Secure Debug in LS1012A FRWY board

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

Secure Debug in LS1012A FRWY board

2,016 次查看
SergioS
Contributor II

Hello everybody

I've fused a board to manage secure boot and secure debug in order to authorize JTAG via challenge / response operation (mode 1).

Secure boot configuration is good an works fine.

Secure debug doesn't works because both CodeWarrior Development Studio (11.5.5) and CCS console fails to connect.

The behavior in CodeWarrioris is:

- if I do not configure the secure key or I write the wrong key the error is "CCS: secure debug violation. Please specify the unlock key matching the challenge key 0x0000000000000000.". The board reset and u-boot starts good

-if I configure the good key the error is "CCS: timeout during target operation". In this case the board is blocked because u-boot console doesn't response.

If I try to use CCS:

- I ask the challenge: display ccs::read_reg 0 sdcr 1 8

- I send the response: ccs::write_reg 0 sdrr 8 {0x11223344 0x55667799}

- The error is always: "LS1043A: Secure debug violation" (both with the right and bad key)

I've fused the following fuses:

  • DRV0, DRV1 => (0x11223344 0x55667799)
  • OSPR1 => 0x00000001
  • SRKH (0-7)
  • OTPMK (0-7)

DRV secret has been generated trough SDK tool:

gen_drv_drbg A2 1122334455667788

#----------------------------------------------------#
#------- -------- -------- -------#
#------- CST (Code Signing Tool) Version 2.0 -------#
#------- -------- -------- -------#
#----------------------------------------------------#

DRV[63:0] after Hamming Code is:
1122334455667799
NAME | BITS | VALUE
_________|______________|____________
DRV 0 | 63 - 32 | 11223344
DRV 1 | 31 - 0 | 55667799

 

Any ideas?

Thanks and regards

Sergio

 

 

 

 

标签 (1)
标记 (4)
0 项奖励
回复
4 回复数

1,941 次查看
SergioS
Contributor II

Hello

I've tried to change endianess but result doesn't change.

In any case I've used the same endianess when I've fused the Super Root Key Hash and it works fine (maybe the output of gen_drv_drbg is wrong)

Below you can see the uboot dump (so with the opposite endianess). As you can see in the meantime I've also fused DCV registers (0x11111111 0x11111111) in order to change default value.

=> md 0x1e80000 100
01e80000: 00000000 00000000 00000000 00000000 ................
01e80010: 00000000 00000000 00000000 00000000 ................
01e80020: 00000000 00000000 61090000 00000000 ...........a....
01e80030: 00000000 00000000 00030300 00000000 ................
01e80040: 00000000 00000000 00000000 00000000 ................
01e80050: 00000000 00000000 00000000 00000000 ................
01e80060: 00000000 00000000 00000000 00000000 ................
01e80070: 00000000 00000000 00000000 00000000 ................
01e80080: 00000000 00000000 00000000 00000000 ................
01e80090: 00000000 00000000 00000000 00000000 ................
01e800a0: 00000000 00000000 00000000 00000000 ................
01e800b0: 00000000 00000000 00000000 00000000 ................
01e800c0: 00000000 00000000 00000000 00000000 ................
01e800d0: 00000000 00000000 00000000 00000000 ................
01e800e0: 00000000 00000000 00000000 00000000 ................
01e800f0: 00000000 00000000 00000000 00000000 ................
01e80100: 00000000 00000000 00000000 00000000 ................
01e80110: 00000000 00000000 00000000 00000000 ................
01e80120: 00000000 00000000 00000000 00000000 ................
01e80130: 00000000 00000000 00000000 00000000 ................
01e80140: 00000000 00000000 00000000 00000000 ................
01e80150: 00000000 00000000 00000000 00000000 ................
01e80160: 00000000 00000000 00000000 00000000 ................
01e80170: 00000000 00000000 00000000 00000000 ................
01e80180: 00000000 00000000 00000000 00000000 ................
01e80190: 00000000 00000000 00000000 00000000 ................
01e801a0: 00000000 00000000 00000000 00000000 ................
01e801b0: 00000000 00000000 00000000 00000000 ................
01e801c0: 00000000 00000000 00000000 00000000 ................
01e801d0: 00000000 00000000 00000000 00000000 ................
01e801e0: 00000000 00000000 00000000 00000000 ................
01e801f0: 00000000 00000000 00000000 00000000 ................
01e80200: 00000000 01000000 11111111 11111111 ................
01e80210: ffffffff ffffffff 09000000 c82ac872 ............r.*.
01e80220: 12536016 00000000 00000000 00000000 .`S.............
01e80230: 00000000 ffffffff ffffffff ffffffff ................
01e80240: ffffffff ffffffff ffffffff ffffffff ................
01e80250: ffffffff b1b700e7 ba975676 89de61ef ........vV...a..
01e80260: ffa5a0fe d1fa1547 1c77f8de f007fa31 ....G.....w.1...
01e80270: b787a6fd 00000000 00000000 00000000 ................
01e80280: 00000000 00000000 ffffffff ffffffff ................
01e80290: ffffffff ffffffff ffffffff ffffffff ................
01e802a0: ffffffff ffffffff 00000000 00000000 ................
01e802b0: 00000000 00000000 00000000 00000000 ................
01e802c0: 00000000 00000000 00000000 00000000 ................
01e802d0: 00000000 00000000 00000000 00000000 ................
01e802e0: 00000000 00000000 00000000 00000000 ................
01e802f0: 00000000 00000000 00000000 00000000 ................
01e80300: 00000000 00000000 00000000 00000000 ................
01e80310: 00000000 00000000 00000000 00000000 ................
01e80320: 00000000 00000000 00000000 00000000 ................
01e80330: 00000000 00000000 00000000 00000000 ................
01e80340: 00000000 00000000 00000000 00000000 ................
01e80350: 00000000 00000000 00000000 00000000 ................
01e80360: 00000000 00000000 00000000 00000000 ................
01e80370: 00000000 00000000 00000000 00000000 ................
01e80380: 00000000 00000000 00000000 00000000 ................
01e80390: 00000000 00000000 00000000 00000000 ................
01e803a0: 00000000 00000000 00000000 00000000 ................
01e803b0: 00000000 00000000 00000000 00000000 ................
01e803c0: 00000000 00000000 00000000 00000000 ................
01e803d0: 00000000 00000000 00000000 00000000 ................
01e803e0: 00000000 00000000 00000000 00000000 ................
01e803f0: 00000000 00000000 00000000 00000000 ................

