CodeWarrior Development ToolsのトピックRe: LS1021a-iot board secure boot ?

LS1021a-iot board secure boot ?

dhruvalkumarpat — Tue, 21 Mar 2017 19:32:57 GMT

Hi All,

I was trying to do a secure boot on ls1021aiot based board. It progressed really well but I have following question during the process.

1) On our board we have PBL, Bootscript, U-boot and all the secure headers for bootscript, u-boot, dtb and uImage are stored on QSPI based flash. We have eMMC with 3 partition, which has a rootfs on it. At /boot mount point on each partition on emmc emmc we have uImage and devicetree.dtb file. For verification I fetch those images to DDR in bootscript.

Logs for secure boot at u-boot looks as shown below.

U-Boot 2015.01+ls1+QCAFS_3.1.2.20170223.2106.ga (Mar 16 2017 - 10:23:55)

CPU: Freescale LayerScape LS1020E, Version: 2.0, (0x87081020)
Clock Configuration:
CPU0(ARMV7):800 MHz,
Bus:300 MHz, DDR:600 MHz (1200 MT/s data rate),
Reset Configuration Word (RCW):
00000000: 06060010 00000000 00000000 10000000
00000010: 20000000 0840b920 50610a00 20046000
00000020: 00000000 00000000 00000000 0002ef00
00000030: 20004d00 24849340 00000000 00000000
Board: Cromwell
I2C: ready
DRAM: 512 MiB
Using SERDES1 Protocol: 32 (0x20)
MMC: FSL_SDHC: 0
Using default environment

EEPROM: Invalid ID (ff ff ff ff)
PCIe1: Root Complex no link, regs @ 0x3400000
PCIe2: Root Complex x1 gen1, regs @ 0x3500000
01:00.0 - 168c:0033 - Network controller
PCIe2: Bus 00 - 01
In: serial
Out: serial
Err: serial
PAM:
Version: PAM VER 40.08
Setting MAC address from PAM
ethaddr: 2C:A5:39:00:18:90
eth1addr: 2C:A5:39:00:18:91
SEC0: RNG instantiated
SATA link 0 timeout.
AHCI 0001.0300 1 slots 1 ports ? Gbps 0x1 impl SATA mode
flags: 64bit ncq pm clo only pmp fbss pio slum part ccc
scanning bus for devices...
Found 0 device(s).
SCSI: Net: eTSEC1 is in sgmii mode.
eTSEC2 is in sgmii mode.
eTSEC1, eTSEC2
Diags: Initializing "pdiag" executor

================================================================================
Power-On Self Test
Parallel Wireless, Inc.
(c) Copyright 2014

Power-On Self Test Complete
================================================================================

Hit any key to stop autoboot: 0
esbc_validate command successful
## Executing script at 40001000
4328352 bytes read in 295 ms (14 MiB/s)
18481 bytes read in 105 ms (171.9 KiB/s)
esbc_validate command successful
esbc_validate command successful
## Booting kernel from Legacy Image at 80008000 ...
Image Name: Linux-3.12.37-rt51+ls1+ga86bdb4
Created: 2017-02-11 15:21:18 UTC
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 4328288 Bytes = 4.1 MiB
Load Address: 80008000
Entry Point: 80008000
Verifying Checksum ... OK
## Flattened Device Tree blob at 82800000
Booting using the fdt blob at 0x82800000
Loading Kernel Image ... OK
Loading Device Tree to 9ef26000, end 9ef2d830 ... OK

Starting kernel ...

Currently I am using Boot Hold to load SRKH and CCS logs are as shown below

(bin) 1 % source FUSE_SRKH.tcl
Chain Position 0: LS1020A
Chain Position 1: CoreSight ATB Funnel
Chain Position 2: CoreSight TMC
Chain Position 3: CoreSight TMC
Chain Position 4: CoreSight TMC
Chain Position 5: CoreSight CTI
Chain Position 6: CoreSight CTI
Chain Position 7: CoreSight CTI
Chain Position 8: CoreSight ATB Funnel
Chain Position 9: Cortex-A7
Chain Position 10: Cortex-A7 PMU
Chain Position 11: Cortex-A7
Chain Position 12: Cortex-A7 PMU
Chain Position 13: CoreSight CTI
Chain Position 14: CoreSight CTI
Chain Position 15: Cortex-A7 ETM
Chain Position 16: Cortex-A7 ETM
Chain Position 17: DAP
Chain Position 18: SAP2
+0 +4 +8 +C
[0x01E90014] 8000A900 80000000 00000000 00000000
+0 +4 +8 +C
[0x01EE0200] 00300040 00000000 00000000 00000000
+0 +4 +8 +C
***

