Hello,
I’ve been trying to enable and demo secure boot on the ClearFog CX2 Dev Board for the LX2160A. I’ve made a software image with Yocto which I believe has secure boot enabled, although it’s hard to tell given that the board does not produce serial output. However, I have been able to build non-secure images just fine, so I am inclined to believe that my build system works.
Because I do not want to permanently write to the fuses since I want to verify my software image, I need to write my Super-Root Key Hash (SRKH) to the appropriate registers immediately as the CPU comes out of reset before the BootROM can run. According to the NXP documentation, this can be done using their “CodeWarrior TAP”, which seems to be a proprietary JTAG debugger; however, I have a SEGGER J-Link on hand and I am trying to use that instead with OpenOCD, but I am having issues with getting the board into Reset Sequence Pause (RSP).
Quick note: in some of their documentation they mention needing the BOOT_HO RCW option to be enabled, however I am pretty sure this is not necessary on the LX2160A because it has this “RSP” feature. If someone has concrete information on this it’d be much appreciated!
Following the recently updated SolidRun instructions for OpenOCD on the ClearFog boards I found here combined with de-soldering the zero-ohm as hinted at in the same instructions, I attempted to use the same configuration but the cores simply didn’t halt when instructed, and besides I don’t think that it’s possible with that given configuration since it doesn’t interact with the RSP functionality of the board.
I’ve tried a few modifications to the script, and I have gotten some success by directly communicating with the AXI bus to read/write memory with the CPU running:
```tcl
source [find interface/jlink.cfg]
transport select jtag
adapter speed 4000
reset_config srst_only

set _CHIPNAME lx2160a
set _DAP_TAPID 0x6ba00477

jtag newtap $_CHIPNAME dap -irlen 4 -expected-id $_DAP_TAPID
dap create $_CHIPNAME.dap -chain-position $_CHIPNAME.dap

# Connect directly to the system memory AXI bus
target create $_CHIPNAME.axi mem_ap -dap $_CHIPNAME.dap -ap-num 1

init
poll off
```
But again, since I can’t halt the cores after a reset, the BootROM (technically the ISBC) reads the mirror registers / fuses before I get a chance to write to them.
Once the board is stuck booting the secure boot image, I’ve also tried reading some of the status registers to hopefully at least see what the exact issue is, but all of them always come back as 0x00000000:
```
> mdw 0x01e00208
0x01e00208: 00000000
> mdw 0x01e90014
0x01e90014: 00000000
> mdw 0x01e80024
0x01e80024: 00000000
```
And while of course the first thing I thought was that my debugger connection is bad, I can read other registers just fine like the system version register:
```
> mdw 0x01e000a4
0x01e000a4: 87360020
```
So my question: is there any way to put this board into RSP so that the SRKH mirror registers can be written to for secure boot development? Failing that, are there any workarounds that can validate if a secure boot image will work without permanently writing to the e-fuses? Finally, is there anything I’ve missed in the process to enable secure boot or any better guides / tutorials available? Thank you.