RT1020 - why is BEE_SEL1_KEY set to 11 in the example

rshipman
Contributor V

Hi,

I have some questions regarding this document:

Document: AN12079.pdf

Section: 3.3.2. Generate SB file for FlexSPI NOR image encryption and programming

The bd file sets BEE_KEY0_SEL to b10 and BEE_KEY1_SEL to b11.

#6. Program BEE_KEY0_SEL and BEE_KEY1_SEL

load fuse 0x0000e000 > 0x06;

Questions:

  1. Why is BEE_KEY1_SEL being set at all, when only the PRDB0 block is being used?
  2. Why is BEE_KEY1_SEL being set to b11 which is the SW_GP2 key? SW_GP2 has not been set in this example.
  3. BEE_KEY0_SEL is being set to b10 which is the OTPMK key. Where is the OTPMK key being set?
  4. When I tried setting BEE_KEY0_SEL and BEE_KEY1_SEL to b10, the device would not boot. But when I used BEE_KEY0_SEL=b10 and BEE_KEY1_SEL=b11 like the example, it does boot. Why is this?

I am using the RT1020-EVK.

Thanks and regards,

Ronnie

Sabina_Bruce
NXP Employee

Hello,

Hope you are doing well.

  1. PRDB and KIB are both stored encrypted in external memory.
     BEE_KEY0_SEL and BEE_KEY1_SEL determine the key used to decrypt KIBs:
       - OTPMK derived key
       - SW-GP2 key (fuse provisioned)
     KIB -> encrypted by BEE_KEYn_SEL -> Encrypted KIB (EKIB)
     PRDB -> encrypted by AES key in the KIB -> Encrypted PRDB (EPRDB)
  2. Program OTPMK or SW_GP2 based on the setting of BEE_KEY1_SEL.
  3. The same as above for setting BEE_KEY0_SEL.

Best Regards,

Sabina

-----------------------------------------------------------------------------------------------------------------------

Note: If this post answers your question, please click the Correct Answer button. Thank you!

----------------------------------------------------------------------------------------------------------------------- 

rshipman
Contributor V

Hi Sabina,

Thanks for your reply.

What I was trying to ask is, why NXP used the settings they have in the example in AN12079, even though they are not using PRDB1, and have not set the OTPMK as far as I can see? Or why, if I differ from these settings, as described in my posting, it does not boot, even though the OTPMK must have been set somewhere (or the default setting works somehow)?

Working case (as per their example and works on one of my eval boards):
- BEE_KEY0_SEL=b10 and BEE_KEY1_SEL=b11.

Failing case (on a different board):
- BEE_KEY0_SEL = BEE_KEY1_SEL = b10

Note that the SW_GP2 fuses are not set, i.e. all 0.
I have not set OTPMK at all, in fact I do not know how. It is not in any of the RT1020 literature afaik.

Why does it not work?

One possibility might be that SW_GP2=0 has a special meaning. I know that if BEE_KEY0/1_SEL != 0, the RT1020 expects a PRDB0/1 block. But their example sets BEE_KEY1_SEL=b11 (use SW_GP2), but it does not set up PRDB1. It does set up two FAC regions in PRDB0 but not PRDB1. (In fact we now know that the flashloader does not support PRDB1 according to 'MCUX Flashloader Reference Manual, Rev. 2, 01/2018'.) So if BEE_KEY1_SEL != 0 why does this example boot? Does SW_GP2=0 mean ignore PRDBn? Or does an all-zero key do nothing? The PRDB1 area is all 1s (erased flash area), so it could be just a coincidence that a key of zero means the PRDB1 is decrypted into something valid or harmless. Seems unlikely though.

Kind regards,

Ronnie

Sabina_Bruce
NXP Employee

Hello,

Hope you are doing well.

The OTPMK is set during manufacturing, so you will not see in code that this is set anywhere. I believe some of your questions regarding the OTPMK were answered by my colleague in the following post:

RT1020 - How is the OTPMK set and used? 

"It does set up two FAC regions in PRDB0 but not PRDB1. (In fact we now know that the flashloader does not support PRDB1 according to 'MCUX Flashloader Reference Manual, Rev. 2, 01/2018'.)"

By default, all of the regions are BEE region 0.

Best Regards,

Sabina

rshipman
Contributor V

Update:

Regarding the failing case:
- BEE_KEY0_SEL = BEE_KEY1_SEL = b10

This works (no HAB errors) if I set up PRDB1. And the flashloader (included in the SDK) does support this:

# 3.2. Prepare PRDB1 options
# 0xe4120000 is an option for PRDB construction and image encryption
# bit[31:28] tag, fixed to 0x0E
# bit[27:27] Unused <- Ronnie: Added this line. The four bit keysource is actually split into three fields
# bit[26:26] PRDB block, 0 or 1 <- Ronnie: Added this line. The four bit keysource is actually split into three fields
# bit[25:24] Key source, fixed to 0 for A0 silicon <- Ronnie: Changed the bit description from [27:24] to [25:24]. The value can be 0 (OTPMK_SNVS_High), 1 (OTPMK_SNVS_Low - not used by RT1020 I think), 2 (SW_GP2). Not sure what it means about being fixed to 0?
# bit[23:20] AES mode: 1 - CTR mode
# bit[19:16] Encrypted region count
# bit[15:00] reserved in A0
load 0xe4120000 > 0x5000;
# Region 0 start
load 0x60011000 > 0x5004;
# Region 0 length
load 0x00001000 > 0x5008;
# Region 1 start
load 0x60012000 > 0x500c;
# Region 1 length
load 0x0000e000 > 0x5010;
# Program PRDB1 based on option
enable flexspinor 0x5000;

So the question remains:

Why does setting BEE_KEY1_SEL=b11 work without setting up PRDB1?

It can't be the 'fixed to zero' key source issue, because their example AN12079 should not have worked?

 

Regards,

Ronnie
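
As an added example (not part of the original posts and not NXP code), the following Python decodes the PRDB option word using the bit layout quoted in the post above, and applies the expectation stated earlier in the thread that a non-zero BEE_KEYn_SEL needs a PRDBn block. The fuse bit positions ([13:12] and [15:14]) are an assumption inferred from the thread's values 0x0000e000, b10 and b11; 0xe0120000 and 0x0000a000 are constructed sample values.

```python
from dataclasses import dataclass

PRDB_TAG = 0xE  # bits [31:28], fixed tag per the quoted layout

@dataclass
class PrdbOption:
    prdb_block: int    # bit [26]: 0 = PRDB0, 1 = PRDB1
    key_source: int    # bits [25:24]
    aes_mode: int      # bits [23:20], 1 = CTR
    region_count: int  # bits [19:16]

def decode_prdb_option(word: int) -> PrdbOption:
    """Split a PRDB option word into the fields listed in the post."""
    tag = (word >> 28) & 0xF
    if tag != PRDB_TAG:
        raise ValueError(f"bad tag 0x{tag:X}, expected 0x{PRDB_TAG:X}")
    return PrdbOption(
        prdb_block=(word >> 26) & 0x1,
        key_source=(word >> 24) & 0x3,
        aes_mode=(word >> 20) & 0xF,
        region_count=(word >> 16) & 0xF,
    )

def decode_bee_key_sel(fuse_word: int) -> dict:
    """Assumed positions: BEE_KEY0_SEL = [13:12], BEE_KEY1_SEL = [15:14]."""
    return {0: (fuse_word >> 12) & 0x3, 1: (fuse_word >> 14) & 0x3}

def check_config(fuse_word: int, option_words: list) -> list:
    """Warn when BEE_KEYn_SEL is non-zero but no PRDBn option is prepared."""
    prepared = {decode_prdb_option(w).prdb_block for w in option_words}
    warnings = []
    for n, sel in decode_bee_key_sel(fuse_word).items():
        if sel != 0 and n not in prepared:
            warnings.append(f"BEE_KEY{n}_SEL=b{sel:02b} but no PRDB{n} option prepared")
    return warnings

if __name__ == "__main__":
    print(decode_prdb_option(0xE4120000))
    # Fuse word from the thread with a constructed PRDB0-only option word
    print(check_config(0x0000E000, [0xE0120000]))
    # Constructed: both selectors b10, PRDB0 and PRDB1 both prepared
    print(check_config(0x0000A000, [0xE0120000, 0xE4120000]))
```

The first `check_config` call flags the AN12079-style setup discussed in the thread; why that setup boots anyway is the open question here and is not answered by this check.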

rshipman
Contributor V

Further to my update.

Even though BEE_KEY0_SEL = BEE_KEY1_SEL = b10, and PRDB0 and PRDB1 are both set up, only the region specified by PRDB1 is encrypted. So there is something wrong with the flashloader perhaps after all.

It clearly does not make sense to write the content of the region specified by PRDB0 in plaintext.

 

rshipman
Contributor V

Also see my reply to another posting:

https://community.nxp.com/thread/536805#comment-1339096 
