What is the purpose of the 'Encryption XIP enable' eFuse?

Question asked by rshipman on Feb 8, 2020
Latest reply on Feb 11, 2020 by Kerry Zhou

If I run a signed UNencrypted xip demo (iled_blinky) on a board with the SRK and BEE_KEYx_SEL fuses burnt, the demo runs fine out of flash as XIP.
This signed UNencrypted xip demo works fine if the 'Encryption XIP enable' eFuse is either set or not set.

If I run the same demo, but as a signed ENCRYPTED xip (using .bd to set up PRDB blocks etc.), the demo also runs fine, but only if the 'Encryption XIP enable' eFuse is set.
(I can verify it is encrypted by using blhost to read back the flash.)

Note that I use SW8-1 DIP switch to override the eFuse setting.


eFuse info here:
Document: i.MX RT1020 Processor Reference Manual, Rev. 1, 12/2018
Section: 8.6.1.1 Serial NOR eFUSE Configuration
Page: 200

Table 8-9. Fuse definition for Serial NOR over FlexSPI
BOOT_CFG1[0], Encrypted XIP

eFuse info also here:
Document: i.MX RT1020 Processor Reference Manual, Rev. 1, 12/2018
Section: 21.1 Boot Fusemap
Page: 1097

Table 21-2. FlexSPI (Serial NOR) boot fusemap
0x450[0] (BOOT_CFG1), EncryptedXIP

My question therefore is, what is the purpose of the eFuse 'Encryption XIP enable'?


Is the purpose of the eFuse simply to turn on the BEE engine?
If the BEE engine is turned on, apps without PRDB blocks set up can still run as unencrypted xip?
So the fuse does not prevent unencrypted xip apps?

If this is all true, why not have the BEE running all the time, and not bother with the eFuse?
I'm sure there must be a good reason to have this eFuse. So what am I missing here?
Is it a power consumption thing?

Many thanks for your help.