About CCS log, I don't know how retrieve verbose logs. Below you can see the input / output of the CCS window:

(bin) 78 % delete all
(bin) 79 % config cc cwtap:192.168.40.234
(bin) 80 % ccs::config_server 0 10000
(bin) 81 % ccs::config_chain "ls1043a dap sap2"
LS1043A: Secure debug violation
(bin) 82 % display ccs::read_reg 0 sdcr 1 8
sdcr=0x11111111 11111111
(bin) 83 % ccs::write_reg 0 sdrr 8 {0x44332211 0x99776655}
Secure debug violation
(bin) 84 %
<DEVICE RESET>
(bin) 84 %
(bin) 84 %
(bin) 84 % delete all
(bin) 85 % config cc cwtap:192.168.40.234
(bin) 86 % ccs::config_server 0 10000
(bin) 87 % ccs::config_chain "ls1043a dap sap2"
LS1043A: Secure debug violation
(bin) 88 % display ccs::read_reg 0 sdcr 1 8
sdcr=0x11111111 11111111
(bin) 89 % ccs::write_reg 0 sdrr 8 {0x11223344 0x55667799}
Secure debug violation

 Regards

Sergio

0 项奖励
回复

1,973 次查看
yipingwang
NXP TechSupport
NXP TechSupport

Can you confirm this is LS1043 or LS1012A issue?
The thread said LS1012A, but the log shows LS1043A.
i.e.
The error is always: "LS1043A: Secure debug violation" (both with the right and bad key)

0 项奖励
回复

1,951 次查看
SergioS
Contributor II

Hello

Yes I confirm that the target is a LS1012A board but when I configure the chain the dut  is LS1043A:

ccs::config_chain "ls1043a dap sap2"

DUT ls1012a does not exists and I've seen different examples that ls1043a should be used for ls1012a target

So I think that the bug can be applied to both boards.

Regards

 

 

 

 

0 项奖励
回复

1,943 次查看
yipingwang
NXP TechSupport
NXP TechSupport

It looks like the customer provide the key with the wrong endianness.
ccs::write_reg 0 sdrr 8 {0x11223344 0x55667799}
should be
ccs::write_reg 0 sdrr 8 {0x44332211 0x99776655}

If this does not work, can customer provide the CCS console log, and the memory dump of SFP regsiters from uboot.
i.e.
md 0x1e80000 100
md 0x1e80200 100

0 项奖励
回复