Secure Solution

This section is very platform dependent, and we strongly suggest reading the security chapter of the LSDK document before running any real instructions on the device.

In order to build a secure solution, you need to boot the board securely. Steps to do so can be found in LSDK document’s “security chapter”.

Prepare Secure Bootstrap Image

  • Generate key pair using CST tool.

    The CST tool can be built from source, and key pair generation is one of its functions. Generally, the key pair should be generated once and kept safe. The private key will be used to sign images, and the public key will be fused into the device to verify the image signature.

# build cst tool from source
$ flex-builder -c cst

$ cd <flex-builder dir>/packages/apps/cst

# generate RSA key pair: srk.pub and srk.pri, 1024bit
$ ./gen_keys 1024

Image Download

Download the pre-built secure bootstrap images according to the following table. For demonstration purposes only, all pre-built secure bootstrap images are built using the same key pair.

Version  Platform       Images
v1909    LS1012ARDB     secure_ls1012ardb-qspi.img
v1909    LS1012ARDB     bl2_qspi_ls1012ardb.pbl
v1909    LS1012AFRWY    secure_ls1012afrwy-qspi.img
v1909    LS1012AFRWY    bl2_qspi_ls1012afrwy.pbl
v1909    LS1043ARDB     secure_ls1043ardb-nor.img
v1909    LS1043ARDB     bl2_nor_ls1043ardb.pbl
v1909    LS1046ARDB     secure_ls1046ardb-qspi.img
v1909    LS1046ARDB     bl2_qspi_ls1046ardb.pbl
v1909    LS1046AFRWY    secure_ls1046afrwy-qspi.img
v1909    LS1046AFRWY    bl2_qspi_ls1046afrwy.pbl
v1909    LS1088ARDB_PB  secure_ls1088ardb-pb-qspi.img
v1909    LS1088ARDB_PB  bl2_qspi_ls1088ardb-pb.pbl
v1909    LS2088ARDB     secure_ls2088ardb-nor.img
v1909    LS2088ARDB     bl2_nor_ls2088ardb.pbl
v1909    LS1028ARDB     secure_lS1028ardb-xspi.img
v1909    LS1028ARDB     bl2_xspi_ls1028ardb.pbl
v1909    LX2160ARDB     secure_lx2160ardb-xspi.img
v1909    LX2160ARDB     bl2_xspi_lx2160ardb.pbl
v1909    demo key pair  srk.tgz

  • Build the secure bootstrap image

    To build the secure bootstrap image with the specified key pair, please refer to Bootstrap.

Prepare Secure Solution Image

  • Specify the key pairs for secure boot in configs/build_lsdk.cfg
SECURE_PRI_KEY=/home/xx/path/srk.pri
SECURE_PUB_KEY=/home/xx/path/srk.pub

Create Device and Bootup in Secure Mode

  • Create device via EdgeScale dashboard or escli command line tools.
  • Program secure bootstrap image into the device. See more at Bootstrap.

Enforce the Secure Boot

In production systems, secure boot is enforced by blowing the ITS fuse.

In a development environment, if you are booting the board securely using the SB_EN bit, you need to ensure that the ITS bit is set. This can be done via CodeWarrior (CCS). For this, you need to put the core in boot hold-off by setting the corresponding bit in the RCW.

  • Set the ITS bit through CCS when the system is in the boot hold-off state.
#Boot up the system

#Connect CodeWarrior/ccs

#Set the ITS bit if ITS not fused
$ ccs::write_mem <dap chain position> 0x1e80200 4 0 0x00000004

#Get the Core Out of Boot Hold-Off
$ ccs::write_mem <dap chain position> 0x1ee00e4 4 0 0x1

Read Pub Key From Device

This public key is derived from the srk.pub generated by the CST tool and is used for device authentication. mp_app is part of the secure object library and is integrated with the LSDK rootfs.

  • Get MP public key:
    • Boot up the system in secure mode.
    • Get the public key from the device with the mp_app tool:
mp_app -p

Public key x part = 671fe89daca42004d648b2ad7ddeb2a0ca7e47556e73f376aab45061fca74603

Public key y part = 9519e09aab4da3a972511d3ca7e842e8bb1d02e744cc85ff4e65c0ca6fbb7376

Public key in form of x followed by y is saved in pub_key file

Upload Device db to Cloud

To securely enroll the device to the cloud, some data from the device needs to be uploaded to the cloud. This data includes:

  1. Manufacturing Protection Public Key - Public part of the ECC key pair generated after the secure boot process. Steps are given in the section “Read Pub Key From Device”.
  2. Factory UID or FUID
  3. OEM UID (To obtain 2 and 3, please refer to the SoC SFP block memory map from the Reference Manual)

#csv file schema: FUID, OEMID, SK_PUB_X, SK_PUB_Y, MODEL_ID

$ escli device upload-db -f <db.csv>
  1. Create device on dashboard with SN: <FUID>:<OEMID>
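
The db.csv row and the dashboard SN can be assembled from the `mp_app -p` output with some sanity checks on the key parts. The following is an added example, not part of EdgeScale or LSDK; it assumes FUID and OEMID are supplied as hex strings already read from the SFP block and that each key part is 64 hex characters, as in the output shown above. Whether escli expects a header row is not stated here, so only the data row is produced.

```python
import csv
import io
import re

# Output of `mp_app -p` as shown on this page.
MP_APP_OUTPUT = """\
Public key x part = 671fe89daca42004d648b2ad7ddeb2a0ca7e47556e73f376aab45061fca74603

Public key y part = 9519e09aab4da3a972511d3ca7e842e8bb1d02e744cc85ff4e65c0ca6fbb7376

Public key in form of x followed by y is saved in pub_key file
"""

COORD_RE = re.compile(r"^Public key ([xy]) part = ([0-9a-fA-F]+)[ \t\r]*$", re.M)
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def parse_mp_pubkey(text, coord_hex_len=64):
    """Return (x, y) hex strings; reject missing, duplicated, short or blank parts."""
    found = {}
    for axis, value in COORD_RE.findall(text):
        if axis in found:
            raise ValueError(f"duplicate {axis} part")
        found[axis] = value
    for axis in ("x", "y"):
        value = found.get(axis)
        if value is None:
            raise ValueError(f"missing {axis} part")
        # Assumption: 64 hex chars per part, matching the sample output above.
        if len(value) != coord_hex_len:
            raise ValueError(f"{axis} part has {len(value)} hex chars")
        if set(value) == {"0"}:
            raise ValueError(f"{axis} part is all zero")
    return found["x"], found["y"]


def build_db_row(fuid, oemid, mp_output, model_id):
    """Return (csv_line, serial) using the page's column order and SN format."""
    for name, value in (("FUID", fuid), ("OEMID", oemid)):
        if not HEX_RE.fullmatch(value):  # assumption: both IDs are plain hex
            raise ValueError(f"{name} is not a hex string: {value!r}")
    x, y = parse_mp_pubkey(mp_output)
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow([fuid, oemid, x, y, model_id])
    return buf.getvalue(), f"{fuid}:{oemid}"


if __name__ == "__main__":
    # FUID, OEMID and MODEL_ID below are constructed placeholders, not real values.
    line, serial = build_db_row("0011223344556677", "8899aabb", MP_APP_OUTPUT, "MODEL_ID_PLACEHOLDER")
    print(serial, line, sep="\n", end="")
```

A truncated or all-zero key part raises ValueError instead of producing a row, so a bad read from the device does not reach the uploaded database.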