ヘルプ
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

OTPMK and secure boot

キャンセル
提案をオンにする
自動提案では、入力時に可能な一致が提案されるので検索結果を素早く絞り込むことができます。
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 
解決済み
ソリューションへジャンプ

OTPMK and secure boot

ソリューションへジャンプ
‎05-06-2016 06:34 AM
3,904件の閲覧回数
vsiles
Senior Contributor I

Hi everyone,

I'm trying to achieve secure boot on a LS1021a board. Every document I read on the subject says to program the OTPMK and SRKHR fuses at the same time, prior to triggering the secure boot. From what I understand in the documentation, only the SRKHR is used during the secure boot.

 

Can I achieve secure boot by only programming the SRKHR fuses, and leave the OTPMK for later ?

 

Best,

Vincent

ラベル(1)
ラベル
タグ(2)
0 件の賞賛
返信
1 解決策

ソリューションへジャンプ
‎05-06-2016 06:58 AM
2,659件の閲覧回数
addiyi
NXP Employee
NXP Employee

The OTPMK registers are set by OEMs to configure a 256-bit secret value that becomes available for use by the SEC module to derive the AES blob keys when the security monitor is in the Trusted state or Secure state. The 256-bit secret value is stored in a

series of eight 32-bit registers OTPMKR0-OTPMKR7. The primary purpose of the OTPMK is encryption and decryption of  additional secret keys (also usable only by the SEC module) that can be used to protect arbitrary data.

You can do all the fuse programming using ccs or uboot. Also, for avoiding SRKH programming, only ccs is used and if you have CMSIS-DAP connection you can use it with no cost.

Adrian

元の投稿で解決策を見る

0 件の賞賛
返信
11 返答(返信)

ソリューションへジャンプ
‎05-08-2016 11:42 PM
2,659件の閲覧回数
vsiles
Senior Contributor I

Thank you !

0 件の賞賛
返信

ソリューションへジャンプ
‎05-06-2016 08:36 AM
2,659件の閲覧回数
vsiles
Senior Contributor I

addiyi​ Could you point me to the right place to download and install ccs, I have trouble finding information about it ?

Best,

Vincent

0 件の賞賛
返信

ソリューションへジャンプ
‎05-08-2016 10:58 PM
2,659件の閲覧回数
addiyi
NXP Employee
NXP Employee

You can pick www.nxp.com/cw4net, and install for example CodeWarrior for ARMv7. Then under Freescale\CW4NET_v2016.01\Common\CCS\bin\, you can start ccs.exe.

Adrian

0 件の賞賛
返信

ソリューションへジャンプ
‎05-06-2016 07:01 AM
2,659件の閲覧回数
vsiles
Senior Contributor I

I didn't know about ccs and CMSIS-DAP, I'll give it a try. Thank you !

0 件の賞賛
返信

ソリューションへジャンプ
‎05-06-2016 06:41 AM
2,659件の閲覧回数
addiyi
NXP Employee
NXP Employee

Programming OTPMK is mandatory. SRKH programming can be avoided, but you have to use the steps from Secure Boot/Debug Configuration for LS1

Adrian

0 件の賞賛
返信

ソリューションへジャンプ
‎05-06-2016 06:51 AM
2,659件の閲覧回数
vsiles
Senior Contributor I

I don't have any license for Code Warrior, so I can't follow the trick to use CW Tap to program the SFP registers.

I only found evaluation version of CW for windows but I'm working on Linux.

Could you explain when the OTPMK is needed for secure boot ?

Best,

V.

0 件の賞賛
返信

ソリューションへジャンプ
‎05-06-2016 06:58 AM
2,660件の閲覧回数
addiyi
NXP Employee
NXP Employee

The OTPMK registers are set by OEMs to configure a 256-bit secret value that becomes available for use by the SEC module to derive the AES blob keys when the security monitor is in the Trusted state or Secure state. The 256-bit secret value is stored in a

series of eight 32-bit registers OTPMKR0-OTPMKR7. The primary purpose of the OTPMK is encryption and decryption of  additional secret keys (also usable only by the SEC module) that can be used to protect arbitrary data.

You can do all the fuse programming using ccs or uboot. Also, for avoiding SRKH programming, only ccs is used and if you have CMSIS-DAP connection you can use it with no cost.

Adrian

0 件の賞賛
返信

ソリューションへジャンプ
‎05-09-2016 01:40 AM
2,659件の閲覧回数
vsiles
Senior Contributor I

Dear addiyi

Thank you for the support. I have a (hopefully) final question here: Since using the ccs::reset_to_debug seems to stop after the PBL and ISBC execution, I get core0 in debug mode too late to program the SRKHn registers. I tried to change my RCW so that neither core0 nor core1 is running, in order to get be able to program the SRKHn registers "early enough", but both cores are now in reset mode instead of debug mode and the write_mem command fails with a "Core not in debug" message.

How would you program the SRKHn register using ccs in order to test secure boot ? Is is possible to switch core 0 from reset to debug and stop it before the ISBC ? Can I control where core 0 stops after a reset_to_debug using only ccs ?

0 件の賞賛
返信

ソリューションへジャンプ
‎05-09-2016 02:14 AM
2,659件の閲覧回数
addiyi
NXP Employee
NXP Employee

When cores are in debug, you can access memory using cmsisdap chain_pos and space 0.

(bin) 59 % display ccs::get_config_chain

Chain Position 0: LS1020A

Chain Position 1: CoreSight ATB Funnel

Chain Position 2: CoreSight TMC

Chain Position 3: CoreSight TMC

Chain Position 4: CoreSight TMC

Chain Position 5: CoreSight CTI

Chain Position 6: CoreSight CTI

Chain Position 7: CoreSight CTI

Chain Position 8: CoreSight ATB Funnel

Chain Position 9: Cortex-A7

Chain Position 10: Cortex-A7 PMU

Chain Position 11: Cortex-A7

Chain Position 12: Cortex-A7 PMU

Chain Position 13: CoreSight CTI

Chain Position 14: CoreSight CTI

Chain Position 15: Cortex-A7 ETM

Chain Position 16: Cortex-A7 ETM

Chain Position 17: CMSISDAP

(bin) 60 % display ccs::read_mem 17 0x1080000 4 0 1

                   +0       +4       +8       +C

[0x01080000] 00000000

Adrian

0 件の賞賛
返信

ソリューションへジャンプ
‎05-09-2016 01:44 AM
2,659件の閲覧回数
vsiles
Senior Contributor I

I saw this but don't know how to use it yet

:ccs::set_hwbp

wrong # args: should be "::ccs::set_hwbp chain_pos [reservation_id] {bp_info}"

Also, most of hwbp related commands return "Unimplemented" so it doesn't seem to be the right direction.

0 件の賞賛
返信

ソリューションへジャンプ
‎05-06-2016 06:53 AM
2,659件の閲覧回数
vsiles
Senior Contributor I

And if it is relevant, I'd like to secure boot from SD card, not from flash

0 件の賞賛
返信