Fuse programming security on LS1028A


370 Views
pb3
Contributor II

Hi

I'm browsing the following document https://docs.nxp.com/bundle/LLDPUG_L6.1.36_2.1.0/page/topics/fuse_programming_scenarios.html and have some questions regarding fuse programming on LS1028A platform.

Suppose that all fuse programming will happen at a remote contractor.

Looking at the programming scenarios:

- in stage 1 I build a fip that fuses SRKH and some other non-sensitive fuses, so that the next image will be validated against the secure boot procedure.

- in stage 2 I build another fip that fuses sensitive values like OTPMK, WP and so on.

My questions are the following:

- what's Minimal OTPMK and what's its purpose on LS1028A? I thought that on this platform there is only one OTPMK that should be considered sensitive

- if I create a "secure fip" for stage 2, how can I prevent my contract manufacturer from extracting sensitive values from the fip binary? Correct me if I'm wrong, but if the contract manufacturer knows the structure of the fuse programming fip, they can easily extract values like OTPMK.

0 Kudos
Reply
2 Replies

116 Views
tomzy_0
Contributor I

@Oswalag

Hello,

I would like to follow up on one of the OP's questions. What is a minimal OTPMK? I have access to the mentioned document (QorIQ TA 3.0 User Guide), but it does not contain much information about this. Maybe I am missing something; could you point me to a specific section? From what I understand:

* If we want to perform the Secure Boot process, the processor needs to be in the Secure or Trusted state.
* The processor can be in the Secure or Trusted state only if the OTPMK is fused.
* Once the OTPMK is fused, there is no way to read it back or rewrite it, since `ERROR_OTPMK_ALREADY_BLOWN` will be thrown.

I also went through the ATF code where the fuse FIP can be generated. It looks like we can create one with a minimal OTPMK inside, ready to be fused, which basically sets a number of bits to 1.
https://github.com/nxp-qoriq/atf/blob/lf_v2.10/drivers/nxp/sfp/fuse_prov.c#L162

Does this mean that we can fuse a minimal OTPMK, then reboot the platform - which should force the Secure Boot process on the next boot (if ITS or SB_EN is set) - and then fuse the final OTPMK in a verified environment (assuming that the Secure Boot process has completed successfully)?

So basically, the minimal OTPMK is just an OTPMK value that can be overwritten?

Looking forward to your reply.

Regards

0 Kudos
Reply

353 Views
Oswalag
NXP TechSupport

Hello,

The requested information is available in the document "QorIQ Trust Architecture 3.0 User Guide". It is available under NDA; please let me know if you have it and I'll share it with you.

0 Kudos
Reply