What does SECURED/UNSECURED in the "blhost get-property 17" response mean for RT685


930 Views
scott-kooy
Contributor III

We would like to confirm that BOOT_CFG[0] SECURE_BOOT_EN (bits 21:20) is set to Enabled.  I assume this means that the RT685 is secured.

In my experimentation I wrote the OTP fuses for BOOT_CFG[0], MASTER_KEY, and RKTH.

See the following batch file that writes the OTP fuses: (I read back the values of the OTP with the Secure Provisioning Tool to confirm values were written correctly)

@echo ### Burn fuse: BOOT_CFG[0] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x60 00900005 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[31:0] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x70 62469820 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[63:32] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x71 763D5D72 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[95:64] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x72 A4EF6715 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[127:96] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x73 BB0D28CB lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[159:128] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x74 269855E1 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[191:160] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x75 74880D07 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[223:192] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x76 1FBAB14D lock
if errorlevel 1 exit 2

@echo ### Burn fuse: OTP_MASTER_KEY[255:224] ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x77 085C7C51 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_255_224 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x78 D99DB08E lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_223_192 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x79 DEF7EBB2 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_191_160 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x7a E238EE04 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_159_128 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x7b 178B0CBF lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_127_96 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x7c B91F5F62 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_95_64 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x7d 5DAFD6D4 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_63_32 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x7e FAF305E0 lock
if errorlevel 1 exit 2

@echo ### Burn fuse: RKTH_31_0 ###
call "%blhost%" %blhost_connect% -j -- efuse-program-once 0x7f 811167FF lock
if errorlevel 1 exit 2

After writing the fuses and then a secure (signed) firmware release, I then run the following batch file:

call "%blhost%" %blhost_connect% -- get-property 17

And the output is:

Inject command 'get-property'
Response status = 0 (0x0) Success.
Response word 1 = 1520786085 (0x5aa55aa5)
Security State = UNSECURE

I would expect the Security State would be SECURE, but that is not the case.  Is this Security State based only on OTP words?  If so, what OTP words need to be burned?  If not, what other configuration is the Security State based on?

 

Thanks for your help.

0 Kudos
1 Solution
928 Views
Yuri
NXP Employee

@scott-kooy 
Hello,

The SECURE_BOOT_EN fuse means that the Secure boot ROM will perform boot.
Secure boot provides a guarantee that unauthorized code cannot be executed / booted.

The Security State concerns the ARM TrustZone configuration.

https://www.nxp.com/docs/en/application-note/AN12839.pdf

 

Regards,
Yuri.

0 Kudos
3 Replies
921 Views
scott-kooy
Contributor III

So you say that Security State concerns TrustZone.  Does this mean that Security State=SECURE is returned by "blhost get-property 17" if TrustZone is enabled (BOOT_CFG[0], bits 14:13 is 2'b11 or 2'b10)?  Also, will "blhost get-property 17" return SECURE if we set those bits in the shadow registers? If not, what OTP word values are required to return SECURE?

0 Kudos
897 Views
scott-kooy
Contributor III

I was asking the wrong question here.  I thought that if the SECURE_BOOT_EN bit was set, "blhost get-property 17" would return SECURED, but I was wrong.  I found out that I instead need to do "blhost read-efuse-once 0x60" to get BOOT_CFG[0], which contains the SECURE_BOOT_EN bit.  Thanks.
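
The check this thread arrives at, as an added example that is not part of any post: a provisioning script that reads the Security State from the get-property 17 response and, separately, compares the BOOT_CFG[0] fields read back from OTP word 0x60 against the word that was meant to be burned. The function names, the field labels and the layout of the fuse read-back text (byte count in word 1, fuse value in word 2) are assumptions; the bit ranges and the value 0x00900005 come from the thread.

```python
import re

# Response to get-property 17 as quoted in the thread.
PROPERTY_17 = """Response status = 0 (0x0) Success.
Response word 1 = 1520786085 (0x5aa55aa5)
Security State = UNSECURE"""
# Constructed sample of a fuse read-back of OTP word 0x60 (layout is an assumption).
FUSE_0X60 = """Response status = 0 (0x0) Success.
Response word 1 = 4 (0x4)
Response word 2 = 9437189 (0x900005)"""

# (hi, lo) bit ranges in BOOT_CFG[0] as given in the thread; key names are labels chosen here.
FIELDS = {"SECURE_BOOT_EN": (21, 20), "TZ_BITS_14_13": (14, 13)}

def response_words(text):
    """Return the response words of a blhost text reply; raise unless status is 0."""
    status = re.search(r"Response status = (\d+) ", text)
    if status is None or int(status.group(1)) != 0:
        raise ValueError("blhost did not report success")
    return [int(h, 16) for h in
            re.findall(r"Response word \d+ = \d+ \(0x([0-9a-fA-F]+)\)", text)]

def security_state(text):
    """Security State string from a get-property 17 reply (None if absent)."""
    response_words(text)  # rejects replies with an error status
    m = re.search(r"Security State = (\w+)", text)
    return m.group(1) if m else None

def field(word, hi, lo):
    """Extract bits hi:lo (inclusive) from a 32-bit word."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)

def check_boot_cfg0(fuse_text, intended_word):
    """Compare each BOOT_CFG[0] field read from OTP with the intended word."""
    words = response_words(fuse_text)
    if not words:
        raise ValueError("no fuse value in reply")
    read = words[-1]  # assumption: the fuse value is the last response word
    report = {}
    for name, (hi, lo) in FIELDS.items():
        got, want = field(read, hi, lo), field(intended_word, hi, lo)
        report[name] = {"read": got, "intended": want, "ok": got == want}
    return report

if __name__ == "__main__":
    print("Security State:", security_state(PROPERTY_17))
    for name, result in check_boot_cfg0(FUSE_0X60, 0x00900005).items():
        print(name, result)
```

With these samples the Security State is UNSECURE while SECURE_BOOT_EN reads back exactly as programmed, which is the situation the thread describes; what each field value means should be checked against the RT685 reference manual.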