secure boot failed on t2080qds

yi_li · ‎06-28-2016

I'm working on secure boot for T2080QDS.I walked the steps,but I failed.All files come from SDK, and signed header by cst.

Steps like that:

set SW#6[OFF,OFF,OFF,OFF]

1.download u-boot,the file come from sdk2.0

=>tftp 1000000 u-boot-secure-boot-2016.01+fslgit-r0.bin

=>erase 0xEBF40000 +c0000

=>cp.b 1000000 0xEBF40000 c0000

2.download rcw,the file come from sdk2.0

=>tftp 1000000 rcw_66_15_1800MHz_sb.bin

=>erase 0xEC000000 +b0

=>cp.b 1000000 0xEC000000 b0

3.download uboot_header,the file come from uni_sign

=>tftp 1000000 hdr_uboot.out

=>erase ECB00000 +700

=>cp.b 1000000 ECB00000 700

4.write SRK Hash Value,the value come from uni_sign,the hign bit set low address.

mm 0xfe0e823c

fe0e823c: 00000000 ? e814394d

fe0e8240: 00000000 ? eb4b3c5e

fe0e8244: 00000000 ? a74d8688

fe0e8248: 00000000 ? 0c92fa19

fe0e824c: 00000000 ? 58173dfa

fe0e8250: 00000000 ? 67a8f87b

fe0e8254: 00000000 ? 89750515

fe0e8258: 00000000 ? 34487261

5.write OTPMKR, the value come from gen_otpmk_drbg,the hign bit set low address.

mm 0xfe0e821c

fe0e821c: 00000000 ? e814394d

fe0e8220: FFFFFFFF? eb4b3c5e

fe0e8224: FFFFFFFF? a74d8688

fe0e8228: FFFFFFFF? 0c92fa19

fe0e822c: FFFFFFFF? 58173dfa

fe0e8230: FFFFFFFF ? 67a8f87b

fe0e8234: FFFFFFFF? 89750515

fe0e8238: FFFFFFFF? 34487261

6.write FSL_UID and OEM_UID

mm 0xfe0e825c

fe0e825c: 00000000 ? 99999999

mm 0xfe0e8270

fe0e8270: 00000000 ? 00000001

shutdown device,and set SW#6[OFF,ON,OFF,OFF],boot this device,no message output.

Error code at address 0xfe314014 is 8800AB00

SECMON_HPSR field descriptions

Field

Description

0

ZMK_ZERO

Zeroizable Master Key is Equal to Zero. When set, this bit triggers “bad key” violation if theZMKis selected

for use

NOTE: The reset value of this bit depends on the value in the LPZMKR.

0 The ZMK is not zero

1 The ZMK is zero

1–3

-

This field is reserved.

Reserved

4

OTPMK_ZERO

One Time Programmable Master Key = 0 Error

0 The OTPMK is not zero

1 The OTPMK is zero

5–6

-

This field is reserved.

Reserved

7

PE

OTPMK Parity Error. This bit is set to '1' for any odd number of errors in the OTPMK, including errors in

the error detection bits themselves. If any of the OTPMK_SYNDROME bits are set, and the OTRMK Parity

Error = 0, then the OTPMK has 2 or more errors and the failing bit position cannot be determined.

8–15

OTPMK_

SYNDROME

This value indicates the error location in case of a single-bit error in the OTPMK. For example, syndrome

word 10010110 indicates that key bit 150 has an error.

16–19

-

This field is reserved.

Reserved

20–23

SSM_ST

Security monitor state. This field contains the encoded state of the security monitor's internal state

machine. The encoding of the possible states are:

0000 Init

1001 Check

1011 Non-Secure

1101 Trusted

1111 Secure

0011 Soft Fail

0001 Hard Fail

24–31

-

This field is reserved.

Reserved

Looks like security monitor state is "1011 Non-Secure".

Error code at address 0xfe0e0200 is 00000101

0x101

ERROR_STATE_NOT_CHECK

SEC_MON State Machine not in CHECK state at start of ISBC. Some Security violation could have occurred.

The RCW that I used comes from SDK, and it truly enable secure boot.

When I rebooted the device,All "mm" values was gone.

Please give me some advice,Or point some error.

Thank you very much.

