I've been investigating system security on a custom i.MX6SoloLite board. I've been reading the i.MX6SoloLite Reference Manual and the i.MX6SoloLite Security Reference Manual. There seems to be some conflicting/confusing/lacking sections in the two documents. My main areas of confusion are in regards to the One Time Programmable Key, Crypto Key, and the Unique Id, all of which are contained in fuses.
In regards to the OTPMK, the Security Reference Manual says the key is 256-bits long and is programmed by Freescale at the time of production. On production parts, that key is read-locked (which I've verified on my part, is in fact locked). That's all fine to me, what's confusing is how key is used. The Security Reference Manual says that after a system reset, the OTP controller reads the e-fuse devices and provides the OTP key information to the DCP. The DCP receives a 64-bit UNIQUE KEY and a 128-bit CRYPTO KEY. The crypto key is either directly or indirectly provided through the SNVS module based a 'key path control' fuse. What fuse is that? I cannot find it in the documentation (it's possible I may have missed). Furthermore, the CRYPTO KEY is 256-bits and a mux is used to select the high or low 128-bits. Where is this mux? Is it in fuses? Is it a HW mux? Does this mean the OTPMK and CRYPTO key are the same key? Note this is all from section 18.104.22.168 AES OTP Key in the i.MX6SLSRM.
Now, in section 4.2.4 One Time Programmable (OTP) Key of the i.MX6SLSRM, it says that the DCP can receive two different 128-bit keys. One key comes from the OTP controller (I'm assuming that's the OTPMK?) and one can come directly from the SNVS. What key is coming from the SNVS? Is this the ZMK business contained in the SNVS? Both reference manuals say to set the OTP_KEY_TO_DCP_DISABLE fuse to enable SNVS mode. Where is this fuse?
The next area of confusion is the UNIQUE_KEY. I the same section above, the i.MX6SLSRM states that the UNIQU_KEY may be selected for use by the DCP. The security reference manual states that "The UNQUE_KEY is generated from the OTP KEY and key modifier bits from other OTP fuse fields. This key is unique to the device...". Is this key the 64-bit UNIQUE ID combined with the OTPMK (somehow)? What are the "key modifier bits" and what fuse fields is this referring too? If this is not the 64-bit UNIQUE ID, how/where is that 64-bit value used?
(Questions are in bold)
Any help/clarification would be very beneficial. Thanks in advance!