Programming SRKH

***
[0x01E90014] 8000A900 80000000 00000000 00000000
+0 +4 +8 +C
[0x01EE0200] 00300040
+0 +4 +8 +C
[0x01EE0204] 00000000
+0 +4 +8 +C
[0x01E90014] 8000A900 80000000 00000000 00000000

My Question is once I get to linux and If I check HPSR I can see SSM is in non-secure mode is it expected ?

(bin) 40 % ccs::display_mem 18 0x1e90014 4 0 4

+0 +4 +8 +C
[0x01E90014] 8000AB00 00002000 00000000 00000000
(bin) 41 %

2) We do lot of testing at u-boot but with secure boot the console won't be available for diagnostics. Is there a way to get console access at u-boot during secure boot ?

Re: LS1021a-iot board secure boot ?

yipingwang — Thu, 30 Mar 2017 11:16:46 GMT

Hello Dhruvalkumar Patel,

1. The value of "0x01E90014" is not totally correct, SSM bit is Non Secure State (0xb) should be abnormal status. Please refer to the document Secure Boot/Debug Configuration for LS1. After program OTPMK, please check whether SecMon_HP Status register value is valid, after write SRKH mirror registers through CCS, please check DCFG_CCSR_SCRATCHRW2. In addition, please refer to the trouble shooting section in the document Setting up Secure Boot on PBL Based Platforms in Prototype Stage.

2. In secure boot mode, u-boot cannot be stopped, please use CCS to connection to the target board to read SecMon_HP and SCRATCHRW2 to do troubling shooting step by step.

If further assistance is needed, please feel free to let me know.

Have a great day,
Yiping

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

Re: LS1021a-iot board secure boot ?

dhruvalkumarpat — Thu, 30 Mar 2017 15:56:08 GMT

Hello yipingwang

It does validate images as shown below.

Hit any key to stop autoboot: 0
esbc_validate command successful
## Executing script at 40001000
4328352 bytes read in 401 ms (10.3 MiB/s)
18481 bytes read in 158 ms (113.3 KiB/s)
esbc_validate command successful
esbc_validate command successful
01e90014: 8000ab00 00002000 00000000 00000000 ..... ..........
01ee0204: 41030000 00000000 00000000 00000000 ...A............
Disabling PAM watchdog
## Booting kernel from Legacy Image at 80008000 ...

But after validating status SecMon status is non-secure and SCRATCHWR2 shows error code but system still boot to linux. Few things to not here is that we have our rootfs stored in emmc. On our system emmc is partitioned into 3. Each partition has a rootfs. Images (uImage and dtb) are loaded from active partition by bootscript and then validated. We don't have ramfs file system. Will that impact anything ?

Thank you

Dhruval

Re: LS1021a-iot board secure boot ?

dhruvalkumarpat — Thu, 30 Mar 2017 17:51:30 GMT

Also, in LS1020A referance manual HPSR status for SYS_SECURITY_CFG should be 011 while in my case its 010 which I don't understand.

SYS_SECURITY_CFG will normally reset to 011b in a chip in the field. It will reset to 000b only in a chip in the Fabrication
facility. After the Freescale-programmable fuses have been blown at the Fabrication facility SYS_SECURITY_CFG will
reset to 001b. The OEM is expected to blow the OEM-programmable fuses, after which SYS_SECURITY_CFG will reset
to 011b.

As I am in development phase I haven't fused ITS instead I am using SB_EN and BO in rcw to do my development. Do you know which are the mandatory fuses for secure boot other than programming OTPMKn ?