Issue in Booting After Enabling Secure Boot


pranavmadhu
Contributor IV

Hi,

I'm working on an LS1021AIOT rev 2 board. I'm trying to enable the secure boot feature on our board. I did the following steps.

1. Enabled the SB_EN bit in the RCW, and byte swapped the obtained PBL. (Make SCRATCHRW1=0x40090000, i.e. the CSF header location on NOR Flash).

2. Generated public and private keys.

3. Generated CSF header and key hash for u-boot (using the uni_sign utility in the cst directory).

4. Placed jumpers on j14, j19, & j20.

5. Generated OTPMK0 - OTPMK7, and written to OTPMK registers of ls1 (0x01e80234).

6. Programmed SRKH register in big endian mode with value obtained from hash key (0x01e0254).

7. Wrote the content of the mirror registers to the fuse array by programming the SFP_INGR register (0x01e80020).

8. Checked the status of fuse array programming by reading the status of the SFP_INGR register. The value obtained was 0x0, programmed successfully.

9. Switched off the board, removed jumpers j19 & j20, and booted the board from SD card.

10. Flashed the byte swapped rcw (SB_EN=1) to NOR addr 0x0, u-boot to addr 0x10000 and CSF header for u-boot to addr 0x90000.

11. Rebooted the board.

But now we are not getting any console prints on booting from QSPI NOR with secure boot enabled, and we are also unable to boot from SD card in non-secured mode (in the RCW, SB_EN = 0 for SD card).

The RCW in QSPI NOR is detected by the board, as the red LED (D6) indicator has turned off. But while booting from SD card, the RCW is not detected, as the red LED (D6) is blinking, though it is possible to boot another LS1021AIOT board using the same SD card (in non-secure mode).

Is that a chip erratum of LS1021AIOT silicon revision 2?

Can anybody help me in solving this issue?

Thanking you in advance,

Pranav

1 Solution
addiyi
NXP Employee

For booting in normal mode, make sure SB_EN=0 in the RCW and/or that ITS is also 0.

Adrian

7 Replies
prabinca4u
Contributor III

Hi Adrian

Is SFP_OSPR (0x01e8_0200: OEM Security Policy Register) a fuse register? I didn't get any information regarding whether it is a fuse register or not from the data sheet. What is the significance of the ITS (intent to secure) bit in this register? Does it go to 0 on restarting the board, or is it also a fuse register bit?

addiyi
NXP Employee

I think Yiping's response from https://community.freescale.com/message/616758?et=watches.email.outcome#616758 will help you.

Adrian

addiyi
NXP Employee

Please refer to this doc.

Adrian

pranavmadhu
Contributor IV

Thank You Adrian,

Is it possible to clear the registers SRKH, OTPMK using CodeWarrior TAP?

addiyi
NXP Employee

Once you permanently fuse the shadow registers, you can't clear them even if a CodeWarrior TAP is used.

Adrian

pranavmadhu
Contributor IV

We have enabled secure boot, but normal booting is also not happening while booting from the SD card.
