Secure Boot Guide

OzTheWizard · ‎07-06-2021

Hello @all,

I'm writing to gather information needed to preform secure boot on LS1012A. LSDK User Guide contains information but is written in ambiguous fashion. There is no strict guide "how to" with steps.

UNDERSTANDING

2 ways of running secure boot:

development mode - Setting the SB_EN bit in the RCW.
production mode - Blowing the Intent To Secure (ITS) fuse.

QUESTIONS:

Which images/binaries should be build? Guide?
Which of them should be signed?
What are steps needed to be preformed in U-boot at first run of secure boot?
Can OTPMK and SRKH be set without using payed IDE tools (CodeWarrior)? Guide?
At what stage is SB_EN set?

yipingwang · ‎07-07-2021

1. Please generate secure firmware image with the following command.

$ flex-builder -i mkfw -m ls1012ardb -b qspi -s

2. Flex-builder has already generated the whole secure firmware image including all images secure headers, you could deploy firmware_ls1012ardb_uboot_qspiboot_secure.img to the target board directly.

3. No need specific steps.

4. You could write OTPMK to fuse array under u-boot.

Write OTPMK fuse values on shadow registers

mw.l 1e80234 a29a0b2c

mw.l 1e80238 2c8cd201

mw.l 1e8023c 84027ca8

mw.l 1e80240 8e13c7b9

mw.l 1e80244 a0b9d347

mw.l 1e80248 50ef2622

mw.l 1e8024c 98a92efd

mw.l 1e80250 ed53d1c3

Check OTPMK_ZERO and OTPMK_SYNDROME as 0 in SecMon_HP Status Register

md 1e90014

80000900

Check SFP_SVHESR no parity error.

md 1e80024

00000000

Permanently write OTPMK from the mirror registers into the fuse array

mw 1e80020 0x02000000

Please program SRKH mirror registers in CodeWarrior CCS environment

ccs::config_server 0 10000

ccs::config_chain {ls1043a dap sap2}

display ccs::get_config_chain
#Check Initial SNVS State and Value in SCRATCH Registers
ccs::display_mem <dap position> 0x1e90014 4 0 4
ccs::display_mem <dap position> 0x1ee0200 4 0 4
#Wrie the SRK Hash Value in Mirror Registers
ccs::write_mem <dap position> 0x1e80254 4 0 <SRKH1>
ccs::write_mem <dap position> 0x1e80258 4 0 <SRKH2>
ccs::write_mem <dap position> 0x1e8025c 4 0 <SRKH3>
ccs::write_mem <dap position> 0x1e80260 4 0 <SRKH4>
ccs::write_mem <dap position> 0x1e80264 4 0 <SRKH5>
ccs::write_mem <dap position> 0x1e80268 4 0 <SRKH6>
ccs::write_mem <dap position> 0x1e8026c 4 0 <SRKH7>
ccs::write_mem <dap position> 0x1e80270 4 0 <SRKH8>
#Get the Core Out of Boot Hold-Off
ccs::write_mem <dap position> 0x1ee00e4 4 0 0x00000001

5. SB_EN is set during development stage.

GeekFork · ‎11-28-2021

Hi Yiping,

I am trying to study and deploy secure boot in LX2160ardb platform. I am not sure about some descriptions in the guide. Could you help to answer these questions?

1. I have no codewarrior at hand, so I add some new codes in bl2_main() fucntion. OPTMK/SRKH registers are written here. It looks work well. If don't care to rebuild bl2 bin file repeatedly, does this method have other potential issue?

2. For the SFP_INGR_REG (1e80020), though the guide says "after writing this register, Fuses will be burnt, which cannot be undo...", my test seems show that I can write to update OPTMK/SRKH register time and again. Is there something wrong in my operation? I always connect the "SFP Power" jumper(j9) in the board when doing test.

3. Where is the correct position to find the SRKH values? Currently I build the xxx_secure.img with flexbuild and then get the "SRK (Public Key) Hash" information after this build line "Header File Created: ./build/lx2160ardb/release/bl2_sd_sec.pbl". Then I write these SRK value to SRKH registers. Is this correct?

Thanks!

-Jerry

pb3 · ‎08-01-2024

Hi I've stumbled upon the same issue, I do not have access to CodeWarrior nor to NXP debugger. Was your approach with writing mirror registers in bl2 satisfying?
Or did you approach the other way?

I would be grateful for any hint, since guys from NXP are not willing to share any reasonable solution that would not require their hardware.

GeekFork · ‎09-29-2024

“Was your approach with writing mirror registers in bl2 satisfying?”， yes, this is a way to verify secure boot with SRKH and something else. This is a way in product debug and solution verification period.