What is the meaning of DCFG_CCSR_SCRATCHRW1 = 0000000101 ?

rashmitharamesh
Contributor III

Hi,

My processor is LS1046ARDB; I am trying to establish secure boot from QSPI Flash.

1. I have created my own ESBC image to be used in place of U-Boot (with minimum necessary processor initializations and UART printing)

2. I have signed this image using the CST tool (input file used is attached - input_qspi_secure)

3. Generated keys (srk.pub & srk.pri) and CSF Header (hdr_ESBC.out file)

I load 

1. CSF Header at 0x40700000

2. My ESBC at 0x40100000

The process I am following is

 

1. Flashing RCW with SB_EN=1 and BOOT_HO=1

2. With PBI Commands

0957015c 20100000

09ee0200 40700000 

09570178 0000e010

09180000 00000008

09570418 0000009e

0957041c 0000009e

09570420 0000009e

09eb1300 80104e20

09eb08dc 00502880

3. Writing SRKH Mirror registers with Hash of Public key (As given from CST)

4. Release core by

Writing 0x00000001 to 0x01EE0204 (Boot Release Register)

I am getting DCFG_CCSR_SCRATCHRW1  = 0000000101

Which as per NXP documents is a hash mismatch

But how can I know where exactly the problem is arising from?

What checks should I perform to see why secure boot is failing?

Thanks,

Rashmitha

chitra.amzarewale@utas.utc.com

shivesh.sood@collins.com

0 Kudos
9 Replies

ufedor
NXP Employee

> Writing 0x00000001 to 0x01EE0204 (Boot Release Register)

The BRR address is 0x01EE00E4 (refer to the QorIQ LS1046A Reference Manual, 12.3.17 Boot Release Register (BRR))

> I am getting DCFG_CCSR_SCRATCHRW1  = 0000000101

Failure code for the Primary Boot Image is provided in the SCRATCHRW2 - not SCRATCHRW1

Why does the value "00_0000_0101" contain 10 hex digits?

0 Kudos

rashmitharamesh
Contributor III

Hi ufedor,

BRR address and ScratchRW1 were typing mistakes.

I am using 0x01EE00E4 for BRR

And I am looking at SCRATCHRW2 for Failure Error Code

Value is 0x 0000 0101 8 hex digits

0 Kudos

ufedor
NXP Employee

Please refer to the Layerscape Software Development Kit User Guide, Rev. 19.09, 6.1.1.8 Troubleshooting.

Do you see prints on the UART console?

Please provide a corrected problem description.

Have you tried to replicate the issue with the pre-compiled U-Boot image available at:

LSDK Open Source 

LSDK IMAGES

?

0 Kudos

rashmitharamesh
Contributor III

I referred to the ERROR CODES section in LSDK 19.09.

My debugger displays the value in the below format

Address: 0x1EE0200    03 02 01 00          07  06  05  04

Data:                                                          01   01  00  00==> 0x 00 00 01 01

==> With this I am assuming my error conveys -> ERROR_STATE_NOT_CHECK -> SEC_MON State Machine not in CHECK state at start of ISBC. Some Security violation could have occurred.

What are the possible reasons for this ERROR?

https://community.nxp.com/thread/441386  --> An answer in this post says OTPMK Fuses must be blown.

I do not wish to use Chain of Trust with confidentiality now. I am trying to establish a minimal Chain of trust where ISBC validates ESBC.

Should I disable OTPMK check by some means if I do not wish to use it?

I do not use U-Boot, therefore I cannot see any printing on UART by U-Boot. If the control reaches by ESBC, my custom code prints alphabets on UART, which is not happening now.

I am using QorIQ SDK, haven't installed LSDK.

0 Kudos

ufedor
NXP Employee

You wrote:

> Address: 0x1EE0200

This is not SCRATCHRW2 address.

 

Which debugger are you using?

Please consider that SCRATCHRW2 is a 32-bit register - refer to the QorIQ LS1046A Reference Manual, 12.3 DCFG_CCSR register descriptions:

"These registers only support 32-bit accesses."

0 Kudos

rashmitharamesh
Contributor III

>Address: 0x1EE0200       03 02 01 00          07  06  05  04

0x1EE0200 is the base address and the numbers written ahead are for offsets

>Which debugger you are using?

My debugger is Lauterbach

I have figured out that my error is because I did not fuse OTPMK (OTPMK_ZERO=1 in SFP HP Status Register)

I am trying to fuse OTPMK now,

But there is a mismatch in the value shown in AN5227 of SFP HP Status Register and the value on my board

As per AN5227, the value should be 88000900

My value is 8800AB00

SECURITY_CONFIG and SSM_STATE have mismatch

QORIQTRUST2.1UG_RevB does not provide explanation for SECURITY_CONFIG values.

What does SECURITY_CONFIG = 1010b (0xA) mean?

Thanks

Rashmitha

 

 

0 Kudos

ufedor
NXP Employee

You can ignore the value  0xA.

From the QORIQTRUST2.1UG, the register has the following definition:

bit 15-12

SECURITY_CONFIG

Security Configuration

This field reflects the state of inputs from the SFP and RCW.

 

So the value will change according to your RCW and SFP. But it will not affect fuse programming.

0 Kudos
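The two status values compared above (0x88000900 from AN5227 and 0x8800AB00 from the board) can be split into fields as follows; this is an added example, not code from the thread or from NXP. Only SECURITY_CONFIG at bits 15-12 is quoted in the thread; the positions of ZMK_ZERO, OTPMK_ZERO and SSM_STATE and the state names are assumptions to be checked against QORIQTRUST2.1UG.

```c
#include <stdint.h>
#include <stdio.h>

/* SECURITY_CONFIG = bits 15-12 is quoted in the thread.
 * ASSUMED (verify in QORIQTRUST2.1UG): ZMK_ZERO bit 31, OTPMK_ZERO bit 27,
 * SSM_STATE bits 11-8, and the state encodings in ssm_state_name(). */
struct hpsr {
    unsigned zmk_zero;
    unsigned otpmk_zero;
    unsigned security_config;
    unsigned ssm_state;
};

static struct hpsr hpsr_decode(uint32_t v)
{
    struct hpsr f;
    f.zmk_zero        = (v >> 31) & 0x1;
    f.otpmk_zero      = (v >> 27) & 0x1;
    f.security_config = (v >> 12) & 0xF;
    f.ssm_state       = (v >> 8)  & 0xF;
    return f;
}

static const char *ssm_state_name(unsigned s)
{
    switch (s) {               /* assumed encodings */
    case 0x0: return "Init";
    case 0x1: return "Hard Fail";
    case 0x3: return "Soft Fail";
    case 0x8: return "Init Intermediate";
    case 0x9: return "Check";
    case 0xB: return "Non-Secure";
    case 0xD: return "Trusted";
    case 0xF: return "Secure";
    default:  return "unknown";
    }
}

/* 1 when the monitor is in the Check state that the ISBC requires at start. */
static int hpsr_in_check(uint32_t v) { return hpsr_decode(v).ssm_state == 0x9; }

int main(void)
{
    const uint32_t samples[] = { 0x88000900u, 0x8800AB00u }; /* values from the thread */
    for (unsigned i = 0; i < 2; i++) {
        struct hpsr f = hpsr_decode(samples[i]);
        printf("0x%08X: ZMK_ZERO=%u OTPMK_ZERO=%u SECURITY_CONFIG=0x%X SSM_STATE=0x%X (%s)\n",
               (unsigned)samples[i], f.zmk_zero, f.otpmk_zero,
               f.security_config, f.ssm_state, ssm_state_name(f.ssm_state));
    }
    return 0;
}
```

Under these assumptions the board value decodes to SSM_STATE 0xB rather than 0x9, which matches the ERROR_STATE_NOT_CHECK code reported earlier in the thread, and both values have OTPMK_ZERO set.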

rashmitharamesh
Contributor III

Thanks ufedor

I have another question,

As per LS1046ARM_Reference_Manual, Pg 147

1E8_0000 - 1E8_FFFF -------> Security fuse processor (SFP) ----> Big-endian  (byte swapping required)

1. What does the byte swapping required mean? Where should it be done?

 

But as per    https://community.nxp.com/thread/515242

SRKH Register is Little Endian on Layerscape Platform.

 

 

2. Could you kindly clarify how should the write operations to SRKH Mirror registers be addressed (If done through AXI bus and not through Core).

3. And what is the endian-ness of OTPMK Mirror Registers?

Regards,

Rashmitha

0 Kudos

ufedor
NXP Employee

These questions will be answered in the Community thread 

https://community.nxp.com/thread/515860 

0 Kudos