1 1
abstractEffort

Espressobin - using trusted/secure U-Boot

Recommended Posts

Hi,

 

I am currently trying to install a secure /trusted U-Boot into the EspressoBin and got several questions for this issue.

 

I followed this manual:

https://github.com/MarvellEmbeddedProcessors/u-boot-marvell/blob/u-boot-2017.03-armada-17.10/doc/mvebu/trusted_boot.txt

Regarding this manual the Flag for "efuse write BOOT_DEVICE SPINOR "has to be setup into NOR-Flash, so that the device will only boot from NOR anymore (which is a reason for security, I know). Can I skip this step, so that I do not damage the complete board?

I would choose UART for testing my encrypted bootloader.

 

I skipped the step "efuse write DEV_DEPLOY 1"  and my board doesn't boot anymore. Could this be the reason?

 

Initially, I installed my own keys for aes-256.txt and iv.txt and also generated CSK[0..F].txt,KAK.txt files (and csk[1..16].txt, kak.txt)  each with different seeds. I couldn't find any manual for this setup. Does anyone have experience with the encryption-setup of U-Boot with ATF?

 

Thanks for your help!

 

Share this post


Link to post
Share on other sites

I would never TRY to use trusted boot on a single board without BGA socket. You may end up with SoC that does not boot and needs replacement.

Have you burned your trusted image after burning efuses but before you reset the board?

It is true, that on Marvell A8K platform you can test most of efuse operations without entering the trust boot mode. The only trigger is the single efuse "security enable". This is not a case with A3700.

I think A3700 BootROM assumes that the SoC is in trusted boot mode even this DEV_DEPLOY fuse is not burned, but the KAK/CSK values already programmed.

In any case you have to exactly follow the instructions for the trusted boot enablement. Trusted boot is always tricky and people who test it for the first time, trash few SoCs before they get it working as expected.

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
1 1