Secure Booting - Using Secure Boot_Open Part Directory

Category: Hardware
Product Number: ADSP-21569
Software Version: CrossCore Embedded Studio 2.10.0

Hi,

I am using an ADSP-21569 REV B board. We will be able to do the secure boot process using adi_rom_Boot() as per the hardware reference manual. The EE-336 document describes the procedure for secure boot using the secureBoot_OpenPart directory for the ADSP-SC58x processor. Shall I follow the same configuration procedure for the ADSP-21569 processor, i.e. is the secure boot configuration the same for both processors? Is there any other way to implement secure booting on the ADSP-21569 processor without using the OTP programmer (without writing any keys into the OTP memory)?

  • Hi Monika,
     
    Please refer to application note EE-366, "Secure Booting Guide for Blackfin+® and SHARC+® Processors", at the link below. It applies to the ADSP-2156x. Although it's not ADSP-2156x specific, the same concepts apply.
     
    The associated reference example code can be downloaded from the link below.
    https://www.analog.com/media/en/technical-documentation/application-notes/EE366v02.zip
     
    Also, please refer to the following EZ post, which describes the main differences/additions between the two series:
    Additionally, please refer to the below Ezone thread, which might be helpful for you.

    Regarding "Is there any other way to implement the secure booting in ADSP-21569 Processor without using OTP programmer (without writing any keys into the OTP memory)?"
    >>>> Please refer to the "secureBoot_OpenPart" example in the EE-366 reference code. This is an example project that can securely boot a loader stream from SPI2 flash memory using keys generated by keygen without writing any OTP memory.

    Regards,

    Divya.P

  • Hi,

    I have created a new project which is linked with the secureboot_openpart.c file for the ADSP-21569 processor. In the secureboot_openpart.c file I made a change in this line:

    pBootConfig->pDmaBaseRegister =(ADI_DMA_TypeDef *) pADI_DMA9;

    instead of     pBootConfig->pDmaBaseRegister = pADI_MDMA0_DST;     which is for the ADSP-SC58x processor. The remaining configurations are the same.

    Then I loaded the plaintext format (BLp) boot stream (blp_bootstream.bin) into the memory of the ADSP-21569 board. After that, secureboot_openpart.c was loaded and executed using the emulator. But the application is not working and halts somewhere. While debugging the secureboot_openpart.c code, the application halts after the configureBlp(pBootConfig); call. May I know whether there are any other relevant changes or configurations I have to take care of to make the application work with secureBoot_OpenPart on the ADSP-21569 processor? What is the reason the application halts?

  • Hi Monika,

    To assist you better on this, please provide your comments on the points below.

    1. Before doing secure booting, please confirm whether you are able to do normal booting without failure.
    2. "The boot kernel requires 8k of SRAM for the stack and buffers. This space is reserved until after the boot process is complete, and the boot kernel will flag an exception if this rule is violated". This is done in the following code snippet. Please add this code after adi_initComponents();

        *pREG_SHL1C0_CFG2 |= 0xF00;
        *pREG_SHL1C0_RANGE_START4 = 0x200FE000;
        *pREG_SHL1C0_RANGE_END4 = 0x200FFFFF;

        asm("#include <sys/def215xx_core.h>");
        asm("IRPTL = 0;");
        asm("MMASK = BITM_REGF_MMASK_BR8 | BITM_REGF_MMASK_BR0 | BITM_REGF_MMASK_IRPTEN | BITM_REGF_MMASK_ALUSAT | BITM_REGF_MMASK_TRUNCATE | BITM_REGF_MMASK_PEYEN | BITM_REGF_MMASK_BDCST9 | BITM_REGF_MMASK_BDCST1;");
        asm("IMASK = BITM_REGF_IMASK_EMUI | BITM_REGF_IMASK_RSTI | BITM_REGF_IMASK_PARI | BITM_REGF_IMASK_ILOPI | BITM_REGF_IMASK_CB7I | BITM_REGF_IMASK_IICDI | BITM_REGF_IMASK_SOVFI | BITM_REGF_IMASK_ILADI; nop;");
        asm("B7 = 0x200FF400;\
             I7 = ((0x200FF400 + 0xc00 - 1) - ((0x200FF400 + 0xc00 - 1) % 4));\
             L7 = ((0xc00 - ((0x200FF400 + 0xc00 - 1) % 4)) / 4);\
             B6 = B7;\
             I6 = I7;\
             L6 = L7;");
    3. Can you please let us know whether you are configuring the secure registers in your application? If yes, we would also suggest that you verify whether the secure registers are configured correctly. The list of secure register IDs is given on Pg. No : (1472) in the Hardware Reference Manual. The HRM can be downloaded from the link below.
    www.analog.com/.../adsp-2156x_hwr.pdf

    Regards,
    Divya.P
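
The address arithmetic in the snippet above can be checked on a host PC before touching the target. This is an added example, not code from EE-366 or from the posts: it takes the window and stack values from the snippet, and the `sample_blocks` ranges are constructed placeholders, not the ADSP-21569 memory map.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values copied from the snippet in the post above. */
#define RESERVED_START 0x200FE000u /* written to REG_SHL1C0_RANGE_START4 */
#define RESERVED_END   0x200FFFFFu /* written to REG_SHL1C0_RANGE_END4 (inclusive) */
#define STACK_BASE     0x200FF400u /* loaded into B7 */
#define STACK_LEN      0xC00u      /* bytes */

typedef struct { const char *name; uint32_t start, end; } range_t; /* end is inclusive */

uint32_t range_size(uint32_t start, uint32_t end) { return end - start + 1u; }

/* True when two inclusive ranges share at least one address. */
int overlaps(uint32_t a0, uint32_t a1, uint32_t b0, uint32_t b1) {
    return a0 <= b1 && b0 <= a1;
}

/* I7 as the snippet computes it: last stack byte rounded down to a multiple of 4. */
uint32_t stack_i7(uint32_t base, uint32_t len) {
    uint32_t last = base + len - 1u;
    return last - (last % 4u);
}

/* L7 as the snippet computes it. */
uint32_t stack_l7(uint32_t base, uint32_t len) {
    return (len - ((base + len - 1u) % 4u)) / 4u;
}

/* Constructed sample ranges (hypothetical, not the ADSP-21569 memory map). */
static const range_t sample_blocks[] = {
    { "code", 0x20040000u, 0x20047FFFu },
    { "data", 0x200C0000u, 0x200C3FFFu },
    { "heap", 0x200FC000u, 0x200FE0FFu }, /* runs 0x100 bytes into the window */
};

/* Count and report the ranges that intrude on the reserved window. */
size_t count_conflicts(const range_t *r, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (overlaps(r[i].start, r[i].end, RESERVED_START, RESERVED_END)) {
            printf("CONFLICT %s 0x%08lX-0x%08lX\n", r[i].name,
                   (unsigned long)r[i].start, (unsigned long)r[i].end);
            hits++;
        }
    return hits;
}

int main(void) { return count_conflicts(sample_blocks, 3) ? 1 : 0; }
```

With the snippet's values the window is exactly 8 KB, and the stack it sets up occupies the top 0xC00 bytes of that window, ending at 0x200FFFFF.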

  • Hi,

    1. Normal booting was working perfectly.

    2. Do I have to add the below code snippet in "main application.c" or in the "secure Boot_open part .c" file? Because, by default, the main application will take care of the 8 KB memory for the booting process.

        *pREG_SHL1C0_CFG2 |= 0xF00;
        *pREG_SHL1C0_RANGE_START4 = 0x200FE000;
        *pREG_SHL1C0_RANGE_END4 = 0x200FFFFF;

        asm("#include <sys/def215xx_core.h>");
        asm("IRPTL = 0;");
        asm("MMASK = BITM_REGF_MMASK_BR8 | BITM_REGF_MMASK_BR0 | BITM_REGF_MMASK_IRPTEN | BITM_REGF_MMASK_ALUSAT | BITM_REGF_MMASK_TRUNCATE | BITM_REGF_MMASK_PEYEN | BITM_REGF_MMASK_BDCST9 | BITM_REGF_MMASK_BDCST1;");
        asm("IMASK = BITM_REGF_IMASK_EMUI | BITM_REGF_IMASK_RSTI | BITM_REGF_IMASK_PARI | BITM_REGF_IMASK_ILOPI | BITM_REGF_IMASK_CB7I | BITM_REGF_IMASK_IICDI | BITM_REGF_IMASK_SOVFI | BITM_REGF_IMASK_ILADI; nop;");
        asm("B7 = 0x200FF400;\
             I7 = ((0x200FF400 + 0xc00 - 1) - ((0x200FF400 + 0xc00 - 1) % 4));\
             L7 = ((0xc00 - ((0x200FF400 + 0xc00 - 1) % 4)) / 4);\
             B6 = B7;\
             I6 = I7;\
             L6 = L7;");

    3. The configuration of the secure registers in SPU_init(); is usually done according to user requirements (i.e., secure / non-secure transactions between peripherals). In my application it is configured correctly. Is this configuration related to the secure boot process?

  • Hi Monika,

    Regarding "Question 2"
    >>>> Please add this code snippet in the "secure Boot_open part .c" file after adi_initComponents();

    Regarding "Question 3"
    >>>> No, it's not only related to secure booting. The system protection unit (SPU) provides write-protection against MMRs peripherals and its own write-protect registers. If a write attempt is made to any locked MMR peripheral the SPU has write protected, it blocks the write. The SPU generates a bus error to the master that attempted the write. So, only the peripherals which are used in your application need to be configured for the secure privileges in the SPU_SECUREP(n) registers. For SPI master booting, MDMA0 needs to be enabled in the SPU registers.

    Regards,
    Divya.P

  • Hi,

    After adding the snippet as you described, the application is not working; it halts after the

    adi_rom_Boot((void*)&address,BITM_ROM_BFLAG_HOOK,0,&ConfigureForSecureBoot,spimBootCommand);    call. I am not able to proceed any further.

    Could you please tell me the next procedure to achieve secure boot on the ADSP-21569?

  • Hi Monika,

    Regarding "adi_rom_Boot((void*)&address,BITM_ROM_BFLAG_HOOK,0,&ConfigureForSecureBoot,spimBootCommand);"
    >>>> We understand that you are using the same code which is available in the EE-366 application note. So, you can pass the "SPIADDR" value instead of giving &address in the ROM API. Please note that SPI master secure boot is only supported in memory-mapped mode. If you are configuring SPI2 (the SPI instance that operates in memory-mapped mode) in ROM_BCMD_SPIM_DEVENUM, then set the ROM_BCMD_SPIM_DEVICE field in the SPI master boot command parameter to 0x7 as an argument in the ROM API call.
    Also, please add the code for the SRAM for the stack and buffers and the secure registers after adi_initComponents();, which we shared in the previous iteration.

    Also, please follow the steps below and let us know the response.

    1. Create a loader file for your application.
    2. Create your keys using the Keygen project.
    3. Create the encrypted loader file and flash it using CLDP commands. Please refer to the encrypted loader file generation command below for your reference.
    "C:\Analog Devices\CrossCore Embedded Studio 2.11.0\signtool.exe" sign -type BLp -attribute 0x80000003=224 -prikey "path for keypair.bin file" -infile "path for normal ldr file" -outfile "give path, where you want to create secure ldr"

    You need to give the attribute value to perform authentication using the ECDSA-224 or 256 algorithms. To know about this, please refer to "Secure Boot Image Attributes" in the HRM.
    www.analog.com/.../adsp-2156x_hwr.pdf

    4. Then we can verify the encrypted information using the Secure_Openpart example. Before running this code, please replace the secure boot public key with the one from the Keygen project, since you are using the BLp format.

    Regards,
    Divya.P

  • Hi Divya,

    I have followed the above instructions. It is working fine for the plaintext format (BLp) and the keyless format (BLx).

    But for the wrapper format (BLw) it is not working. The steps which I followed to do secure boot in BLw format are given below:

    1. Creating a loader file:

    signtool sign -type BLw -attribute 0x80000003=224 -prikey keypair.bin -enckey encrypt_key.bin -wrapkey wrapper_key.bin -infile LEDBlink.ldr -outfile BLw_at_LED.ldr

    2. Flashing command:

    cldp.exe -proc ADSP-21569 -emu 1000 -driver F:\EV-2156x_EZ-KIT-Rel1.0.1\EV-2156x_EZ-KIT\Examples\Device_Programmer\Legacy_SPI\is25lp512m_dpia_2156x\is25lp512m_dpia_2156x.dxe -cmd prog -erase all -format bin -file BLw_at_LED.ldr -cmd compare -format bin -file BLw_at_LED.ldr

    3. Update the keys again in the header.

    4. Debug/run Secureboot_openpart.c.
