JTAG_SMODE to secure and SWD (E-XIP)

leonardos1 · ‎03-29-2019

Hi,

I'm settings up the security on a iMXRT1051 custom board, also tested on the IMXRT1050 EVKB.

The build is a FreeRTOS firmware and can proudly say that is running in EXIP (Encrypted eXecution In Place) flashed in a QSPI NOR. So, to recap the BEE is configured but I didn't touch anything to HAB or Central Secure Unit.

Everything was fine but I was going to close the board and securing the debugging ports.

Reading IMXRT1051SRM_rev1 and the AN4686 documents I was planning to enable the Secure JTAG mode fusing the JTAG_SMODE to 01.

Will it make possible to use the challenge/response mechanism with SWD?

Does it work only with JTAG so I need to disable the SWD entirely?

leonardos1 · ‎04-08-2019

Finally it worked, Secure JTAG works with an EXIP image.

SWD is not duable you have to switch the chip to JTAG.

michael_galda · ‎04-10-2019

Hi Leonardo,

Thanks for confirmation.

This is exactly what I saw before.

Attached is the AppNote draft, describing the usage with Segger JLink (instead of the Lauterbach)

The AN will be released soon. If you see anything wrong or unclear, correct me, please.

Thanks for cooperation,

Michael

michael_galda · ‎04-10-2019

AN draft for JLink attached

michael_galda · ‎04-01-2019

Hi Leonardo,

Attached is the draft of my Application Note, maybe not 100% correct, without warranty.

However it doesn't work in SWD mode, but device must be switched to JTAG mode.

Thanks,

Michael

leonardos1 · ‎04-02-2019

Thank you Micheal,

I finally had chance to test what I have done on the customer PCB and the EVKB.

To switch to JTAG and secure it I was missing the KTE_FUSE to me wasn't crystal clear in the documentaion.

What I'm missing now is the very last step, means communicate with the JTAG state machine to read the Challenge and send back the matching Response using the Segger/JLink script.

I was planning to use the chapter 4.1 of the document you share, unfortunately I cannot find this file to download.

If you wish to navigate to these scripts from Lauterbach’s main page for reference, they are located under “Support” - “Download Center” - “Start-UpScripts” at “arm” - “imxrt” “secure-jtag”.

jeremyzhou · ‎03-31-2019

Hi leonardo salvatore,

Thank you for your interest in NXP Semiconductor products and for the opportunity to serve you.
Q1) Will it make possible to use the challenge/response mechanism with SWD?
-- Actually, I'm very clear with the question, whether you can clarify it.
Q2) Does it work only with JTAG so I need to disable the SWD entirely?
-- Yes, you can disable the SWD mode by setting the DAP_SJC_SWD_SEL bit.

Fig 1

Have a great day,
TIC

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

leonardos1 · ‎04-01-2019

Hello,

Let me be more clear here.

I know how to use secure jtag with other boards lautherbach and OpenoOCD sending custom shift commands for challenge/response handshake.

But I'm new to imxrt and swd.

Q1.

The custom PCB I'm working with has only SWD.

Is it possible to secure it with the Secure JTAG?

Q2.

Sure I have done on the EVKB and is working fine.

Thank you for your time.

JTAG_SMODE to secure and SWD (E-XIP)

JTAG_SMODE to secure and SWD (E-XIP)

i.MXRT 105x

i.MXRT 106x