LS1012A-FRWY & Secure Boot

cancel
Showing results for 
Search instead for 
Did you mean: 

LS1012A-FRWY & Secure Boot

435 Views
gabriele_coppol
Contributor II

Hi all,

I'm trying to obtain secure boot - for prototyping - on my ls1012a frwy board, so configuring the rcw and without blowing fuses except the ones for the OTPMK, but I got no prints on the console and the ERROR_STATE_NOT_CHECK error.

I'm mainly using the following documentation:

LSDKUG_Rev19.03

QORIQTRUST2.1UG_RevA

Enabling_Trust_on_LS10xx_AN5281

The .rcw file is the "secure standard" one, with SB_EN=1 and BOOT_HO=1.

I generated the firmware with the following script using lsdk19.03, then uploaded via tftp.

flex-builder -i clean
flex-builder -i clean-rfs
flex-builder -c rcw -m ls1012afrwy
flex-builder -c uboot -m ls1012afrwy -b qspi
flex-builder -c atf -m ls1012afrwy -b qspi -s


flex-builder -c linux -a arm64 -m ls1012afrwy


flex-builder -i mkrfs -a arm64


flex-builder -c optee_os -a arm64 -m ls1012afrwy
flex-builder -c optee_client -a arm64 -m ls1012afrwy
flex-builder -c optee_test -a arm64 -m ls1012afrwy
flex-builder -c dpdk -a arm64 -m ls1012afrwy
flex-builder -c iperf -a arm64 -m ls1012afrwy
flex-builder -c eth-config -a arm64 -m ls1012afrwy
flex-builder -i merge-component -a arm64 -m ls1012afrwy


flex-builder -i signimg -m ls1012afrwy -b qspi


flex-builder -i mkbootpartition -a arm64 -p layerscape -s


flex-builder -i packrfs -a arm64


flex-builder -i mkfw -m ls1012afrwy -b qspi -s

As far as I understood, I should generate an OTPMK with the script

packages/apps/cst/gen_otpmk_drbg -b 2

while the SRKH is the one resulting from the flex-builder process outputs.

I did NOT used the bridge on J37 to enable PROG_SFP, and I want to write the SRKH only in the mirror registers since I'm prototyping.

As expected, the console is stucked since the core is on hold-off.

So, using the CodeWarrior TAP and the CodeWarrior Connection Server, I connected the board:

delete all
config cc cwtap
config allow all
config networktimeout 10
config socketconnectwait 2000
config ptapshelltimeout 80
config self-destruct off
ccs::config_server 0 10000
ccs::config_chain {ls1043a dap sap2}
display ccs::get_config_chain

Note: <platform> is ls1043a because there is written in LSDKUG_Rev19.03 pag.153, in fact ls1012a generates an error.

Note2: in the following I'll use <dap position> =14 according to the output of ccs:get_config_chain command.

I blowed the OTPMK, then resetted the board:

#write OTPMK
ccs::write_mem 14 0x1e80234 4 0 0xe9b95534
ccs::write_mem 14 0x1e80238 4 0 0x8361c702
ccs::write_mem 14 0x1e8023c 4 0 0x10355aab
ccs::write_mem 14 0x1e80240 4 0 0x6322fc4c
ccs::write_mem 14 0x1e80244 4 0 0xc5b29834
ccs::write_mem 14 0x1e80248 4 0 0xb6bc2c3a
ccs::write_mem 14 0x1e8024c 4 0 0xefa49d82
ccs::write_mem 14 0x1e80250 4 0 0x59f23dfa


#write INGR register
ccs::write_mem 14 0x1e80020 4 0 0x02000000

Finally, I tried to write SRKH:

#display status regs
echo "display status regs"
display ccs::display_mem 14 0x1e90014 4 0 4
display ccs::display_mem 14 0x1ee0200 4 0 4
display ccs::display_mem 14 0x1570600 4 0 4

#write srkh
echo "write srkh"
ccs::write_mem 14 0x1e80254 4 0 0x4f3b23d9
ccs::write_mem 14 0x1e80258 4 0 0xaad8364b
ccs::write_mem 14 0x1e8025c 4 0 0x80e678a1
ccs::write_mem 14 0x1e80260 4 0 0x35a766f3
ccs::write_mem 14 0x1e80264 4 0 0x30541a74
ccs::write_mem 14 0x1e80268 4 0 0x1008655a
ccs::write_mem 14 0x1e8026c 4 0 0x8843a724
ccs::write_mem 14 0x1e80270 4 0 0xc75729fd

#display status regs
echo "display status regs"
display ccs::display_mem 14 0x1e90014 4 0 4
display ccs::display_mem 14 0x1ee0200 4 0 4
display ccs::display_mem 14 0x1570600 4 0 4

#release core from hold-off
echo "release core from hold-off"
ccs::write_mem 14 0x1ee00e4 4 0 0x00000001

#display status regs
echo "display status regs"
display ccs::display_mem 14 0x1e90014 4 0 4
display ccs::display_mem 14 0x1ee0200 4 0 4
display ccs::display_mem 14 0x1570600 4 0 4

The monitored registers are:
- at 0x1e90014 there is SecMon state
- at 0x1ee0200 there is SCRATCHRW1 of DCFG
- at 0x1570600 there is SCRATCHRW1 of SCFG

Obviously, the SCRATCHRW2 register will be the second 32b value out of 4 showed.

At the end of this procedure, the core is still on hold-off (I suppose) since there are no prints on the console, but after the last write at 0x1ee00e4, the SCRATCHRW2 register has the 101 error, which corresponds to ERROR_STATE_NOT_CHECK (SEC_MON State Machine not in CHECK state at start of ISBC. Some Security violation could have occurred).

Resetting the board, that register is clean but the board doesn't boot up.

What am I missing, or where am I getting wrong? Do I have to bridge up the J37 connector and set the LDO1CT enable bit?

Thanks in advance.

0 Kudos
2 Replies

79 Views
yipingwang
NXP TechSupport
NXP TechSupport

Hello Gabriele Coppolino,

 

 Blow fuses for LS1012 AFRWY
• J37 to enable PROG_SFP
• Through i2c transactions you need to write to LDO1CT register to change LDO1EN bit in vr5100
• i2c mw 0x08 0x6c 0x10

Reset and check that SNVS is in Check state whether OTPMK  is blown.

Thanks,

Yiping

0 Kudos

79 Views
gabriele_coppol
Contributor II

For completeness, I'm NOT setting the CONFIG_FUSE_PROVISIONING to "yes" in configs/build_lsdk.cfg

0 Kudos