
bf70x Si rev1.0 how to secure boot SPI Master ? (for mass production)

hello

i would like to know what i need to write in OTP to BLx secure boot a BF706 Si Rev1.0

my application uses a standard flash memory connected to SPI2 and /SPI_SEL2 pin (not the default SS/SEL1 pin)

for normal non secure boot i just need to write 0x20211202 at dBootCmd, and the booting process is ok

here is the CLDP command i use :

cldp -proc ADSP-BF706 -emu 200 -driver "bf707_otp_driver.dxe" -device otp -cmd prog -file otp_spi2_sel2_boot.bin -format bin -offset 0x288 -numbyte 4 -quiet


the binary file contains only the following bytes (LSB first):

  02 12 21 20

for performing the SPI boot process at full speed, i need to write an "initcode" that sets the spi clock register at the right speed.

this acts like a first stage boot. this is a very convenient way for setting the CPU and SPI clock speed, turning on the memory, etc.

for secure booting i have three big problems :

first there is no "initcode" available, therefore i'm not sure how to set the SPI speed for booting at the maximum speed available

Q : is it in the uwClkLower field of the ADI_ROM_BOOT_SPI structure ?

secondly, due to the 19000026 bug we need to boot using the undocumented BCMD_DEVICE mode 7, instead of the SPI device.

in the last anomaly list revision (12-22-2014) i received, this bug was not resolved

the workaround is : use adi_boot_rom(0x40000000,0,0,0,0x207);

Q : but how do i use this information ? do i need to write in OTP 0x207 as dBootCmd and 0x40000000 at pSource ? how do we activate MDMA ?

thirdly i do not know how to lock the part yet using CLDP. i managed to lock the part using the EE366 app note "program OTP", but i do not know what exactly needs to be written in the OTP to perform the locking. once locked i have no means to dump the OTP memory yet, thus i'm kind of blind

Q : i know this lock bit is at OTP offset 0x48C, but what is the actual BYTE value to be written ? are there other registers to be set for activating the secure boot and locking the part ?

i wish to bring to your attention that the flash and OTP programming will be performed in mass production

the steps are the following:

1> flash programming of the secured application using CLDP and the dxe flash driver, via JTAG

2> writing of the SPIM boot commands, the BLx mode keys, using the CLDP and the dxe OTP driver, via JTAG

3> locking the part using CLDP and the dxe OTP driver, via JTAG

in mass production we cannot open CCES and start a debug session for programming the keys and locking the part.

thus we prefer to use a convenient tool like CLDP, that can be made fully automatable

this is an urgent request

thanks for your support

Alban

  • hello

    i managed to secure boot the BF706 si rev1.0 using both methods (BLx security type):
    1> the EE366 secure open part project, the booting method recommended by AD
    2> the "real life" power on boot from OTP, i.e. the standalone secure boot without JTAG emulator.

    for doing so i wrote the key using two methods :
    1> using the EE366 "program-OTP" application, as recommended by AD
    2> with CLDP, like in a real mass production situation.

    in order to make the "secureBoot_OpenPart.c" app work on a BF70x Si Rev1.0 target,
    we need to comment out the following at line 117 :

        /* kernel anomaly workaround */
    //    pBootConfig->pSource+=16;       <-----------  please comment this line out

    (this is an undocumented Bug in Si Rev0.0B)

    test A)
    for the secure boot with JTAG (EE366 app note), i first tried with a completely empty OTP, with no key written in it.
    i use the following spimBootCommand

    uint32_t spimBootCommand = ((ENUM_ROM_BCMD_DEVICE_SPI) |
                                  (0x2 << BITP_ROM_BCMD_SPIM_SPEED)   |
                                  (0x2 << BITP_ROM_BCMD_SPIM_ADDR)    |
                                  (0x1 << BITP_ROM_BCMD_SPIM_BCODE)   |
                                  (ENUM_ROM_BCMD_CHANNEL_1)    |
                                  (ENUM_ROM_BCMD_DEVENUM_2));
            
    adi_rom_Boot(0x00000,BITM_ROM_BFLAG_HOOK,0,&ConfigureForSecureBoot,spimBootCommand);        

    then the kernel booting hook function set up the keys and the memory mapped SPI flash access,
    and the leds start to blink.


    test B)
    i used the following command
    adi_rom_Boot(0x40000000,BITM_ROM_BFLAG_HOOK,0,&ConfigureForSecureBoot,0x00001207);

    and i commented out the line 136
        /* executed after the initial boot kernel configuration is completed */
    //    setupMemoryMappedSPI(pBootConfig);

    this dBootCmd sets up the memory mapped mode by setting the BCMD_DEVICE field to 7.
    i wrote 0x00001207 instead of 0x00000207 because i need to use the spi2 SEL2 pins instead of the SS/SEL1 one.

    test C)
    i wrote the keys into the OTP memory using both the EE366 "program_OTP.c" method and the CLDP method 
    WITHOUT LOCKING THE PART !!!!!!!!  (i commented out the if(!lock_part()){ } statement in program_OTP.c)

    with CLDP :
    cldp -proc ADSP-BF706 -emu ice-2000 -driver "bf707_otp_driver.dxe" -device otp -cmd prog -file encrypt_key.bin -format bin -offset 0x168 -numbyte 16 -quiet
    cldp -proc ADSP-BF706 -emu ice-2000 -driver "bf707_otp_driver.dxe" -device otp -cmd prog -file jtag_key.bin -format bin -offset 0x1C8 -numbyte 16 -quiet
    cldp -proc ADSP-BF706 -emu ice-2000 -driver "bf707_otp_driver.dxe" -device otp -cmd prog -file auth_public_key.bin -format bin -offset 0x200 -numbyte 56 -quiet

    (auth_public_key.bin contains only the public part of the auth_key.bin key pair, starting at offset 0x32 in the binary file)

    then using the following command, i completely bypassed the kernel hook procedure, thus i simulated an almost "real life" booting process :
    adi_rom_Boot(0x40000000,0,0,0,0x00001207);

    there is an important observation : by using the API for secure booting the part, i stated that the SPI clock speed is about 3 MHz
    whether or not i change the BCMD_SPI_SPEED field to 0 or 2 or even 15, the clock speed is always 3 MHz. that's all. don't ask me why.

    test D)
    the part was still unlocked and i wrote the dBootCmd directly into the OTP memory using CLDP.
    for doing so i created a binary file (otp_spi2_sel2_XIP_MMMode_boot.bin) containing the following bytes :
    0x07 0x12 0x00 0x00

    and here is the CLDP command i used :
    cldp -proc ADSP-BF706 -emu ice-2000 -driver "bf707_otp_driver.dxe" -device otp -cmd prog -file otp_spi2_sel2_XIP_MMMode_boot.bin -format bin -offset 0x288 -numbyte 4 -quiet

    then i turned off and on the power and oh surprise ! the leds were blinking !

    but the clock speed is now 562 kHz o_O ? i do not figure out what this 562 kHz clock speed belongs to !!
    i built the "LED_blink" project with both "-bcode = 1" and "-bcode = 6" but the speed stays the same !!

    why the spi differs whether I boot using API or not ? are the debug session reset settings involved ?

    i will end with two questions:

    Q1> how do i set the OTP field for making the part boot in secure mode AT FULL SPEED ?

    Q2> how do i lock the part using CLDP ?

    thanks for your support
    best regards,
    Alban
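
Because OTP writes cannot be undone, a production script can validate every blob before any CLDP call is issued. The following is an added example, not code from the posts or from Analog Devices: the offsets, byte counts, the 0x32 public-key offset and the CLDP flags are copied from the posts above, while the function names are hypothetical and the lock word at 0x48C is left out because its value is not given on this page.

```python
import struct

# OTP layout copied from the CLDP commands in the posts: name -> (offset, numbyte).
# Helper names in this file are illustrative only.
OTP_REGIONS = {
    "encrypt_key": (0x168, 16),
    "jtag_key": (0x1C8, 16),
    "auth_public_key": (0x200, 56),
    "dBootCmd": (0x288, 4),
}
AUTH_PUB_OFFSET = 0x32  # per the post: public part starts here in auth_key.bin

def encode_boot_cmd(value):
    """Pack dBootCmd as the 4-byte, LSB-first file content written to OTP."""
    return struct.pack("<I", value)

def extract_public_key(auth_key_blob):
    """Slice the public part out of an auth_key.bin image."""
    size = OTP_REGIONS["auth_public_key"][1]
    pub = auth_key_blob[AUTH_PUB_OFFSET:AUTH_PUB_OFFSET + size]
    if len(pub) != size:
        raise ValueError("auth_key image too short for the public key")
    return pub

def check_plan(blobs):
    """Return (offset, name, data) writes in address order, or raise."""
    writes = []
    for name, data in blobs.items():
        offset, size = OTP_REGIONS[name]
        if len(data) != size:
            raise ValueError(f"{name}: {len(data)} bytes, expected {size}")
        if name != "dBootCmd" and len(set(data)) == 1:
            raise ValueError(f"{name}: constant bytes, looks like a blank file")
        writes.append((offset, name, data))
    writes.sort()
    for (a_off, a_name, a_data), (b_off, b_name, _) in zip(writes, writes[1:]):
        if a_off + len(a_data) > b_off:
            raise ValueError(f"{a_name} overlaps {b_name}")
    return writes

def cldp_command(name, filename):
    """Build the OTP programming command line in the form used in the posts."""
    offset, size = OTP_REGIONS[name]
    return (f'cldp -proc ADSP-BF706 -emu ice-2000 -driver "bf707_otp_driver.dxe" '
            f"-device otp -cmd prog -file {filename} -format bin "
            f"-offset 0x{offset:X} -numbyte {size} -quiet")
```

Run `check_plan` on the complete set of blobs first and only then emit the commands, so that a wrong-sized or blank key file stops the line before the first irreversible write.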
