Post Go back to editing

Secure JTAG

Category: Hardware
Product Number: SC589
Software Version: cces 2.8.3

Hi,

Is it possible to program just a secure key for the JTAG or does enabling secure jtag also mandate that a secure boot stream is required ?

I've tried to experiment with an old board with the code based on the Program_OTP util in the EE-366 notes, but after programming the key & then reading it back to verify, it always comes back as zeros. It seems to program fine and I can see the key being programmed is valid.


/* call the api */
if(!adi_rom_otp_pgm(&data)) { return false; }

/* verify the data was written */
return VALIDATE(secure_emu_key);

where

#define VALIDATE(otpkey) validate_pgm(otpcmd_##otpkey,*key,ROM_OTP_SZ_##otpkey)

I've read that the OTP regions is memory mapped, I eventually found the address in an apt file as 

 
{ 0x24000000u, 0x240FFFFFu, ADI_MMU_RW_UNCACHED }, /* 1MB OTP Space */

but I can't view that address in a cces memory window - should I be able to ?

Is there any documentation about how to use cldp to program the OTP ? 

Parents
  • Hi Rob,

    Is it possible to program just a secure key for the JTAG or does enabling secure jtag also mandate that a secure boot stream is required ?
    >> Secure booting is considered as whole.

    Please note, from 0x202BFFFF to 0x28240000 is reserved memory space. Since you are trying to read data from the RESERVED Memory location, it is not accessible.

    Also, please refer "Figure 5. ADSP-SC58x/ADSP-2158x Memory Map" in the below linked datasheet of ADSP-SC58x/ADSP-2158x.
    www.analog.com/.../ADSP-SC582_583_584_587_589_ADSP-21583_584_587.pdf

    Is there any documentation about how to use cldp to program the OTP ?
    >> Please refer in below CCES help:
    CrossCore® Embedded Studio 2.11.0 > Integrated Development Environment > Working with Bootable and Non-bootable Files > Device Programmer > Device Programmer Command Line > Device Programmer Command-Line Switches


    Please note that once the part is locked, it can only be accessed via JTAG with the emulation key.

    Regards
    Divya.P

Reply
  • Hi Rob,

    Is it possible to program just a secure key for the JTAG or does enabling secure jtag also mandate that a secure boot stream is required ?
    >> Secure booting is considered as whole.

    Please note, from 0x202BFFFF to 0x28240000 is reserved memory space. Since you are trying to read data from the RESERVED Memory location, it is not accessible.

    Also, please refer "Figure 5. ADSP-SC58x/ADSP-2158x Memory Map" in the below linked datasheet of ADSP-SC58x/ADSP-2158x.
    www.analog.com/.../ADSP-SC582_583_584_587_589_ADSP-21583_584_587.pdf

    Is there any documentation about how to use cldp to program the OTP ?
    >> Please refer in below CCES help:
    CrossCore® Embedded Studio 2.11.0 > Integrated Development Environment > Working with Bootable and Non-bootable Files > Device Programmer > Device Programmer Command Line > Device Programmer Command-Line Switches


    Please note that once the part is locked, it can only be accessed via JTAG with the emulation key.

    Regards
    Divya.P

Children
  • Hi Divya,

    Thanks for your response.

    The datasheet only mentioned OTP once..

    One Time Programmable Memory (OTP) The processors feature 7 kB of one time programmable (OTP) memory which is memory-map accessible. This memory contains space for programmable unique keys and supports secure boot and secure operation. 

    But doesn't mention it in the memory map, hence my question.

    Any ideas why the EE note example code doesn't seem to work on an SC589 ? That's my main concern at the moment as I'm unable to proceed in my evaluation of security options. 

