T1024RDB NOR secure boot failure


1,292 Views
arumugamp
Contributor I

Hi,

      I have tried NOR secure boot on the T1024RDB, but it goes to the non-secure state, as detected from the SECMON_HPSR register.  Below are the steps followed:

 

PBL binary generation using QCVS tool:

  • RCW values of T1024RDB retained, but with bits 201 & 202 (BOOT_HO & SB_EN) set to 1.
  • The PBI commands below are added to the binary image using QCVS:

# LAW for ESBC
    09000c10 00000000
    09000c14 c0000000
    09000c18 81f0001b

# LAW for CPC/SRAM
    09000d00 00000000
    09000d04 bff00000
    09000d08 81000013

# Scratch Registers
    090e0200 c0b00000
    090e0208 c0c00000

# CPC SRAM
    09010100 00000000
    09010104 bff00009

# CPC Configuration
    09010f00 08000000
    09010000 80000000

 

Key, hash value and CSF header generation:

  • Generated the public/private RSA key pair using “./gen_keys 1024”.
  • Obtained the hash string of the key pair, to be programmed in SFP, using “./uni_sign --hash <input_uboot_secure path>”.
  • Created CSF headers for the ESBC boot image, uImage, dtb, rootfs and bootscript using “uni_sign”.

     Flashed the images and the corresponding CSF header in the alternate bank of T1024RDB.

 

Fusing OTPMK:

     Switched to the alternate bank using the command “cpld reset altbank”.  Since BOOT_HO is enabled, core enters doze mode.

  • Initial state of the SECMON_HPSR register is 0x88008900.
  • The generated OTPMK is written into the mirror registers (SFP_OTPMKRn) using JTAG.  Now the SECMON_HPSR register value is 0x80008900 and the SFP_SVHESR register value is 0x00000000.
  • The values are then fused by writing in SFP_INGR.

Writing SRKH:

  • The SRKH value is written into the SFP_SRKHRn mirror registers using JTAG.  Then the core is released for booting by writing in DCFG_CCSR_BRR.

 

No console messages appear and the value of SECMON_HPSR is 0x80008b00 (i.e. SSM is in Non-secure state).  Value of DCFG_CCSR_SCRATCHRW2 register is 0x00000000.

Are these steps enough, or have I missed anything?

 

Further assistance to implement secure boot in T1024RDB would be helpful.  Kindly suggest how to debug further.

0 Kudos
2 Replies

597 Views
yipingwang
NXP TechSupport

Hello ARUMUGAM P,

Please use the following PBI commands provided in the rcw package in SDK 2.0. You could use the rcw package provided in the Linux SDK to generate the secure boot RCW, which is more convenient; please refer to the section "2.1.1 Create Secure boot RCW in Linux SDK" in Setting up Secure Boot on PBL Based Platforms in Prototype Stage.

write 0x10000, 0x00200400
write 0x10104, 0xBFF00007
write 0xC10, 0x00000000
write 0xC14, 0xC0000000
write 0xC18, 0x81F0001B
write 0xCF0, 0x00000000
write 0xCF4, 0xBFF00000
write 0xCF8, 0x81000010
write 0xE0200, 0xC0B00000
write 0xE0208, 0xC0C00000
write 0x10000, 0xC0000000
write 0x10100, 0x00000000
write 0x10F00, 0x08000000

In addition, do you use the image signing input file provided in the CST tool in the folder input_files/uni_sign/t1_t2_t4? Would you please provide this file, "input_uboot_nor_secure"?


Have a great day,
Yiping


0 Kudos

597 Views
arumugamp
Contributor I

Hi Yiping,

     Thanks for the quick reply.  I tried the PBI commands you gave, but I am still getting the same problem (i.e. transition to Non-secure state).  Herewith I have attached the input_uboot_nor_secure file that is used for image signing using the CST tool.  In the input_uboot_nor_secure file, I am not able to add T1024 in the PLATFORM field; why so?

     While writing in the SRKH mirror registers, the "mem fe0e823c = 54f39b1f" command is used.  Is this fine for writing the SRKH registers?  I also tried swapping the contents and writing using the "-s" option, but no solution was obtained.  Could you suggest how to proceed further?

Regards,

ARUMUGAM P

0 Kudos
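
Added example (not part of any post above, and not NXP code): a Python comparison of the two PBI write lists quoted in this thread, reporting the CCSR offsets whose writes differ between the QCVS list and the rcw-package list. It assumes the low 24 bits of each raw `09xxxxxx` word are the CCSR offset; the names `parse` and `differences` are chosen here.

```python
import re
from collections import defaultdict

# Quoted from the first post (raw PBI words as entered in QCVS).
POSTED = """09000c10 00000000
09000c14 c0000000
09000c18 81f0001b
09000d00 00000000
09000d04 bff00000
09000d08 81000013
090e0200 c0b00000
090e0208 c0c00000
09010100 00000000
09010104 bff00009
09010f00 08000000
09010000 80000000"""
# Quoted from the reply (rcw package notation).
SUGGESTED = """write 0x10000, 0x00200400
write 0x10104, 0xBFF00007
write 0xC10, 0x00000000
write 0xC14, 0xC0000000
write 0xC18, 0x81F0001B
write 0xCF0, 0x00000000
write 0xCF4, 0xBFF00000
write 0xCF8, 0x81000010
write 0xE0200, 0xC0B00000
write 0xE0208, 0xC0C00000
write 0x10000, 0xC0000000
write 0x10100, 0x00000000
write 0x10F00, 0x08000000"""
FORMS = (r"^([0-9a-f]{8}) ([0-9a-f]{8})$",           # raw: address word, value
         r"^write 0x([0-9a-f]+), 0x([0-9a-f]+)$")    # rcw: offset, value

def parse(text):
    """Map CCSR offset -> list of values in write order, for either notation."""
    writes = defaultdict(list)
    for form in FORMS:
        for addr, value in re.findall(form, text, re.I | re.M):
            # Assumption: low 24 bits of a raw PBI word are the CCSR offset.
            writes[int(addr, 16) & 0xFFFFFF].append(int(value, 16))
    return dict(writes)

def differences(a, b):
    """Offsets whose write sequence differs; None means never written."""
    return {off: (a.get(off), b.get(off))
            for off in sorted(set(a) | set(b)) if a.get(off) != b.get(off)}

if __name__ == "__main__":
    for off, pair in differences(parse(POSTED), parse(SUGGESTED)).items():
        print(f"{off:#08x}", *[v and [f"{x:08x}" for x in v] for v in pair])
```

The comparison covers the write sequence at each offset only, not the ordering of writes across different offsets.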