ls1043a is it possible to prototype secure boot without blowing any fuses?

endrunner_smw
Contributor III

Between documentation and even cross-referencing with some AI agents I can't get a definitive answer on this.

Can secure boot be set up on LS1043A without blowing any fuses? If yes, how? If no, what are the minimum fuses I have to blow in order to step the process along for secure boot?

I seem to be stuck where I set up secure boot in the RCW for SB_EN = 1 and BOOT_HO = 1, but when connecting to CCS, when I try to write in the SRK registers, those registers are locked and I can't write to them. And obviously secure boot isn't working.

8 Replies
endrunner_smw
Contributor III

Was reviewing the Secure Boot.pptx by Yiping Wang from August 2024,

In the secure boot troubleshooting section it says to check that the SecMon_HP Status Register (0x1e90014) bit OTPMK_ZERO is 0, which I have (0x81D0AB00 is the value returned). It also says to check that SFP_SVHESR (0x1e80024) is 0; mine, however, returns 0x00068400.

The PowerPoint says if this is the case then there was an error in the way I tried to blow the OTPMK fuse. Is this the case? Is this recoverable? I read a document that said as long as the parity bit was 0 then it should be OK, but after seeing this presentation is that not the case?

Should the jumper be attached to the board before power on? From documentation it sounds like it should not be, but rather put the jumper on while the system is running, burn the fuses, then remove the jumper while the system is still running before removing power and power cycling.

When I attempt to use CCS to put the SRK hashes in, it appears that the registers are locked, because they don't take the values I'm entering. I try to put in the values and then set the board to release the CPU to boot, but I get no activity on the console (minicom).

For my attempt at secure boot on the LS1043A-RDB, is this board done? It will still boot with a non-secure image as I didn't try setting the ITS fuse.

June_Lu
NXP TechSupport

Secure boot requires the fuse to be blown.

Some secure boot–related documents are not publicly available. Please kindly create a support case at https://support.nxp.com/s/?language=en_US to request access to the Trust Architecture documents.

Thanks.

endrunner_smw
Contributor III

My manager has access to the QorIQ Trust Architecture 2.x document; I'm still waiting on my approval from NXP (already got the secure rights access, but that document hasn't been included).

Can you please provide confirmation of the OTPMK and SRKHR offsets?

I see a couple different values between multiple documents.

For OTPMK I see both offsets between 0x21C-0x238, and 0x234-0x250.

For SRKHR I see both offsets between 0x23C-0x258, and 0x254-0x270.

As you can see, the two sets overlap on a couple of registers.

endrunner_smw
Contributor III

Memory Map for SFP in QorIQ Trust Architecture 2.x has incorrect register range. Tried with other values from LSDUK_Rev21.08 and document 'Setting up Secure Boot on PBL Based Platforms in Prototype Stage', and Secure_boot.pptx. And after entering SRK hash values into registers and releasing the CPU finally got life on the console. I still have errors, but it's a step in the right direction.

endrunner_smw
Contributor III

Marked as solved since I was able to get output on the console; will open a new issue for the SEC/CAAM not initializing.

endrunner_smw
Contributor III

endrunner_smw_0-1776212372703.png

If anyone is curious, these are the errors I am receiving after putting the SRK hash in and releasing the CPU.

kenli
NXP Employee
Did you eventually use CodeWarrior or U-Boot to fuse the OTPMK? This is mandatory. Later, if you need to verify the SRKH effects, you can skip the actual fusing and just use the mirror registers instead. You'll need CodeWarrior to assist with this—halt the main CPU, configure the mirror registers properly, then release the CPU. Refer to the corresponding sections in the LSDK documentation for detailed descriptions.
Best regards
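Added example (not code from any poster or from NXP documentation): a bring-up helper that takes the two conflicting SFP offset ranges quoted earlier in the thread, shows which SRKHR offsets one document assigns to OTPMK in the other, and builds the address/value list for the SRKH mirror-register step described above, plus a read-back check for writes that did not take. The labels `doc_a`/`doc_b`, the SFP base (inferred from the quoted SFP_SVHESR address), the word byte order and the sample digest are assumptions.

```python
import hashlib

# Assumption: SFP block base, inferred from the SFP_SVHESR address 0x1e80024
# quoted in the thread (taking SVHESR to sit at offset 0x024).
SFP_BASE = 0x01E80000

# The two conflicting offset ranges quoted in the thread (inclusive, 32-bit regs).
CANDIDATE_MAPS = {
    "doc_a": {"OTPMK": (0x21C, 0x238), "SRKHR": (0x23C, 0x258)},
    "doc_b": {"OTPMK": (0x234, 0x250), "SRKHR": (0x254, 0x270)},
}

def offsets(first, last):
    """All 32-bit register offsets in an inclusive range."""
    return list(range(first, last + 4, 4))

def srkhr_offsets_claimed_as_otpmk(map_name):
    """SRKHR offsets of one map that the other document assigns to OTPMK."""
    other = next(n for n in CANDIDATE_MAPS if n != map_name)
    srk = set(offsets(*CANDIDATE_MAPS[map_name]["SRKHR"]))
    otp = set(offsets(*CANDIDATE_MAPS[other]["OTPMK"]))
    return sorted(srk & otp)

def write_plan(srk_hash, map_name, byteorder="big"):
    """(address, value) pairs for the eight SRKH mirror words under one map.
    Word byte order is an assumption; check it against your LSDK documentation."""
    if len(srk_hash) != 32:
        raise ValueError("SRK hash must be a 32-byte SHA-256 digest")
    words = [int.from_bytes(srk_hash[i:i + 4], byteorder) for i in range(0, 32, 4)]
    regs = offsets(*CANDIDATE_MAPS[map_name]["SRKHR"])
    return [(SFP_BASE + off, word) for off, word in zip(regs, words)]

def failed_writes(plan, readback):
    """Addresses whose debugger read-back does not match what was written."""
    return [addr for addr, value in plan if readback.get(addr) != value]

# Constructed sample digest, not a real SRK hash.
SAMPLE_SRKH = hashlib.sha256(b"constructed SRK table for illustration").digest()

if __name__ == "__main__":
    for name in CANDIDATE_MAPS:
        clash = srkhr_offsets_claimed_as_otpmk(name)
        print(name, "SRKHR offsets the other document calls OTPMK:",
              [hex(o) for o in clash])
        for addr, value in write_plan(SAMPLE_SRKH, name):
            print(f"  0x{addr:08X} <- 0x{value:08X}")
```

Feed `failed_writes` a dictionary of the values read back through the debugger after writing; a non-empty result is the "registers don't take the values" symptom, localized to specific addresses.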
endrunner_smw
Contributor III

Yes, I used CCS to fuse the OTPMK. Then with BOOT_HO = 1 and SB_EN = 1 in RCW I booted and in CCS set the SRKH mirror registers and released the CPU. That is the screenshot I posted above. Though apparently I still have an issue of SEC/CAAM not initializing?
