Hi,
My processor is LS1046ARDB, i am trying to establish secure boot from QSPI Flash
1. I have created my own ESBC image to be used in place of U-Boot (with minimum necessary processor initializations and UART printing)
2. I have signed this image using CST tool (input file used is attached -input_qspi_secure )
3. Generated Keys (srk.pub &srk.pri) and CSF Header - (hdr_ESBC.out file)
I load
1. CSF Header at 0x40700000
2. My ESBC at 0x40100000
The process i am following is
1. Flashing RCW with SB_EN=1 and BOOT_HO=1
2. With PBI Commands
0957015c 20100000
09ee0200 40700000
09570178 0000e010
09180000 00000008
09570418 0000009e
0957041c 0000009e
09570420 0000009e
09eb1300 80104e20
09eb08dc 00502880
3.Writing SRKH Mirror registers with Hash of Public key (As given from CST)
4. Release core by
Writing 0x00000001 to 0x01EE0204 (Boot Release Register)
I am getting DCFG_CCSR_SCRATCHRW1 = 0000000101
Which as per NXP documents is a hash mismatch
But how can i know where exactly is the problem arising from?
What checks should i perform to see why secure boot is failing?
Thanks,
Rashmitha
> Writing 0x00000001 to 0x01EE0204 (Boot Release Register)
The BRR address is 0x01EE00E4 (refer to the QorIQ LS1046A Reference Manual, 12.3.17 Boot Release Register (BRR))
> I am getting DCFG_CCSR_SCRATCHRW1 = 0000000101
Failure code for the Primary Boot Image is provided in the SCRATCHRW2 - not SCRATCHRW1
Why the value "00_0000_0101" contains 10 hex digits?
Hi ufedor,
BRR address and ScratchRW1 were typing mistakes.
I am using 0x01EE00E4 for BRR
And I am looking at SCRATCHRW2 for Failure Error Code
Value is 0x 0000 0101 8 hex digits
Please refer to the Layerscape Software Development Kit User Guide, Rev. 19.09, 6.1.1.8 Troubleshooting.
Do you see prints on the UART console?
Please provide corrected problem description.
Have you tried to replicate the issue with pre-compiled U-Boot image available at:
LSDK IMAGES
?
I referred to ERROR CODES Section in LSDK 19.09,
My debugger displays value in the below format
Address: 0x1EE0200 03 02 01 00 07 06 05 04
Data: 01 01 00 00==> 0x 00 00 01 01
==> With this i am assuming my error conveys -> ERROR_STATE_NOT_CHECK -> SEC_MON State Machine not in CHECK state at start of ISBC. Some Security violation could have occurred.
What are the possible reasons for this ERROR?
https://community.nxp.com/thread/441386 --> An answer in this post says OTPMK Fuses must be blown.
I do not wish to use Chain of Trust with confidentiality now. I am trying to establish a minimal Chain of trust where ISBC validates ESBC.
Should I disable OTPMK check by some means if i do not wish to use it?
I do not use U-Boot, therefore i cannot see any printing on UART by U-Boot. If the control reaches by ESBC, my custom code prints alphabets on UART, which is not happening now.
I am using QorIQ SDK, havn't installed LSDK.
You wrote:
> Address: 0x1EE0200
This is not SCRATCHRW2 address.
Which debugger you are using?
Please consider that SCRATCHRW2 is 32-bit register - refer to the QorIQ LS1046A Reference Manual, 12.3 DCFG_CCSR register descriptions:
"These registers only support 32-bit accesses."
>Address: 0x1EE0200 03 02 01 00 07 06 05 04
0x1EE0200 is the base address and the numbers written ahead are for offsets
>Which debugger you are using?
My debugger is Lauterbach
I have figured out that my error is because I did not fuse OTPMK (OTPMK_ZERO=1 in SFP HP Status Register)
I am trying to fuse OTPMK now,
But there is a mismatch in the value shown in AN5227 of SFP HP Status Register and the value on my board
As per AN5227, the value should be 88000900
My value is 8800AB00
SECURITY_CONFIG and SSM_STATE have mismatch
QORIQTRUST2.1UG_RevB does not provide explanation for SECURITY_CONFIG values.
What does SECURITY_CONFIG = 1010b (0xA) mean?
Thanks
Rashmitha
You can ignore the value 0xA.
From the QORIQTRUST2.1UG, the register has the following definition:
bit 15-12
SECURITY_CONFIG
Security Configuration
This field reflects the state of inputs from the SFP and RCW.
So the value will change according to your RCW and SFP. But it will not affect fuse programming.
Thanks ufedor
I have another question,
As per LS1046ARM_Reference_Manual, Pg 147
1E8_0000 - 1E8_FFFF -------> Security fuse processor (SFP) ----> Big-endian (byte swapping required)
1. What does the byte swapping required mean? Where should it be done?
But as per https://community.nxp.com/thread/515242
SRKH Register is Little Endian on Layerscape Platform.
2. Could you kindly clarify how should the write operations to SRKH Mirror registers be addressed (If done through AXI bus and not through Core).
3. And what is the endian-ness of OTPMK Mirror Registers?
Regards,
Rashmitha
These questions will be answered in the Community thread