Since the LS1043A can come with either SEC enabled or SEC disabled, is it a hard requirement that SEC be enabled for Secure Boot?
If we have an LS1043A that already has SEC disabled from NXP, can Secure Boot still be achieved? Documentation is unclear, but it seems like Secure Boot is still available even if SEC is not. Is this correct?
Hi,
If the LS1043A silicon lacks the SEC engine, it is physically incapable of triggering the ROM-based logic required to start a secure chain. The Arm CoT/mbedtls path in LSDK is not a "workaround" for missing hardware; it is simply a different software architecture for chips that do have the necessary security hardware.
Regards
OK, so an LS1043ASN7MNLB is not capable of secure boot with Arm Trusted Firmware, correct?
An LS1043ASEN7MNLB would be capable of secure boot with Arm Trusted Firmware, because it has the SEC enabled, correct?
Now you said that the non-SEC chip is not capable of a 'hardware-rooted' secure boot. Does that mean a software version ('software-rooted') of secure boot could work? The LSDK 21.08 also mentions that instead of NXP CoT there is Arm CoT, which utilizes mbedtls. However, it looks from the documentation like it does not support the LS1043A chip.
Just trying to get some clarification.
Thank you for the reply.
Hello,
No, it is not correct that Secure Boot is available if the SEC engine is disabled. For the LS1043A, having the SEC engine (security acceleration) enabled is a hard requirement for establishing a hardware-rooted Secure Boot.
Regards