Secure Debug in LS1012A FRWY board

SergioS · ‎03-30-2022

Hello everybody

I've fused a board to manage secure boot and secure debug in order to authorize JTAG via challenge / response operation (mode 1).

Secure boot configuration is good an works fine.

Secure debug doesn't works because both CodeWarrior Development Studio (11.5.5) and CCS console fails to connect.

The behavior in CodeWarrioris is:

- if I do not configure the secure key or I write the wrong key the error is "CCS: secure debug violation. Please specify the unlock key matching the challenge key 0x0000000000000000.". The board reset and u-boot starts good

-if I configure the good key the error is "CCS: timeout during target operation". In this case the board is blocked because u-boot console doesn't response.

If I try to use CCS:

- I ask the challenge: display ccs::read_reg 0 sdcr 1 8

- I send the response: ccs::write_reg 0 sdrr 8 {0x11223344 0x55667799}

- The error is always: "LS1043A: Secure debug violation" (both with the right and bad key)

I've fused the following fuses:

DRV0, DRV1 => (0x11223344 0x55667799)
OSPR1 => 0x00000001
SRKH (0-7)
OTPMK (0-7)

DRV secret has been generated trough SDK tool:

gen_drv_drbg A2 1122334455667788

#----------------------------------------------------#
#------- -------- -------- -------#
#------- CST (Code Signing Tool) Version 2.0 -------#
#------- -------- -------- -------#
#----------------------------------------------------#

DRV[63:0] after Hamming Code is:
1122334455667799
NAME | BITS | VALUE
_________|______________|____________
DRV 0 | 63 - 32 | 11223344
DRV 1 | 31 - 0 | 55667799

Any ideas?

Thanks and regards

Sergio

SergioS · ‎04-21-2022

Hello

I've tried to change endianess but result doesn't change.

In any case I've used the same endianess when I've fused the Super Root Key Hash and it works fine (maybe the output of gen_drv_drbg is wrong)

Below you can see the uboot dump (so with the opposite endianess). As you can see in the meantime I've also fused DCV registers (0x11111111 0x11111111) in order to change default value.

=> md 0x1e80000 100
01e80000: 00000000 00000000 00000000 00000000 ................
01e80010: 00000000 00000000 00000000 00000000 ................
01e80020: 00000000 00000000 61090000 00000000 ...........a....
01e80030: 00000000 00000000 00030300 00000000 ................
01e80040: 00000000 00000000 00000000 00000000 ................
01e80050: 00000000 00000000 00000000 00000000 ................
01e80060: 00000000 00000000 00000000 00000000 ................
01e80070: 00000000 00000000 00000000 00000000 ................
01e80080: 00000000 00000000 00000000 00000000 ................
01e80090: 00000000 00000000 00000000 00000000 ................
01e800a0: 00000000 00000000 00000000 00000000 ................
01e800b0: 00000000 00000000 00000000 00000000 ................
01e800c0: 00000000 00000000 00000000 00000000 ................
01e800d0: 00000000 00000000 00000000 00000000 ................
01e800e0: 00000000 00000000 00000000 00000000 ................
01e800f0: 00000000 00000000 00000000 00000000 ................
01e80100: 00000000 00000000 00000000 00000000 ................
01e80110: 00000000 00000000 00000000 00000000 ................
01e80120: 00000000 00000000 00000000 00000000 ................
01e80130: 00000000 00000000 00000000 00000000 ................
01e80140: 00000000 00000000 00000000 00000000 ................
01e80150: 00000000 00000000 00000000 00000000 ................
01e80160: 00000000 00000000 00000000 00000000 ................
01e80170: 00000000 00000000 00000000 00000000 ................
01e80180: 00000000 00000000 00000000 00000000 ................
01e80190: 00000000 00000000 00000000 00000000 ................
01e801a0: 00000000 00000000 00000000 00000000 ................
01e801b0: 00000000 00000000 00000000 00000000 ................
01e801c0: 00000000 00000000 00000000 00000000 ................
01e801d0: 00000000 00000000 00000000 00000000 ................
01e801e0: 00000000 00000000 00000000 00000000 ................
01e801f0: 00000000 00000000 00000000 00000000 ................
01e80200: 00000000 01000000 11111111 11111111 ................
01e80210: ffffffff ffffffff 09000000 c82ac872 ............r.*.
01e80220: 12536016 00000000 00000000 00000000 .`S.............
01e80230: 00000000 ffffffff ffffffff ffffffff ................
01e80240: ffffffff ffffffff ffffffff ffffffff ................
01e80250: ffffffff b1b700e7 ba975676 89de61ef ........vV...a..
01e80260: ffa5a0fe d1fa1547 1c77f8de f007fa31 ....G.....w.1...
01e80270: b787a6fd 00000000 00000000 00000000 ................
01e80280: 00000000 00000000 ffffffff ffffffff ................
01e80290: ffffffff ffffffff ffffffff ffffffff ................
01e802a0: ffffffff ffffffff 00000000 00000000 ................
01e802b0: 00000000 00000000 00000000 00000000 ................
01e802c0: 00000000 00000000 00000000 00000000 ................
01e802d0: 00000000 00000000 00000000 00000000 ................
01e802e0: 00000000 00000000 00000000 00000000 ................
01e802f0: 00000000 00000000 00000000 00000000 ................
01e80300: 00000000 00000000 00000000 00000000 ................
01e80310: 00000000 00000000 00000000 00000000 ................
01e80320: 00000000 00000000 00000000 00000000 ................
01e80330: 00000000 00000000 00000000 00000000 ................
01e80340: 00000000 00000000 00000000 00000000 ................
01e80350: 00000000 00000000 00000000 00000000 ................
01e80360: 00000000 00000000 00000000 00000000 ................
01e80370: 00000000 00000000 00000000 00000000 ................
01e80380: 00000000 00000000 00000000 00000000 ................
01e80390: 00000000 00000000 00000000 00000000 ................
01e803a0: 00000000 00000000 00000000 00000000 ................
01e803b0: 00000000 00000000 00000000 00000000 ................
01e803c0: 00000000 00000000 00000000 00000000 ................
01e803d0: 00000000 00000000 00000000 00000000 ................
01e803e0: 00000000 00000000 00000000 00000000 ................
01e803f0: 00000000 00000000 00000000 00000000 ................

