sfp/fuse_prov.c#L162" target="_blank">https://github.com/nxp-qoriq/atf/blob/lf_v2.10/drivers/nxp/sfp/fuse_prov.c#L162</A></P><P>Does this mean that we can fuse a minimal OTPMK, then reboot the platform - which should force the Secure Boot process on the next boot (if ITS or SB_EN is set) - and then fuse the final OTPMK in a verified environment (assuming that the Secure Boot process has completed successfully)?<BR /><BR />So basically, the minimal OTPMK is just an OTPMK value that can be overwritten?<BR /><BR />Looking forward to your reply.<BR /><BR />Regards</P> Mon, 08 Dec 2025 11:34:16 GMT tomzy_0 2025-12-08T11:34:16Z https://community.nxp.com/t5/Layerscape/Fuse-programming-security-on-LS1028A/m-p/2142711#M15946 <P>Hi</P><P>I'm browsing the following document <A href="https://docs.nxp.com/bundle/LLDPUG_L6.1.36_2.1.0/page/topics/fuse_programming_scenarios.html" target="_blank">https://docs.nxp.com/bundle/LLDPUG_L6.1.36_2.1.0/page/topics/fuse_programming_scenarios.html</A>&nbsp;and have some questions regarding fuse programming on LS1028A platform.</P><P>Suppose that all fuse programming will happen in remote contractor.</P><P>Looking at the programming scenarions:</P><P>- in the stage 1 I build a fip that fuses SRKH and some other non sensitive fuses, so that the next image will be validated against secure boot procedure.</P><P>- in the stage 2 I build another fip that fuses sensitive values like OTPMK, WP and so on</P><P>My questions are the following:</P><P>- what's Minimal OTPMK and what's its purpose on LS1028A? I thought that on this platform there is only one OTPMK that should be considered sensitive</P><P>- if I create "secure fip" for the stage 2, how can I prevent my contract manufacturer from extracting sensitive values from fip binary? Correct me if I'm wrong but if the contract manufacturer knows the structure of fuse programming fip, they can easily extract values like OTPMK</P> Tue, 29 Jul 2025 11:43:24 GMT https://community.nxp.com/t5/Layerscape/Fuse-programming-security-on-LS1028A/m-p/2142711#M15946 pb3 2025-07-29T11:43:24Z https://community.nxp.com/t5/Layerscape/Fuse-programming-security-on-LS1028A/m-p/2143213#M15951 <P>Hello,</P> <P>The requested information is available in the document "QorIQ Trust Architecture 3.0 User<BR />Guide", it is available under NDA, please let me know if you have it and I'll share it with you.&nbsp;</P> Wed, 30 Jul 2025 05:15:07 GMT https://community.nxp.com/t5/Layerscape/Fuse-programming-security-on-LS1028A/m-p/2143213#M15951 Oswalag 2025-07-30T05:15:07Z https://community.nxp.com/t5/Layerscape/Fuse-programming-security-on-LS1028A/m-p/2257158#M16322 <P><a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/199933">@Oswalag</a><BR /><BR /></P><P>Hello,</P><P>I would like to follow up on one of the OP’s questions. What is a minimal OTPMK? I have access to the mentioned document (QorIQ TA 3.0 User Guide), but it does not contain much information about this. Maybe I am missing something, could you point to specific section? From what I understand:</P><P>* If we want to perform the Secure Boot process, the processor needs to be in the Secure or Trusted state.<BR />* The processor can be in the Secure or Trusted state only if the OTPMK is fused.<BR />* Once the OTPMK is fused, there is no way to read it back or rewrite it, since `ERROR_OTPMK_ALREADY_BLOWN` will be thrown.</P><P>I also went through the ATF code where the fuse FIP can be generated. It looks like we can create one with a minimal OTPMK inside, ready to be fused, which basically sets a number of bits to 1.<BR /><A href="https://github.com/nxp-qoriq/atf/blob/lf_v2.10/drivers/nxp/sfp/fuse_prov.c#L162" target="_blank">https://github.com/nxp-qoriq/atf/blob/lf_v2.10/drivers/nxp/sfp/fuse_prov.c#L162</A></P><P>Does this mean that we can fuse a minimal OTPMK, then reboot the platform - which should force the Secure Boot process on the next boot (if ITS or SB_EN is set) - and then fuse the final OTPMK in a verified environment (assuming that the Secure Boot process has completed successfully)?<BR /><BR />So basically, the minimal OTPMK is just an OTPMK value that can be overwritten?<BR /><BR />Looking forward to your reply.<BR /><BR />Regards</P> Mon, 08 Dec 2025 11:34:16 GMT https://community.nxp.com/t5/Layerscape/Fuse-programming-security-on-LS1028A/m-p/2257158#M16322 tomzy_0 2025-12-08T11:34:16Z