LS1043A Secure Boot from QSPI

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

LS1043A Secure Boot from QSPI

Jump to solution
3,289 Views
Teddy1
Contributor II

I am trying to implement Secure Boot on a custom board with a LS1043A and QSPI NOR Flash and I can't manage to have any output in Secure Mode ( SB_EN=1 + BOOT_HOLD=1) with this in RCW set to 0 my board boot.

In document "QorIQ Trust Architecture 2.1 User Guide" chapter 6.1.1 it show a table where Soc LS1043A with RCW in QSPI is in "N/A"

Does this confirm that it is impossible to do some Secure boot in this case ?

 

Tags (3)
0 Kudos
Reply
1 Solution
3,256 Views
yipingwang
NXP TechSupport
NXP TechSupport

Blowing of OTPMK is essential to run secure boot for both Production and Development phases.

Please refer to the attached document for Blowing OTPMK.

View solution in original post

4 Replies
3,265 Views
Teddy1
Contributor II

I am  building from scratch with LSDK-20.12 packages : rcw, atf, u-boot and cst from codeaurora repository at tag LSDK-20.12.

  • RCW is simply build with "make" on my custom target with SB_EN=1 and BOOT_HO=1 (inspired from ls1043aqds)
  • U-Boot is build with
make ARCH=arm CROSS_COMPILE=aarch64-zds-linux-gnueabi- -C /home/teddy/tmp/git/u-boot-bare-lsdk2012 -j 4 KBUILD_OUTPUT=/home/teddy/tmp/git/u-boot-bare-lsdk2012_build mrproper ls1043a_ps4c_tfa_defconfig all
  • cst has simply been build with make, a srk.pri/srk.pub key paire generated
  • ATF is build with:
CROSS_COMPILE=aarch64-zds-linux-gnueabi- ARCH=aarch64 make PLAT=ls1043aps4c CSF_HEADER_PREPENDED=1 TRUSTED_BOARD_BOOT=1 CST_DIR=/home/teddy/tmp/git/cst-head_dev all fip pbl RCW=rcw_1200_qspiboot_atf_sb.bin LOG_LEVEL=40 BL33=u-boot.bin

Then I have bl2_qspi_sec.pbl flashed at addresse 0x00 of QSPI and fip.bin  to offset 0x100000 in QSPI.

 

I am working in developpement, so for now not writing all the OTP things, so I use the CCS JTAG probe and do script to set all the SRKH mirror registers and release boot hold.

After boot hold release, there is no message on UART debug console and registers don't show me obvious error of configuration

 

Same process without Secure Boot configured in RCW and ATF build without "CSF_HEADER_PREPENDED=1 TRUSTED_BOARD_BOOT=1" and U-boot build without "CONFIG_NXP_ESBC" lead to a correct non-secure boot.

3,257 Views
yipingwang
NXP TechSupport
NXP TechSupport

Blowing of OTPMK is essential to run secure boot for both Production and Development phases.

Please refer to the attached document for Blowing OTPMK.

3,235 Views
Teddy1
Contributor II

Yes, even in development mode, when you don't want to blow OTP things, you SHALL blow OTPMK at least.

 

I just booted in trusted boot.

 

Thank you for your support.

0 Kudos
Reply
3,267 Views
yipingwang
NXP TechSupport
NXP TechSupport

Would you please describe in details how you generated QSPI secure boot image?

Do you use CodeWarrior CCS to connect to your target board to input SRKH key? Have you programmed OPTMK on the target board?

0 Kudos
Reply