About CCS log, I don't know how retrieve verbose logs. Below you can see the input / output of the CCS window:

(bin) 78 % delete all
(bin) 79 % config cc cwtap:192.168.40.234
(bin) 80 % ccs::config_server 0 10000
(bin) 81 % ccs::config_chain "ls1043a dap sap2"
LS1043A: Secure debug violation
(bin) 82 % display ccs::read_reg 0 sdcr 1 8
sdcr=0x11111111 11111111 
(bin) 83 % ccs::write_reg 0 sdrr 8 {0x44332211 0x99776655}
Secure debug violation
(bin) 84 % 
<DEVICE RESET>
(bin) 84 % 
(bin) 84 % 
(bin) 84 % delete all
(bin) 85 % config cc cwtap:192.168.40.234
(bin) 86 % ccs::config_server 0 10000
(bin) 87 % ccs::config_chain "ls1043a dap sap2"
LS1043A: Secure debug violation
(bin) 88 % display ccs::read_reg 0 sdcr 1 8
sdcr=0x11111111 11111111 
(bin) 89 % ccs::write_reg 0 sdrr 8 {0x11223344 0x55667799}
Secure debug violation

Regards

Sergio

yipingwang · ‎04-14-2022

Can you confirm this is LS1043 or LS1012A issue?
The thread said LS1012A, but the log shows LS1043A.
i.e.
The error is always: "LS1043A: Secure debug violation" (both with the right and bad key)

SergioS · ‎04-19-2022

Hello

Yes I confirm that the target is a LS1012A board but when I configure the chain the dut is LS1043A:

ccs::config_chain "ls1043a dap sap2"

DUT ls1012a does not exists and I've seen different examples that ls1043a should be used for ls1012a target

So I think that the bug can be applied to both boards.

Regards

yipingwang · ‎04-20-2022

It looks like the customer provide the key with the wrong endianness.
ccs::write_reg 0 sdrr 8 {0x11223344 0x55667799}
should be
ccs::write_reg 0 sdrr 8 {0x44332211 0x99776655}

If this does not work, can customer provide the CCS console log, and the memory dump of SFP regsiters from uboot.
i.e.
md 0x1e80000 100
md 0x1e80200 100

Secure Debug in LS1012A FRWY board

Secure Debug in LS1012A FRWY board

QorIQ LS1 Devices