Espressobin - using trusted/secure U-Boot

[abstractEffort]

Hi,

 

I am currently trying to install a secure /trusted U-Boot into the EspressoBin and got several questions for this issue.

 

I followed this manual:

https://github.com/MarvellEmbeddedProcessors/u-boot-marvell/blob/u-boot-2017.03-armada-17.10/doc/mvebu/trusted_boot.txt

Regarding this manual the Flag for "efuse write BOOT_DEVICE SPINOR "has to be setup into NOR-Flash, so that the device will only boot from NOR anymore (which is a reason for security, I know). Can I skip this step, so that I do not damage the complete board?

I would choose UART for testing my encrypted bootloader.

 

I skipped the step "efuse write DEV_DEPLOY 1"  and my board doesn't boot anymore. Could this be the reason?

 

Initially, I installed my own keys for aes-256.txt and iv.txt and also generated CSK[0..F].txt,KAK.txt files (and csk[1..16].txt, kak.txt)  each with different seeds. I couldn't find any manual for this setup. Does anyone have experience with the encryption-setup of U-Boot with ATF?

 

Thanks for your help!

 

[kostap]

I would never TRY to use trusted boot on a single board without BGA socket. You may end up with SoC that does not boot and needs replacement.

Have you burned your trusted image after burning efuses but before you reset the board?

It is true, that on Marvell A8K platform you can test most of efuse operations without entering the trust boot mode. The only trigger is the single efuse "security enable". This is not a case with A3700.

I think A3700 BootROM assumes that the SoC is in trusted boot mode even this DEV_DEPLOY fuse is not burned, but the KAK/CSK values already programmed.

In any case you have to exactly follow the instructions for the trusted boot enablement. Trusted boot is always tricky and people who test it for the first time, trash few SoCs before they get it working as expected.