What is the purpose of the 'Encryption XIP enable' eFuse?

rshipman
Contributor V

If I run a signed UNencrypted xip demo (iled_blinky) on a board with the SRK and BEE_KEYx_SEL fuses burnt, the demo runs fine out of flash as XIP.
This signed UNencrypted xip demo works fine if the 'Encryption XIP enable' eFuse is either set or not set.

If I run the same demo, but as a signed ENCRYPTED xip (using .bd to set up PRDB blocks etc) the demo also runs fine, but only if the 'Encryption XIP enable' eFuse is set.
(I can verify it is encrypted by using blhost to read back the flash.)

Note that I use SW8-1 DIP switch to override the eFuse setting.


eFuse info here:
Document: i.MX RT1020 Processor Reference Manual, Rev. 1, 12/2018
Section: 8.6.1.1 Serial NOR eFUSE Configuration
Page: 200

Table 8-9. Fuse definition for Serial NOR over FlexSPI
BOOT_CFG1[0], Encrypted XIP

eFuse info also here:
Document: i.MX RT1020 Processor Reference Manual, Rev. 1, 12/2018
Section: 21.1 Boot Fusemap
Page: 1097

Table 21-2. FlexSPI (Serial NOR) boot fusemap
0x450[0] (BOOT_CFG1): EncryptedXIP

My question therefore is, what is the purpose of the eFuse 'Encryption XIP enable'?


Is the purpose of the eFuse simply to turn on the BEE engine?
If the BEE engine is turned on, apps without PRDB blocks set up can still run as unencrypted xip?
So the fuse does not prevent unencrypted xip apps?

If this is all true, why not have the BEE running all the time, and not bother with the eFuse?
I'm sure there must be a good reason to have this eFuse. So what am I missing here?
Is it a power consumption thing?

Many thanks for your help.

kerryzhou
NXP TechSupport

Hi rshipman,

  Regarding the Encryption XIP enable function, the RT1020 RM is not enough; you need to read the secure document:

https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=IMXRT1050SRM&appType=moderated 

  Although it is for the RT1050/RT1060, you can still refer to it.

  Check 3.6.2.5 Encrypted XIP Flow

and chapter 3.6.2 Encrypted XIP and Flash Access Protection.

It will be clearer.

Hope this helps!

Have a great day,
Kerry

 

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

 

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

rshipman
Contributor V

Hi Kerry,

Many thanks for your answer.

OK, so the Encrypt XIP bit needs to be set for the BEE decrypt-on-the-fly to run.

However if the PRDB blocks are not present, a plaintext image will still boot.

So the SRK fuses and SEC_CONFIG need to be burnt to prevent unauthorised code from booting.

That would explain the behaviour I am seeing.

Another question:

The Encrypt XIP dip switch SW8-1 is routed to GPIO_EMC_18 (on RT1020-EVK).

However the default iomux setting for that pin is ALT5 = GPIO2_IO18 of instance: gpio2

It is not ALT6 = SRC_BT_CFG00 of instance: src

So how does this dip switch work during boot, i.e. before software can re-route it?

Yet it does seem to work.

Kind regards,

Ronnie

rshipman
Contributor V

I had a look at the eval board schematic, and I can see (probably) how the different pull up/down resistors allow the SDRAM line to work if the SW8-1 switch is on. However I still do not understand how the GPIO_EMC_18 pin is routed to SRC_BT_CFG00, so that SW8-1 controls the Encrypt XIP settings. Is the ROM doing this?

kerryzhou
NXP TechSupport

Hi rshipman,

    The MIMXRT1020-EVK is using the SW8_1 as the Encrypted XIP bit.

[Image: pastedImage_1.png]

It uses the pull-up and the pull-down to select the specific Encrypted XIP bit data.

As for your consideration about the pin function, you are right: during boot, the ROM bootloader will configure the related pin function.

Hope this helps!

Have a great day,
Kerry

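The boot behaviour reported in this thread, written as a small provisioning check. This is an added example, not code from NXP or from the posters: the struct, field and enum names are hypothetical, and only the BOOT_CFG1[0] bit position at fuse 0x450 is taken from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* From the thread: fuse word 0x450 (BOOT_CFG1), bit 0 = EncryptedXIP. */
#define BOOT_CFG1_ENCRYPTED_XIP (1u << 0)

/* Hypothetical inputs collected by a provisioning check (names are assumptions). */
struct boot_state {
    uint32_t boot_cfg1;      /* readback of fuse word 0x450 */
    int      sw_override;    /* -1 = no override, 0/1 = value forced by SW8-1 */
    bool     srk_burnt;      /* SRK fuses programmed */
    bool     sec_config_set; /* SEC_CONFIG burnt */
    bool     image_has_prdb; /* image was built as encrypted XIP */
};

enum finding {
    OK_ENCRYPTED_AND_AUTHENTICATED,
    WARN_PLAINTEXT_IMAGE,       /* boots, but flash contents read back in clear */
    WARN_UNAUTHENTICATED_BOOT,  /* nothing stops unauthorised code from booting */
    ERR_ENCRYPTED_IMAGE_NO_BEE  /* encrypted image, on-the-fly decrypt not enabled */
};

/* Effective EncryptedXIP setting: the EVK switch, when used, overrides the fuse. */
bool encrypted_xip_enabled(const struct boot_state *s)
{
    if (s->sw_override >= 0)
        return s->sw_override != 0;
    return (s->boot_cfg1 & BOOT_CFG1_ENCRYPTED_XIP) != 0;
}

enum finding audit_boot_state(const struct boot_state *s)
{
    /* Encrypted image only runs when the EncryptedXIP bit is effective. */
    if (s->image_has_prdb && !encrypted_xip_enabled(s))
        return ERR_ENCRYPTED_IMAGE_NO_BEE;
    /* The EncryptedXIP bit alone does not block plaintext images. */
    if (!s->srk_burnt || !s->sec_config_set)
        return WARN_UNAUTHENTICATED_BOOT;
    if (!s->image_has_prdb)
        return WARN_PLAINTEXT_IMAGE;
    return OK_ENCRYPTED_AND_AUTHENTICATED;
}

int main(void)
{
    /* Constructed sample: fuse clear, SW8-1 forcing the bit on, SRK and SEC_CONFIG burnt. */
    struct boot_state s = { 0x0u, 1, true, true, true };
    printf("finding=%d\n", audit_boot_state(&s));
    return 0;
}
```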