Hi all,
I am working on the FS1012A-FRWY EVB. I am able to build all images. I update u-boot, linux and rootfs, so everything was correct.
I tried the secure u-boot, and I loaded it at u-boot prompt via the following commands:
=>tftp $load_addr firmware_ls1012afrwy_512mb_uboot_qspiboot_secure.img
=>sf probe 0:0
=>sf erase 0 +$filesize && sf write $load_addr 0 $filesize
After the "=>reset" I cannot see nothing on the console, any suggestion?
I'm mainly using the following documentation:
LSDKUG_Rev20.12
Thanks in advance.
Please refer to the following procedure to execute secure boot.
First you need to write OTPMK to fuse array under u-boot.
Write OTPMK fuse values on shadow registers
mw.l 1e80234 a29a0b2c
mw.l 1e80238 2c8cd201
mw.l 1e8023c 84027ca8
mw.l 1e80240 8e13c7b9
mw.l 1e80244 a0b9d347
mw.l 1e80248 50ef2622
mw.l 1e8024c 98a92efd
mw.l 1e80250 ed53d1c3
Check OTPMK_ZERO and OTPMK_SYNDROME as 0 in SecMon_HP Status Register
md 1e90014
80000900
Check SFP_SVHESR no parity error.
md 1e80024
00000000
Permanently write OTPMK from the mirror registers into the fuse array
mw 1e80020 0x02000000
After program secure boot image on the custom board, you need to reset the target board, connect CodeWarrior CCS to the target board to program SRKH mirror registers in CodeWarrior CCS environment
ccs::config_server 0 10000
ccs::config_chain {ls1043a dap sap2}
display ccs::get_config_chain
#Check Initial SNVS State and Value in SCRATCH Registers
ccs::display_mem <dap position> 0x1e90014 4 0 4
ccs::display_mem <dap position> 0x1ee0200 4 0 4
#Wrie the SRK Hash Value in Mirror Registers
ccs::write_mem <dap position> 0x1e80254 4 0 <SRKH1>
ccs::write_mem <dap position> 0x1e80258 4 0 <SRKH2>
ccs::write_mem <dap position> 0x1e8025c 4 0 <SRKH3>
ccs::write_mem <dap position> 0x1e80260 4 0 <SRKH4>
ccs::write_mem <dap position> 0x1e80264 4 0 <SRKH5>
ccs::write_mem <dap position> 0x1e80268 4 0 <SRKH6>
ccs::write_mem <dap position> 0x1e8026c 4 0 <SRKH7>
ccs::write_mem <dap position> 0x1e80270 4 0 <SRKH8>
#Get the Core Out of Boot Hold-Off
ccs::write_mem <dap position> 0x1ee00e4 4 0 0x00000001
Please refer to "3. Deploy Secure Boot Images to the Target and Write SRKH Mirror Register" section in https://community.nxp.com/t5/Qonverge-Knowledge-Base/Setting-up-Secure-Boot-on-PBL-Based-Platforms-i... for details.
Please refer to "6.1.1.5 Procedure to run secure boot" in LSDK 20.12 user manual.
I answer to my self:
in the "Layerscape Software Development Kit User Guide, Rev. 20.12, 30 June 2021" at page 55/1348 is reported (3.5 Fixed, Open and closed issues):
| ID | Desccription | Disposition | Opened in | Fixed in |
| QSDK-6529 | On LS1012A RDB and FRWY, RSA verification fails in secure boot. | Fixed | LSDK 20.04 | LSDK 20.12 |
It doesn't seem so!
Hi Yipingwang,
Thanks for your suggestions.
I stil have some doubts concerning your proposal, you wrote:
"
Please refer to the following procedure to execute secure boot.
First you need to write OTPMK to fuse array under u-boot.
Write OTPMK fuse values on shadow registers
mw.l 1e80234 a29a0b2c
mw.l 1e80238 2c8cd201
mw.l 1e8023c 84027ca8
mw.l 1e80240 8e13c7b9
mw.l 1e80244 a0b9d347
mw.l 1e80248 50ef2622
mw.l 1e8024c 98a92efd
mw.l 1e80250 ed53d1c3"
But i don't have a u-boot prompt "=>"
I am able to have /dev/ttyACM0 on my Linux PC, but no prompt!
I programmed the secure boot in the following way:
=>tftp $load_addr firmware_ls1012afrwy_512mb_uboot_qspiboot_secure.img
=>sf probe 0:0
=>sf erase 0 +$filesize && sf write $load_addr 0 $filesize
so this is not the right procedure, isn't it?
Anyway, I could recover from this situation?
Thanks in advance
The procedure deploying image is correct.
You could use CodeWarrior CCS to connect to your target board to program OTPMK and SRKH.
"3. Deploy Secure Boot Images to the Target and Write SRKH Mirror Register" section in https://community.nxp.com/t5/Qonverge-Knowledge-Base/Setting-up-Secure-Boot-on-PBL-Based-Platforms-i... for details.
Thanks yipingwang,
Just to be sure: I am building code for LS1012A-FRWY with flex-builder. To have the u-boot images (non secure and secure) I user the following command:
$ flex-builder -m ls1012afrwy # automatically build all firmware, linux, apps components and LSDK rootfs for ls1012afrwy
is this correct?
I only downloaded the code from www.nxp.com and built it, no code or other modification, therefore you proposal solution should work, isn't it?
Thanks
Please run the following command
$ flex-builder -i mkfw -b qspi -m ls1012afrwy -s
In the console log, you will get "SRK (Public Key) Hash" used to verify secure boot image in flexbuild_lsdk2012/build/images/firmware_ls1012afrwy_512mb_uboot_qspiboot_secure.img