    Thanks

    Rob

  • Hi Rob,
     
    Can you please provide more information on below points to assist you better on this.
    1.Can you provide more insight into what exactly you are trying to do? Please confirm whether you are facing any issue in Secure Booting?
    2.Please mention the example code you are referring from EE-366 notes, whether "Program_OTP" or "SecureBoot_OpenPart"
    3.Can you confirm whether you have modified default application available in EE-366.
    4.Please confirm whether you have checked your application using "SecureBoot_OpenPart" example before checking into "Program_OTP" example. This will help us to ensure that your application is working properly before writing into OTP memory.
    5.Did you faced any error while running the Program_OTP application, if so please send the screenshot of the register setting  "OTPC_STAT" or "OTPC_PMC_STAT" register
    6.Also, ensure whether you have Comment out the call to the lock_part(),during initial stage.
    7.Did you locked the part.

    Could you please refer the hardware reference manual for ADSP-SC58x, which explains the OTP layout in detail:
    https://www.analog.com/media/en/dsp-documentation/processor-manuals/SC58x-2158x-hrm.pdf


    Regards,
    Divya.P
  • Hi Divya, 

    I'm using the Program_OTP project from here 

    http://www.analog.com/media/en/technical-documentation/application-notes/EE-366.zip

    Here are the steps I followed..

    1) imported the keygen & Program_OTP projects into cces (2.8.3)

    2) Delete all the pre-build artefacts in the keygen project & build project to create new keys

    3) Fix out of date python scripts to work with Python 3

     bin2inc.py : 

         Bytes.append(ord(b))  >> Bytes.append(b)
         if args.mode is 'c': >> if args.mode == 'c':

    genRandKey.py

     print "File %s exists, will not overwrite" % f >> print ("File %s exists, will not overwrite" , f)

    Makefile
       PYTHON: - change to path to Pythong 3.10

    4) Build keygen project to generate a new set of keys

    5) There are no example projects for the SC589, so I created a new cces project Program_OTP_Sharc (for Cores 0 & 1)
        - remove addins from Core0 & 1 projects except heap add in for core 0 

        - delete Program_OTP_Sharc_Core1.h & .c auto generated files

        - add new linked file to the Core 1 project (PROJECT_LOC/../Program_OTP/src/Program_OTP.c)

        - add include path to C++ preprocessor settings ("${workspace_loc:/keygen}")

        - enable call to setupBlp() in main() and comment out all references to lock_part() 

              - one in setupBlp()

              - one in main()

        - Set custom linker script for Core0 project to run from L2

              C:\Analog Devices\CrossCore Embedded Studio 2.9.3\ARM\arm-none-eabi\arm-none-eabi\lib\ldscripts\adsp-sc589-l2.ld

      - Add while(1); to end of arm main()

      - configure heap to 4KB. Configure all stacks to 1KB so that project fits in L2

    6) Setup launch config for Core 0 & 1 projects (using standard EzKit preloads)

    7) Set custom board to No Boot mode

    8) Launch debug project, continue the ARM core and start stepping through code in sharc core 1

        - Step into SetupBlp

             - Step into program_authentication_key()

                    run to line in the disas windows to step over adi_rom_otp_pgm - note that R0=1 (success)

                    run to line to step over validate_pgm - note R0 = 0 (fail) 

                    continue and observe output...

    Programming auth key:
    Qx: a2 6a ff 68 f8 d0 ab c0 03 03 f9 98 60 b1 7d 02 89 be b1 a3 9a 26 a0 d4 18 de 9c 08
    Qy: 5e 2d ba 86 50 56 89 3b 2b c8 25 71 f1 1b 04 4b 05 d5 41 3d 84 bf 09 c9 0e 1e b7 df

    failed to program authentication key
    Reading auth key:
    Qx: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Qy: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    I've tried this on several boards. I know the boards haven't been locked, because I accidentally locked one (forgot to comment out lock_part() and the behaviour is different for a locked part - the adi_rom_opt_pgm call fails if the part has been locked.

    To confirm, I haven't got as far as generating a secure boot image yet, I was just trying to verify the process of securing a processor. 

    Kind Regards

    Rob

  • Hi Rob,

    We have OTP program example for ADSP-SC589 from EE366v02 notes. Also, we suspect you may face error when trying to import the ADSP-SC589 Program_OTP in CCES.

