AnsweredAssumed Answered

T1024RDB NOR secure boot failure

Question asked by ARUMUGAM P on Oct 12, 2016
Latest reply on Oct 14, 2016 by ARUMUGAM P


      I have tried NOR secure boot in T1024RDB, but it goes to non-secure state which is detected from SECMON_HPSR register.  Below are the steps followed,


PBL binary generation using QCVS tool:

  • RCW values of T1024RDB retained, but with bits 201 & 202(BOOT_HO & SB_EN) set to 1.
  • Below PBI commands are added in the binary image using QCVS,


    09000c10 00000000

    09000c14 c0000000

    09000c18 81f0001b


   09000d00 00000000

    09000d04 bff00000

    09000d08 81000013

# Scratch Registers

    090e0200 c0b00000

    090e0208 c0c00000


    09010100 00000000

    09010104 bff00009

# CPC Configuration

    09010f00 08000000

    09010000 80000000


Key, hash value and CSF header generation:

  • Generated the public/private RSA key pair using “./gen_keys 1024
  • Obtained the hash string of the key pair, to be programmed in SFP using “./uni_sign –hash <input_uboot_secure path>”.
  • Created CSF header for ESBC boot image, uImage, dtb, rootfs and bootscript using “uni_sign”.

     Flashed the images and the corresponding CSF header in the alternate bank of T1024RDB.


Fusing OTPMK:

     Switched to the alternate bank using the command “cpld reset altbank”.  Since BOOT_HO is enabled, core enters doze mode.

  • Initial state of the SECMON_HPSR register is 0x88008900.
  • Generated OTPMK is written into mirror registers(SFP_OTPMKRn) using JTAG.  Now SECMON_HPSR register value is 0x80008900 and SFP_SVHESR register value is 0x00000000.
  • The values are then fused by writing in SFP_INGR

Writing SRKH:

  • SRKH value is written into SFP_SRKHRn mirror registers using JTAG.  Then core is released for booting by writing in DCFG_CCSR_BRR


No console messages appear and the value of SECMON_HPSR is 0x80008b00 (i.e. SSM is in Non-secure state).  Value of DCFG_CCSR_SCRATCHRW2 register is 0x00000000.


Are these steps enough or I have missed anything?


Further assistance to implement secure boot in T1024RDB would be helpful.  Kindly suggest how to debug further?