LS1046ARDB Alternate Image SEC Initialization during Secure boot

793 Views
Faizanbaig
Contributor IV

Hi,

We are trying to provide an alternate boot image in case authentication of the first boot image fails during secure boot. As per the LS1046ARM_Reference_Manual, DCFG ScratchRW3 should be written with the CSF header address for the alternate boot image. When we test an authentication failure for the first image, we get no error in DCFG ScratchRW4 and the alternate boot image is authenticated successfully. But our SEC initialization is failing when we try to initialize it using the alternate boot image.
Are we missing any additional steps in achieving this? 

Any suggestions regarding this would be appreciated.

Thanks,

Faizanbaig Inamdar

0 Kudos
4 Replies

774 Views
yipingwang
NXP TechSupport

What version of LSDK are you using?

Can you share your

input_files/uni_sign/ls1/nor/input_uboot_secure

input_files/uni_sign/ls1/sd_nand/input_uboot_secure

input_files/uni_sign/ls1/sd_nand/input_spl_uboot_secure

 

In the input files you use to sign the image, depending on your situation, there should be a

SEC_IMAGE Flag for Secondary Image. Required for TA 2.x platforms only

where you can specify the secondary image information.

0 Kudos

767 Views
Faizanbaig
Contributor IV
Hi,

Thanks for your response. I have set SEC_FLAG to 1 and the ISBC is authenticating the alternate image successfully, but the SEC (Security Engine) initialization module is failing when we execute it through the alternate boot image. However, when we flash the same image as the primary image, it successfully initializes the SEC (Security Engine). Could you please provide any help on this?

Thanks
0 Kudos

752 Views
yipingwang
NXP TechSupport

Where is the SEC_FLAG=1 flag set?
I checked the Code Signing Tool (CST) input file and there is no such flag. Is it a flag for the Linux kernel build?
It sounds like this is not a secure boot (ISBC/ESBC) related issue. If the customer has a console log, a capture of the log messages leading to "initializing the SEC" will be helpful, i.e. is the error from U-Boot init or Linux init?

0 Kudos

748 Views
Faizanbaig
Contributor IV

Thanks for the response. The issue was with our binary boot image file.
Now it successfully performs the chain of trust from the alternate image.

0 Kudos