    Please note that, Typically a project will use a number of relative paths in its configuration that may become invalid once the project has been moved. These are files that do not exist within the directory structure of the project, and are instead linked into the project from relative paths

    In order to recover the "file not found error", use the linked resources path, please follow the below steps.

    1. Open project properties > Resources > Linked Resources
    2. Select the "Linked Resources" tab which is next to Path Variables.
    3. Select the to be changed to relative location under 'Resource name' and click 'Edit'.
    4. Select the source file/folder to be link and click OK.

    Please find the attached screenshot for reference.OTP.zip

    Could you please try to use the default key available in Keygen project without creating new keys and let us know whether you are able to read the authentication key properly.  And confirm whether the issue occurs only in generating new key's. Please share us the screenshot of the console.

    If still facing issue in example project, can you please share us your modified project along with keys you have used.

    Regards,
    Divya.P

  • Hi Divya,

    I didn't have that issue with the missing linked file because I re-generated the projects from scratch for the SC589 (the example project was for a blackfin and I couldn't change the target family type). 

    You state "We have OTP program example for ADSP-SC589 from EE366v02 notes."

    but I don't see an example for the 589 in EE366v02.zip ? 

    I still get a programming / verification error ..

    Programming auth key:
    Qx: a2 6a ff 68 f8 d0 ab c0 03 03 f9 98 60 b1 7d 02 89 be b1 a3 9a 26 a0 d4 18 de 9c 08
    Qy: 5e 2d ba 86 50 56 89 3b 2b c8 25 71 f1 1b 04 4b 05 d5 41 3d 84 bf 09 c9 0e 1e b7 df

    failed to program authentication key
    Reading auth key:
    Qx: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Qy: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    I then tried replacing all the bin, xml and h files in the keygen folder with the original ones provided in the zip and I get the same result.

    Programming auth key:
    Qx: 0e 6d 81 c4 ed ba 49 85 2a 9f 0f 3f 74 06 be aa 90 6b 78 52 02 5e b2 64 9d ef c0 c7
    Qy: 81 11 33 ca 87 ed 11 33 29 b8 76 10 29 10 f0 3f ce a7 32 23 57 0b ba a1 ba 2b c0 03

    failed to program authentication key
    Reading auth key:
    Qx: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Qy: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    Perhaps I'm missing some setup ? Do I need any of this stuff from adi_initComponents() ? 


    #ifdef __ADI_USE_UTILITY_ROM /* check if Utility ROM support is enabled */

    #ifndef NO_UTILITY_ROM_LIBDRV
    /* Drivers initialization for the parts that have a Utility ROM. */
    if (result == 0) {
    static uint8_t bfrom_memory[ADI_BF70X_RAM_SIZE_FOR_ROM_CODE];

    result = adi_init_drv_Rom(bfrom_memory, (uint32_t) ADI_BF70X_RAM_SIZE_FOR_ROM_CODE);
    }

    #endif /* NO_UTILITY_ROM_LIBDRV */

    #endif /* __ADI_USE_UTILITY_ROM */

    Arm & Core1 Projects attached...

    SecureJTAG.zip

  • Hi Rob,

    Please find the attached OTP program example with the source file "Program_OTP.c" project.
    0207.OTP.zip
    We also recommend upgrading to the latest CCES version 2.11.1. You can use the below link to download latest version of  CCES 2.11.1:
    download.analog.com/.../ADI_CrossCoreEmbeddedStudio-Rel2.11.1.exe

    Could you please try to run the attached project in latest cces version 2.11.1 and let us know how to get on.

    Regards
    Divya.P

  • Hi Divja,

    I wasn't able to successfully load the example you provided, it never hits main() of the ARM executable. Should I be using this with the following preload ? 

    C:\Analog Devices\CrossCore Embedded Studio 2.11.1\SHARC\ldr\ezkitSC589_preload_core0_v01

    I've also tried using our custom preload app which I know initialises DDR correctly on our boards but get the same result....