Yi.

input_uboot_nor_secure like that:

*/

---------------------------------------------------

# Specify the platform. [Mandatory]

# Choose Platform - 1010/1040/2041/3041/4080/5020/5040/9131/9132/9164/4240/C290

PLATFORM=4240

# ESBC Flag. Specify ESBC=0 to sign u-boot and ESBC=1 to sign ESBC images.(default is 0)

ESBC=0

---------------------------------------------------

# Entry Point/Image start address field in the header.[Mandatory]

# (default=ADDRESS of first file specified in images)

ENTRY_POINT=cffffffc

---------------------------------------------------

# Specify the file name of the keys seperated by comma.

# The number of files and key select should lie between 1 and 4 for 1040 and C290.

# For rest of the platforms only one key is required and key select should not be provided.

# USAGE (for 4080/5020/5040/3041/2041/1010/913x): PRI_KEY = <key1.pri>

# USAGE (for 1040/C290/9164/4240): PRI_KEY = <key1.pri>, <key2.pri>, <key3.pri>, <key4.pri>

# PRI_KEY (Default private key :srk.pri) - [Optional]

PRI_KEY=srk.pri

# PUB_KEY (Default public key :srk.pub) - [Optional]

PUB_KEY=srk.pub

# Please provide KEY_SELECT(between 1 to 4) (Required for 1040/C290/9164/4240 only) - [Optional]

KEY_SELECT=

---------------------------------------------------

# Specify SG table address, only for (2041/3041/4080/5020/5040) with ESBC=0 - [Optional]

SG_TABLE_ADDR=

---------------------------------------------------

# Specify the target where image will be loaded. (Default is NOR_16B) - [Optional]

# Only required for Non-PBL Devices (1010/1040/9131/9132i/C290)

# Select from - NOR_8B/NOR_16B/NAND_8B_512/NAND_8B_2K/NAND_8B_4K/NAND_16B_512/NAND_16B_2K/NAND_16B_4K/SD/MMC/SPI

IMAGE_TARGET=

---------------------------------------------------

# Specify IMAGE, Max 8 images are possible. DST_ADDR is required only for Non-PBL Platform. [Mandatory]

# USAGE : IMAGE_NO = {IMAGE_NAME, SRC_ADDR, DST_ADDR}

IMAGE_1={u-boot.bin,cff40000,ffffffff}

IMAGE_2={,,}

IMAGE_3={,,}

IMAGE_4={,,}

IMAGE_5={,,}

IMAGE_6={,,}

IMAGE_7={,,}

IMAGE_8={,,}

---------------------------------------------------

# Specify OEM AND FSL ID to be populated in header. [Optional]

# e.g FSL_UID=11111111

FSL_UID=

OEM_UID=

---------------------------------------------------

# Specify the file names of csf header and sg table. (Default :hdr.out) [Optional]

OUTPUT_HDR_FILENAME=hdr_uboot.out

# Specify the file names of hash file and sign file.

HASH_FILENAME=img_hash.out

INPUT_SIGN_FILENAME=sign.out

# Specify the signature size.It is mandatory when neither public key nor private key is specified.

# Signature size would be [0x80 for 1k key, 0x100 for 2k key, and 0x200 for 4k key].

SIGN_SIZE=0x100

---------------------------------------------------

# Specify the output file name of sg table. (Default :sg_table.out). [Optional]

# Please note that OUTPUT SG BIN is only required for 2041/3041/4080/5020/5040 when ESBC flag is not set.

OUTPUT_SG_BIN=

---------------------------------------------------

# Following fields are Required for 4240/9164/1040/C290 only

# Specify House keeping Area

# Required for 4240/9164/1040/C290 only when ESBC flag is not set. [Mandatory]

HK_AREA_POINTER=bff00000

HK_AREA_SIZE=00010000

---------------------------------------------------

# Following field Required for 4240/9164/1040/C290 only

# Specify Secondary Image Flag. (0 or 1) - [Optional]

# (Default is 0)

SEC_IMAGE=

---------------------------------------------------

Pavel · ‎07-03-2016

Look at the following page from Community:

https://community.nxp.com/thread/399971

This page contains command sequence for secure boot. Compare recommended command sequence and your command sequence.

Have a great day,
Pavel Chubakov

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

yi_li · ‎07-04-2016

This is not correct answer.I know the process.

I set the J27,it works.but I have another problem.

I burned all images, and reboot this board, no print on UART console. I followed steps on SDK 2.0>Boot Loaders>U-Boot>Secure Boot>Troubleshooting, the status register of sec mon block is 8000AD00, and Sec Mon in Trusted State is 0xd. The address 0xfe0e0204 is 00000000.

I am sure the entry point field in the ESBC header is 0xcffffffc,and u-boot is right. Because I rebuild the u-boot use commands: bitbake u-boot -c cleansstate, bitbake u-boot -c patch, bitbake u-boot.

I don't kwon what to do next.