LS1043A Secure Boot from QSPI

キャンセル
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

LS1043A Secure Boot from QSPI

ソリューションへジャンプ
3,193件の閲覧回数
Teddy1
Contributor II

I am trying to implement Secure Boot on a custom board with a LS1043A and QSPI NOR Flash and I can't manage to have any output in Secure Mode ( SB_EN=1 + BOOT_HOLD=1) with this in RCW set to 0 my board boot.

In document "QorIQ Trust Architecture 2.1 User Guide" chapter 6.1.1 it show a table where Soc LS1043A with RCW in QSPI is in "N/A"

Does this confirm that it is impossible to do some Secure boot in this case ?

 

タグ(3)
0 件の賞賛
返信
1 解決策
3,160件の閲覧回数
yipingwang
NXP TechSupport
NXP TechSupport

Blowing of OTPMK is essential to run secure boot for both Production and Development phases.

Please refer to the attached document for Blowing OTPMK.

元の投稿で解決策を見る

4 返答(返信)
3,169件の閲覧回数
Teddy1
Contributor II

I am  building from scratch with LSDK-20.12 packages : rcw, atf, u-boot and cst from codeaurora repository at tag LSDK-20.12.

  • RCW is simply build with "make" on my custom target with SB_EN=1 and BOOT_HO=1 (inspired from ls1043aqds)
  • U-Boot is build with
make ARCH=arm CROSS_COMPILE=aarch64-zds-linux-gnueabi- -C /home/teddy/tmp/git/u-boot-bare-lsdk2012 -j 4 KBUILD_OUTPUT=/home/teddy/tmp/git/u-boot-bare-lsdk2012_build mrproper ls1043a_ps4c_tfa_defconfig all
  • cst has simply been build with make, a srk.pri/srk.pub key paire generated
  • ATF is build with:
CROSS_COMPILE=aarch64-zds-linux-gnueabi- ARCH=aarch64 make PLAT=ls1043aps4c CSF_HEADER_PREPENDED=1 TRUSTED_BOARD_BOOT=1 CST_DIR=/home/teddy/tmp/git/cst-head_dev all fip pbl RCW=rcw_1200_qspiboot_atf_sb.bin LOG_LEVEL=40 BL33=u-boot.bin

Then I have bl2_qspi_sec.pbl flashed at addresse 0x00 of QSPI and fip.bin  to offset 0x100000 in QSPI.

 

I am working in developpement, so for now not writing all the OTP things, so I use the CCS JTAG probe and do script to set all the SRKH mirror registers and release boot hold.

After boot hold release, there is no message on UART debug console and registers don't show me obvious error of configuration

 

Same process without Secure Boot configured in RCW and ATF build without "CSF_HEADER_PREPENDED=1 TRUSTED_BOARD_BOOT=1" and U-boot build without "CONFIG_NXP_ESBC" lead to a correct non-secure boot.

3,161件の閲覧回数
yipingwang
NXP TechSupport
NXP TechSupport

Blowing of OTPMK is essential to run secure boot for both Production and Development phases.

Please refer to the attached document for Blowing OTPMK.

3,139件の閲覧回数
Teddy1
Contributor II

Yes, even in development mode, when you don't want to blow OTP things, you SHALL blow OTPMK at least.

 

I just booted in trusted boot.

 

Thank you for your support.

0 件の賞賛
返信
3,171件の閲覧回数
yipingwang
NXP TechSupport
NXP TechSupport

Would you please describe in details how you generated QSPI secure boot image?

Do you use CodeWarrior CCS to connect to your target board to input SRKH key? Have you programmed OPTMK on the target board?

0 件の賞賛
返信