RT1021 secure boot: Why do both BEE_KEY_0SEL and BEE_KEY_1SEL need to be set?

rshipman · ‎12-08-2021

Hi,

See document: Security Reference Manual for the i.MX RT102x Processor, Rev. 0, 07/2020
Section: 3.6.2.1 Encrypted XIP on Serial NOR via FlexSPI Interface

It says:

"Both BEE_KEY_SEL fuses needs to be blown with valid value (2 or 3) even though one of them is not used."

Questions:

Is this sentence correct?
If so, what is the reason please? E.g. is it to prevent security attacks/hacks, or a silicon limitation?
Can BEE_KEY_0SEL and BEE_KEY_1SEL be different?

Many thanks and kind regards,

Ronnie

kerryzhou · ‎12-08-2021

Hi @rshipman ,

About the BEE, you also can check my document:

https://community.nxp.com/t5/i-MX-RT-Knowledge-Base/RT1015-APP-BEE-encryption-operation-method/ta-p/...

Now answer your questions:

Is this sentence correct?

--Answer:No, use which engine, enable which engine.

Eg, use Engine 0, then just burn fuse BEE_KEY_0SEL, to BEE_KEY_1SEL, leave it as default.

As the fuse area is the special area, bit just can be modified from 0 to 1, can't write back to 0.

2. If so, what is the reason please? E.g. is it to prevent security attacks/hacks, or a silicon limitation?

--Answer: No, don't need to burn both when you just use one engine.

3. Can BEE_KEY_0SEL and BEE_KEY_1SEL be different?

--Answer: BEE_KEY_0SEL for engine0, BEE_KEY_1SEL for engine1

BEE_KEY_0SEL for engine 0

BEE_KEY_1SEL for engine 1:

Wish it helps you!

Best Regards,

Kerry

RT1021 secure boot: Why do both BEE_KEY_0SEL and BEE_KEY_1SEL need to be set?

RT1021 secure boot: Why do both BEE_KEY_0SEL and BEE_KEY_1SEL need to be set?

i.MXRT