I'm currently working with the T2080RDB-PC reference board and I'm trying to test the secure boot. I've generated the headers and signatures with the NXP Code Signing Tool. I've flashed the images to the alternate bank of the NOR flash. Now I'm not sure how to handle the OTPMK and SRK, I would like to avoid permanently fusing anything if I can. The SFP is already in Non-Secure mode after reset before I can write the OTPMK and SRK. If I could just have a clear procedure of what to do with the keys just for testing the secure boot, that would be a great help.
Thank you for your time
Hello Andrew Banda,
Please refer to the procedure in the document https://community.nxp.com/docs/DOC-332248 to set up secure boot on PBL based platforms in Prototype Stage.
1. Please create secure boot RCW with "rcw" package provided in SDK to configure "BOOT_HO" as "1".
2. Please use Code Signing Tool to generate RSA public and private keys, OTPMK keys with hamming code inserted. Generate CSF header for u-boot image, and sign uImage, dtb, rootfs and boot script with RSA private keys.
3. Blow OTPMK keys to fuse array from CCS, please refer to T2080 Reference Manual for OTPMK registers address.
Setup u-boot in Bank0, deploy secure boot images to Bank4, switch to Bank4, use CCS to connect to the target board to
write SRKH, please refer to the section “10.3.1.14 Appendix P3/P4/P5/T1_T2_T4 Secure Boot demo” in https://www.nxp.com/docs/en/supporting-information/QORIQ-SDK-2.0-IC-REV0.pdf?fsrch=1&sr=3&pageNum=1 for details.
4. Boot up secure boot, if no print on UART console, please refer to the section "10.3.3.14 Troubleshooting" in SDK document.
Thank you for help Yiping,
I've followed the steps of the SDK 2.0, I've flashed the images and I've burned the OTPMK and SRK Hash. The keys don't seem to have any errors. When I try the secure boot it doesn't work, SecMon is stuck in Non-Secure Mode
0xfe314014 = 0x8000ab00, SCRATCHRW1 = 0xc0b00000, SCRATCHRW2 = 00000101 (ERROR_STATE_NOT_CHECK) and SCRATCHRW3 = 0xc0c00000. I'm not sure where the error can be coming from, your advice would be appreciated.