    Error in launch sequence
    [TpsdkServer] Failed to load file: D:\SecureJTAG\0207_OTP\OTP\examples\Program_OTP\Project\SC589\Program_OTP_Core0\Debug\Program_OTP_Core0 [Error: Failed to connect to target., Code=0x80047344]

    And also 
    Loading application: "D:\Sharc\zpu_preload_Core0\Release\zpu_preload_Core0"
    Load complete.
    Loading application: "D:\SecureJTAG\0207_OTP\OTP\examples\Program_OTP\Project\SC589\Program_OTP_Core0\Debug\Program_OTP_Core0"
    Error loading section ".text" to target.

    and yet, using the same custom preload is fine when trying to load other applications into the ARM core (also built into DDR)

    After looking at the output map file from the Program_OTP_Core0 ARM project, I realised it was trying to deploy to non-existent DDR memory (0xC.....) so switched to linking the Program_OTP_Core0 project with the LD file for our board and now the load completes but the A5 core is stuck at "Running : User Request" and if I try & halt it, I get 

    Failed to remove automatic breakpoint. Error writing opcode at address: 0x8200d4b0.
    Failed to remove automatic breakpoint. Error writing opcode at address: 0x8200a8dc.
    Failed to remove automatic breakpoint. Error writing opcode at address: 0x82008536.
    Failed to remove automatic breakpoint. Error writing opcode at address: 0x8200901e.

    and the ICE-1000 takes a good 30 seconds or so to disconnect & go green after stopping cces.

    The ARM memory is quite constricted in our map file so not sure if it's trying to allocate a large heap or something ?


    /* #### ARM L3 Memory ################################################## */

    /* ARM CORE 0 L3, DMC0 */
    MEM_L3 : ORIGIN = 0x82000000, LENGTH = 12M
    MEM_L3_UNCACHED : ORIGIN = 0x82C00000, LENGTH = 4M

    I tried adding the Heap and Stack add in and limited all the heap & stacks to 4KB but it still does the same.

  • ok, I got a bit further by adding in our version of apt-sc589.c which makes the above DDR regions useable ...

    Loading application: "D:\Neural\SecureJTAG\0207_OTP\OTP\examples\Program_OTP\Project\SC589\Program_OTP_Core0\Debug\Program_OTP_Core0"
    Load complete.
    Programming auth key:
    Qx: 0e 6d 81 c4 ed ba 49 85 2a 9f 0f 3f 74 06 be aa 90 6b 78 52 02 5e b2 64 9d ef c0 c7
    Qy: 81 11 33 ca 87 ed 11 33 29 b8 76 10 29 10 f0 3f ce a7 32 23 57 0b ba a1 ba 2b c0 03


    A non-recoverable error or exception has occurred.
    Description: Data Fault Exception - caused by attempting to access invalid data memory.
    General Type: RunTimeError
    Specific Type: ExceptAbrtData
    Error Message: If this is a synchronous fault, address 0x240002c0 held in Data Fault Address Register (DFAR) is the problem address.
    Error PC: 0x00003bc0

    That seems to occur somewhere in the call to adi_rom_otp_pgm

  • OK, I got a bit further still by adding the region definition for the OTP to the apt file which I guess answers my question about where it gets memory mapped..

    { 0x24000000u, 0x24001FFFu, ADI_MMU_RW_DEVICE           }, /* 8KB OTP space */

    I found that in C:\Analog Devices\CrossCore Embedded Studio 2.11.1\ARM\arm-none-eabi\arm-none-eabi\lib\src\cortex-a5\crt\apt-sc589.c

    Now it no longer generates an exception, but gets me back to the original issue

    Programming auth key:
    Qx: 0e 6d 81 c4 ed ba 49 85 2a 9f 0f 3f 74 06 be aa 90 6b 78 52 02 5e b2 64 9d ef c0 c7
    Qy: 81 11 33 ca 87 ed 11 33 29 b8 76 10 29 10 f0 3f ce a7 32 23 57 0b ba a1 ba 2b c0 03

    failed to program authentication key. If you can email me, I can provide the project I'm using now.

  • Hi Rob,

    Could you please confirm whether you are still receiving the 0 values in Reading auth key or  getting random values.
    Also, Could you please share us the project to "processor.support@analog.com" email address.

    Regards,
    Divya.P