[ls1046a] Concerns and questions about using Fuse Provisioning Image to enable secure boot


james_browning
Contributor III

Hello,

I am trying to create a procedure for enabling secure boot on our products using the fuse provisioning image provided by the TF-A. I am following these 3 guides:

Here is my issue, 

In all these guides, it specifies to use the following compile command:
make all fip pbl PLAT=ls1046ardb BOOT_MODE=qspi RCW=../rcw_1600_qspiboot.bin BL33=../uboot_ls1046ardb_tfa.bin fip_fuse FUSE_PROG=1 FUSE_PROV_FILE=../cst/fuse_scr.bin

This command works, however my concern is that it does not enable TRUSTED_BOARD_BOOT. As a result, the BL2 will not be signed with the CSF header. This seems like it would brick the card, assuming that ITS is set? If we provision the fuses, and then reboot with an unsigned BL2, the card will not boot, right? The troubling part is none of these guides emphasize that point.

Imo it seems highly risky to provision the fuses without first having a CST signed BL2 ready for the next boot. There is always the risk that the card loses power or reboots before the user has a chance to correctly download and install a secure BL2 image. It seems reasonable that the BL2 image should be signed with the CSF header as well as be able to provision the fuses.

Therefore, I tried to use this command instead:
make all fip pbl PLAT=ls1046ardb BOOT_MODE=qspi RCW=../rcw_1600_qspiboot.bin BL33=../uboot_ls1046ardb_tfa.bin fip_fuse FUSE_PROG=1 FUSE_PROV_FILE=../cst/fuse_scr.bin TRUSTED_BOARD_BOOT=1

This way, the fuse provisioning will be enabled, and the BL2 will be signed. I also set SB_EN=1 in the RCW, so that the fuse provisioning BL2 will be authenticated on the first boot. However, this does not work. I get the following error messages:

ERROR: Failed to add dynamic memory region.
ERROR: Failed to load FUSE PRIV image
ERROR: FUSE Barker code mismatch.

After some debugging, I found out that it was failing to dynamically mmap the memory, because the CSF header requires a dynamic mmap but it fully overlaps with the DRAM0 region. This excerpt is my debug statement in mmap_add_region_check (this is in v2.6 of the qoriq-atf, btw):


                /*
                 * Full VA overlaps are only allowed if both regions are
                 * identity mapped (zero offset) or have the same VA to PA
                 * offset. Also, make sure that it's not the exact same area.
                 * This can only be done with static regions.
                 */
                if (fully_overlapped_va) {

#if PLAT_XLAT_TABLES_DYNAMIC
                        if (((mm->attr & MT_DYNAMIC) != 0U) ||
                            ((mm_cursor->attr & MT_DYNAMIC) != 0U)) {
                                ERROR("DEBUG: Dynamic!\n");
                                return -EPERM;
                        }
#endif /* PLAT_XLAT_TABLES_DYNAMIC */

DRAM0 starts at 0x8000_0000 but the FUSE_BUF begins at 0x8100_0000:


plat/nxp/common/include/default/plat_default_def.h:#define FUSE_BUF		ULL(0x81000000)

This causes a conflict and the FUSE_BUF can't be allocated. As a result, it seems that FUSE_PROG and TRUSTED_BOARD_BOOT cannot both be enabled in the same BL2 image.

What is the intended solution here? Should I just modify the FUSE_BUF addr to be outside of DRAM0? Should I disable PLAT_XLAT_TABLES_DYNAMIC?

Thank you for your help,
James

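The overlap rule from the excerpt above, modelled against the addresses given in the post, as an added example that is not code from the thread or from TF-A. It assumes a static, identity-mapped 2 GiB DRAM0 at 0x80000000, a 64 KiB FUSE_BUF mapping, a placeholder value for MT_DYNAMIC, and that 0x10000000 is unmapped.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

#define MT_DYNAMIC (1U << 31)  /* placeholder bit for a dynamic region; TF-A's real value differs */
typedef struct {
    uint64_t base_pa, base_va, size;
    uint32_t attr;
} mmap_region_t;

/* Model of the overlap rule quoted from mmap_add_region_check():
 * 0 if 'mm' may be added next to 'cur', -EPERM if the rule rejects it. */
static int overlap_check(const mmap_region_t *mm, const mmap_region_t *cur)
{
    uint64_t mm_end = mm->base_va + mm->size - 1U;
    uint64_t cur_end = cur->base_va + cur->size - 1U;
    if (mm_end < cur->base_va || mm->base_va > cur_end)
        return 0;                       /* disjoint VA ranges never conflict */

    bool fully_overlapped_va =
        (mm->base_va >= cur->base_va && mm_end <= cur_end) ||
        (cur->base_va >= mm->base_va && cur_end <= mm_end);
    if (!fully_overlapped_va)
        return -EPERM;                  /* partial overlaps are always rejected */

    /* The branch hit in the thread: a full overlap is refused as soon as either
     * region is dynamic, so the CSF header's dynamic map of FUSE_BUF inside DRAM0 fails. */
    if ((mm->attr & MT_DYNAMIC) != 0U || (cur->attr & MT_DYNAMIC) != 0U)
        return -EPERM;

    /* Static/static: same VA->PA offset required, and not the exact same area. */
    if ((mm->base_va - mm->base_pa) != (cur->base_va - cur->base_pa))
        return -EPERM;
    if (mm->base_va == cur->base_va && mm->size == cur->size)
        return -EPERM;
    return 0;
}

/* Assumed: DRAM0 is a static, identity-mapped 2 GiB region at 0x80000000. */
static const mmap_region_t dram0 = { 0x80000000ULL, 0x80000000ULL, 0x80000000ULL, 0U };

/* Try to add a 64 KiB (assumed size) dynamic FUSE_BUF mapping at 'fuse_base' alongside DRAM0.
 * With the page's FUSE_BUF of 0x81000000 this returns -EPERM; with a base below DRAM0
 * (e.g. 0x10000000, assumed to be free) it returns 0. */
int fuse_buf_check(uint64_t fuse_base)
{
    mmap_region_t fuse = { fuse_base, fuse_base, 0x10000ULL, MT_DYNAMIC };
    return overlap_check(&fuse, &dram0);
}
```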
1 Solution
yipingwang
NXP TechSupport

The Fuse Provisioning image is a normal boot image, not a secure boot image; it is used to blow the OTPMK and SRKHR keys into the fuse array on the target.

FUSE_PROG and TRUSTED_BOARD_BOOT should not be enabled at the same time.

You could deploy the secure boot image on bank 0 of the QSPI NOR flash, and the fuse provisioning image on the alternate bank or an SD card. After booting from the alternate bank or SD card to do fuse provisioning, reboot the target board to do secure boot.

If you only have one QSPI NOR flash bank, after running the fuse provisioning boot image and checking the status, please don't reset the target board; deploy the secure boot image on the NOR flash first, then reset the target board.


2 Replies
james_browning
Contributor III
Thank you, yipingwang. In our case we unfortunately are strictly limited to QSPI boot with a single bank.

It sounds like we will have to exercise caution and ensure we program the qspi correctly before rebooting.

Would it be possible for us to prepare a fuse provisioning PBL image which contains an unsigned BL2, but which also contains an alternate signed BL2? We would need the PBI to load both BL2s and then load a pointer to the signed one in SCRATCHRW3. This way, in case the card reboots before re-programming the QSPI, we have a signed alternate image to fall back on. This seems like a bit of a reach; I'm not sure if there's something I'm overlooking which would prevent this from working.