Hi all,
I'm working on secure boot of ls1021a-iot, I can follow the steps in A0001-Secure-boot.pdf file in LS1021A-Rev2_iot-20150907 using the demo images provided by freescale.
But I'm not sure about something as below, can you help me?
There is a step to burn key hash256 to the fuse on uboot which boot from sd card as below.
=>mm 1e80234
01e80234: 00000000?88888888
01e80238: ffffffff?77777777
01e8023c: ffffffff?66666666
01e80240: ffffffff?55555555
01e80244: ffffffff?44444444
01e80248: ffffffff?33333333
01e8024c: ffffffff?22222222
01e80250: ffffffff?11111111
01e80254: 00000000?.
=>mm 1e80254
01e80254:00000000?6c25e357
01e80258:00000000?fd0bf748
01e8025c:00000000?cd2c1356
01e80260:00000000?58b79c1b
01e80264:00000000?f480db72
01e80268:00000000?2243a6e30
01e8026c:00000000?6a017e1f
01e80270:00000000?a432062e
01e80274:00000000?.
=>mw 1e80020 0x02000000
=>md 1e80020 1
0x00000000
I not sure about the fuse address for ls1021a-iot, I think 01e80234 is the start address for OTPMKR and 01e80254 is the start address for SRKHRn, Is that right? What's the address 1e80020 used for? Is it for the ITS fuse? If it's not, what's the address for ITS fuse? Is there any document about these address?
I have burned the hash of demo public key to the fuse, if I want to burn another hash of a new key what's the address? Is there any document about this?
Thanks in advance.
Solved! Go to Solution.
Have a great day,
QorIQ LS1021A Reference Manual in section 9.7 Security fuse processor (SFP) provides description of fuse registers. It says that 1e80020 is address of Instruction Register (SFP_INGR). The INGR is the target of software commands intended to read or program the SFP fuse array. As the values in the instruction register are not reflected in the fuse array, there is no write protection for this register. When programming the SFP fuse array, polling INST and ERR fields of the INGR provides confirmation that the SFP logic has completed burning fuses.
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Thanks your kindly help.
I found a new problem now, when I use follow the steps in A0001-Secure-boot.pdf, and use the demo images in LS1021A-Rev2_iot-20150907 provided by freescale, I find even if I changed the uboot files to the ones which didn't signed by the right key(the right key's hash value has burned to the fuse), this uboot can still boot up.
But if I didn't write the hdr_uboot_swap.out file to the QSPI flash, the uboot can't boot up.
I use the demo RCW image file to control the secure boot enable and didn't enable ITS.
I didn't understand why the uboot signed by the error key can boot up if the hdr file burns to the QSPI flash.
It seems like the public key didn't validated by the fuse.
Will the uboot run if it didn't pass the verification of ISBC?
Have a great day,
QorIQ LS1021A Reference Manual in section 9.7 Security fuse processor (SFP) provides description of fuse registers. It says that 1e80020 is address of Instruction Register (SFP_INGR). The INGR is the target of software commands intended to read or program the SFP fuse array. As the values in the instruction register are not reflected in the fuse array, there is no write protection for this register. When programming the SFP fuse array, polling INST and ERR fields of the INGR provides confirmation that the SFP logic has completed burning fuses.
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
Would please provide me the link about QorIQ LS1021A Reference Manual which includes section 9.7 Security fuse processor.
Please take a look on Secure Boot/Debug Configuration for LS1.
Adrian