2.2. Secure Boot eFuse Setup Process

Attention

eFuse cannot be erased after writing 1 every bit (only allowed to change from 0 to 1), please pay attention before writing. After the specified eFuse is locked, it can no longer be read or written. Please pay attention before locking.

Cvitek provides u-boot command and Linux library to access eFuse. The following process uses u-boot command as an example.

2.2.1. Viewing the Content of Key

To view the key content on a PC:

# View AES keys
host$ xxd -p -c 256 loader_ek.key
668f8b6655a89f7cb8ee5cbd6f2c914e

# Obtain RSA public key sha256 value required for signature verification
# When executing the signing script fipsign.py, the script will print the required sha256 value, as follows:
host$ ./fipsign.py ......
Host$ .......
Host$ INFO:root:KPUB_HASH:978bc2031b9377dadb4c7c34467ee985806a63a3ac8ee293a3f0eddcd2b789d8
Host$ .......

  • KPUB_HASH: The following string is the required sha256 value

2.2.2. Writing a Key

  1. Write loader_ek.key into the “encryption key” area of eFuse, the data is an array of 16, expressed as 32 numbers in hexadecimal. Skip this step if encryption is not used.

u-boot# efusew LOADER_EK 668f8b6655a89f7cb8ee5cbd6f2c914e

  1. Write the sha256 value required for signature verification into the “SHA256 summary required for signature verification” area of eFuse. The data is an array of 32, expressed as 64 numbers in hexadecimal.

u-boot# efusew HASH0_PUBLIC 978bc2031b9377dadb4c7c34467ee985806a63a3ac8ee293a3f0eddcd2b789d8

  1. Lock the key area to prevent reading and writing.

u-boot# efusew LOCK_LOADER_EK 01
u-boot# efusew LOCK_HASH0_PUBLIC 01

2.2.3. Enable secure Boot

  1. Enable RSA verification process

u-boot# efusew SECUREBOOT 01

  1. Enable RSA verification and AES decryption process

u-boot# efusew SECUREBOOT 02

Attention

After the secure boot is enabled, it cannot be changed. Please note that the FIP image has been signed/encrypted before burning.