T2080QDS Secure Boot

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

T2080QDS Secure Boot

1,176 Views
ilya_german
Contributor I

Hi,

I been trying to activate the secure boot on the platform for a while now.

I followed the following instructions:

1) QORIQ-SDK-2.0-IC-REV0_T1_T2_T4 Secure Boot demo.

2) Setting up Secure Boot on PBL Based Platforms in Prototype Stage.

For writing the SRK i used lauterbach, attached are  the values of SECMON and SFP registers after the core release.

I receive no prints to the console, please advice me how to continue.

Thanks,

Ilya German

0 Kudos
4 Replies

1,043 Views
ilya_german
Contributor I

Hello,

Please review the steps i made to permenently write the OTPMK registers on t2080QDS:

1) Enable POVDD SW9[8] = 0x1.

2) Short PROG_SFP(J27) jumper.

3) Write OTPMK to mirror registers 0xfe0e821c - 0xfe0e8238.

4) Permenantly write the OTPMK to fuze 0xfe0e8020 = 0x2.

Did i miss anything ?

Thanks,

Ilya

0 Kudos

1,043 Views
yipingwang
NXP TechSupport
NXP TechSupport

Hello Ilya German,

Please refer to the following recommended troubleshooting actions when No print on UART console.

1. Check the status register of sec mon block (location 0xfe314014). Refer to the details of the register from the Reference Manual. Bits OTPMK_ZERO, OTMPK_SYNDROME and PE should be 0 otherwise there is some error in the OTPMK fuse blown by you.
2.  If OTMPK fuse is correct (see Step 1), check the SCRATCHRW2 register for errors. Refer to Section for error codes.
3. If Error code = 0 then check the Security Monitor state in HPSR register of Sec Mon.
Sec Mon in Check State (0x9)
If ITS fuse = 1, then it means ISBC code has reset the board. This may
be due to the following reasons:
Hash of the public key used to sign the ESBC u-boot doesn't match with the value in SRK Hash Fuse
Or
Signature verification of the image failed
Sec Mon in Trusted State (0xd) or Non Secure State (0xb)
Check the entry point field in the ESBC header. It should be 0xcffffffc for the demo.
If entry point is correct, ensure that u-boot image has been compiled with the required secure boot configuration.

In your attachment HPSR is 8000a900, OTPMK_ZERO, OTMPK_SYNDROME and PE files of HPSR is zero, SCRATCHRW2 is zero, HPSR[SSM_ST] is 9, please refer to the proper reason.

If ITS fuse = 1, then it means ISBC code has reset the board. This may
be due to the following reasons:
Hash of the public key used to sign the ESBC u-boot doesn't match with the value in SRK Hash Fuse
Or
Signature verification of the image failed

Thanks,

Yiping

0 Kudos

1,043 Views
ilya_german
Contributor I

Thank you for the quick response !

The ITS fuse = 0, thats weird because i used RCW with SB_EN = 1 and  BOOT_HO =  1(See attached file).

Do you have any idea why the ITS fuse equals 0 ?

rcw_66_15_1800MHz_sb_ho.png

0 Kudos

1,043 Views
yipingwang
NXP TechSupport
NXP TechSupport

Hello Ilya German,

In prototype stage, ITS fuse should be 0. Please refer to the section " Deploy Secure Boot Images to the Target and Write SRKH Mirror Register" inSetting up Secure Boot on PBL Based Platforms in Prototype Stage

You need to permanently write OTPMK key into fuse array.

Thanks,

Yiping

0 Kudos