FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

question about fuse address

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

question about fuse address

Jump to solution
‎05-03-2016 05:22 AM
2,017 Views
hillmanhuo
Contributor II

Hi all,

     I'm working on secure boot of ls1021a-iot, I can follow the steps in A0001-Secure-boot.pdf file in  LS1021A-Rev2_iot-20150907 using the demo images provided by freescale.

     But I'm not sure about something as below, can you help me?

     There is a step to burn key hash256 to the fuse on uboot which boot from sd card as below.

=>mm 1e80234

01e80234: 00000000?88888888

01e80238: ffffffff?77777777

01e8023c: ffffffff?66666666

01e80240: ffffffff?55555555

01e80244: ffffffff?44444444

01e80248: ffffffff?33333333

01e8024c: ffffffff?22222222

01e80250: ffffffff?11111111

01e80254: 00000000?.

=>mm 1e80254

01e80254:00000000?6c25e357

01e80258:00000000?fd0bf748

01e8025c:00000000?cd2c1356

01e80260:00000000?58b79c1b

01e80264:00000000?f480db72

01e80268:00000000?2243a6e30

01e8026c:00000000?6a017e1f

01e80270:00000000?a432062e

01e80274:00000000?.

=>mw 1e80020 0x02000000

=>md 1e80020 1

0x00000000

I not sure about the fuse address for ls1021a-iot, I think 01e80234 is the start address for OTPMKR and 01e80254 is the start address for SRKHRn, Is that right? What's the address 1e80020 used for? Is it for the ITS fuse? If it's not, what's the address for ITS fuse? Is there any document about these address?

I have burned the hash of demo public key to the fuse, if I want to burn another hash of a new key what's the address? Is there any document about this?

Thanks in advance.

Labels (1)
Labels
Reply
1 Solution

Jump to solution
‎05-04-2016 01:59 AM
1,491 Views
r8070z
NXP Employee
NXP Employee

Have a great day,

QorIQ LS1021A Reference Manual in section 9.7 Security fuse processor (SFP) provides description of fuse registers. It says that 1e80020 is address of Instruction Register (SFP_INGR). The INGR is the target of software commands intended to read or program the SFP fuse array. As the values in the instruction register are not reflected in the fuse array, there is no write protection for this register. When programming the SFP fuse array, polling INST and ERR fields of the INGR provides confirmation that the SFP logic has completed burning fuses.

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

View solution in original post

Reply
4 Replies

Jump to solution
‎05-04-2016 05:30 AM
1,491 Views
hillmanhuo
Contributor II

Thanks your kindly help.

I found a new problem now, when I use follow the steps in A0001-Secure-boot.pdf, and use the demo images in  LS1021A-Rev2_iot-20150907 provided by freescale, I find even if I changed the uboot files to the ones which didn't signed by the right key(the right key's hash value has burned to the fuse), this uboot can still boot up.

But if I didn't write the hdr_uboot_swap.out file to the QSPI flash, the uboot can't boot up.

I use the demo RCW image file to control the secure boot enable and didn't enable ITS.

I didn't understand why the uboot signed by the error key can boot up if the hdr file burns to the QSPI flash.

It seems like the public key didn't validated by the fuse.

Will the uboot run if it didn't pass the verification of ISBC?

0 Kudos
Reply

Jump to solution
‎05-04-2016 01:59 AM
1,492 Views
r8070z
NXP Employee
NXP Employee

Have a great day,

QorIQ LS1021A Reference Manual in section 9.7 Security fuse processor (SFP) provides description of fuse registers. It says that 1e80020 is address of Instruction Register (SFP_INGR). The INGR is the target of software commands intended to read or program the SFP fuse array. As the values in the instruction register are not reflected in the fuse array, there is no write protection for this register. When programming the SFP fuse array, polling INST and ERR fields of the INGR provides confirmation that the SFP logic has completed burning fuses.

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

Reply

Jump to solution
‎05-05-2016 12:56 AM
1,491 Views
hillmanhuo
Contributor II

Would please provide me the link about QorIQ LS1021A Reference Manual which includes section 9.7 Security fuse processor.

0 Kudos
Reply

Jump to solution
‎05-04-2016 12:12 AM
1,491 Views
addiyi
NXP Employee
NXP Employee

Please take a look on Secure Boot/Debug Configuration for LS1.

Adrian

Reply