Home Forums Software discussion Testing Trusted Boot on SPINOR, efuse

This topic contains 1 reply, has 2 voices, and was last updated by  abstractEffort 6 months, 2 weeks ago.

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • #1465

    ezaluzec
    Participant

    I am testing secure boot(trusted boot) on my 2GB EspressoBIN, using the armada-17.10 versions of u-boot, a3700utils, and atf-marvell.
    Following the trusted_boot.txt document, I successfully built an untrusted and trusted flash.bin and a u-boot.bin with mvebu efuse enabled.

    I was able to boot the board with the untrusted boot image and ran the efuse write commands. My board had a loss of power before I burned the trusted boot image using bubt. Now that I have set ‘efuse write BOOT_DEVICE’, mentioned in the trusted_boot.txt doc, I am unable to boot from SATA or SPI to burn the trusted boot image. I am unable to boot anything. Switching the jumper pins has no effect.

    Is there any alternative options to burn SPINOR with my trusted boot image? I need to burn the SPINOR with my trusted boot image.
    https://github.com/MarvellEmbeddedProcessors/u-boot-marvell/blob/u-boot-2017.03-armada-17.10/doc/mvebu/trusted_boot.txt#L261

    For future reference,
    Is there a method, supported by u-boot-2017.03-armada-17.10, to test trusted boot without efusing my hardware permanently?

    Is the ‘efuse write BOOT_DEVICE <device_type>’ command required before burning trusted image?

    Marvell>> efuse write ENCRYPTION 10
    Returned EFUSE value after write:
    ENCRYPTION      10
    
    Marvell>> efuse write AES256_KEY 
    Returned EFUSE value after write:
    AES256_KEY      
    
    Marvell>> efuse write BOOT_DEVICE SPINOR
    Returned EFUSE value after write:
    BOOT_DEVICE     SPINOR (1)
    
    Marvell>> efuse write KAK_DIGEST 
    Returned EFUSE value after write:
    KAK_DIGEST      
    
    Marvell>> efuse write CSK_INDEX 3
    Returned EFUSE value after write:
    CSK_INDEX       3
    
    Marvell>> efuse write OPER_MODE 2
    Returned EFUSE value after write:
    OPER_MODE       2
    
    Marvell>> efuse DEV_DEPLOY 0
    0 - Invalid eFuse ID
    efuse - efuse - read/Write SoC eFuse entries
    
    Usage:
    efuse
    Access to SoC eFuse entry values
            list         - Display all supported eFuse entry ids
            dump         - Dump all supported eFuse entries
            raw          - Dump all eFuses in raw format
            read id      - Read eFuse entry "id"
            write id val - Write "val" to eFuse entry "id"
    
    Marvell>> efuse write DEV_DEPLOY 0
    efuse_write: Invalid value 0, expected 1
    DEV_DEPLOY      === ERROR WRITING EFUSE VALUE ===
    Marvell>> efuse write DEV_DEPLOY 1
    Returned EFUSE value after write:
    DEV_DEPLOY      DEPLOYED (1)

    Any information would be helpful!
    Thank you.

    #1749

    abstractEffort
    Participant

    Hi ezaluzec,

    did you succeed with installing a trusted/encrypted U-Boot?

    I am having nearly the same problems. Especially a progam/tool for testing the encrypted U-Boot before burning fuses would be very helpful.
    Did you find anything?

    Also I have another question: Do I need the final “efuse write DEV_DEPLOY 1” at the end or can I skip it and use “bubt flash-image.bin …” without it(after burning efuses like described).

    Thanks!

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

Signup to our newsletter

Technical specification tables can not be displayed on mobile. Please view on desktop