AN12631 Normal and Secure Debug for i.MX8/8X Family of Applicati....pdf-资料库

embededman-13619918-4744300845372089459.pdf-第1页.png

第1页 / 共14页

embededman-13619918-4744300845372089459.pdf-第2页.png

第2页 / 共14页

embededman-13619918-4744300845372089459.pdf-第3页.png

第3页 / 共14页

embededman-13619918-4744300845372089459.pdf-第4页.png

第4页 / 共14页

embededman-13619918-4744300845372089459.pdf-第5页.png

第5页 / 共14页

embededman-13619918-4744300845372089459.pdf-第6页.png

第6页 / 共14页

embededman-13619918-4744300845372089459.pdf-第7页.png

第7页 / 共14页

embededman-13619918-4744300845372089459.pdf-第8页.png

第8页 / 共14页

AN12631 Normal and Secure Debug for i.MX8/8X Family of Applications Processors Rev. 0 — February 2020 Application Note 1 Introduction 1.1 Purpose This document describes how to configure and use Normal/Secure JTAG on the i.MX8/8X family applications processors. This document does not apply to i.MX8M family of Application process. See AN4686 for 8M devices. 1.2 Intended audience This document is intended for users who: • Need an explanation about the procedure of secure debugging. • Need an explanation about how to use Lauterbach tools to debug U- boot/Kernel/SCFW. 1.3 Definitions, Acronyms, and Abbreviations The terms and acronyms used in this document are: • ADM – Authenticated Debug Module; Module that works with the debug system and fuse configuration to provide security measures • AHAB – Advanced High Assurance Boot; A software library executed in internal ROM on the NXP processor at boot time which, among other things authenticates software in external memory by verifying digital signatures in accordance with a CSF Contents 1 Introduction............................................ 1 1.1 Purpose.................................. 1 1.2 Intended audience.................. 1 1.3 Definitions, Acronyms, and Abbreviations................... 1 2 Overview................................................1 2.1 System JTAG Controller......... 1 2.2 The Authenticated Debug Module.................................... 2 2.3 Debug Flow when Secure Debug is enabled.................... 3 3 Deploy SCFW for OEM Open ...............4 3.1 Connect Lauterbach to the board....................................... 4 3.2 SCFW Debugging...................5 3.3 Run SCFW..............................5 3.4 Attach to SCFW...................... 6 4 Debug U-boot........................................ 6 4.1 Attach to U-Boot..................... 7 5 Kernel Debug.........................................9 6 Secure Debug......................................11 6.1 Introduction........................... 11 6.2 Steps to connect Lauterbach debug tool via Secure Debug....................... 13 • OTP – One-Time Programmable; The OTP hardware includes the masked ROM and electrically programmable fuses (eFuses) • SCU – System Controller Unit • SCFW – SCU FirmWare • SDP – Serial Download Protocol; Also called UART/USB serial download mode. It allows code provisioning through UART or USB during the production and development phases • SECO – Security Controller • SJC – System JTAG Controller 2 Overview 2.1 System JTAG Controller The JTAG port provides debug access to hardware blocks, including the Arm processor and the system bus. This allows program control and manipulation as well as visibility to the chip peripherals and memory.

NXP Semiconductors Overview The JTAG port must be accessible during initial platform development, manufacturing tests, and general troubleshooting. Given its capabilities, JTAG manipulation is a known attack vector for accessing sensitive data and gaining control over software execution. System JTAG Controller (SJC) protects against the whole range of attacks based on unauthorized JTAG manipulation. In i.MX8/8X family, the System JTAG Controller (SJC) provides a method of regulating the JTAG access. SJC provides the following security levels: • JTAG Disabled – JTAG use is permanently blocked • No-Debug – JTAG security sensitive features are permanently blocked • Secure JTAG – JTAG use is restricted (as in the No-Debug level) unless a secret-key challenge/response protocol is successfully executed • JTAG Enabled – JTAG use is unrestricted Security levels are selected via e-fuse configuration. The fuse burning is an irreversible process, once a fuse is burned it is not possible to change the fuse back to the unburned state. 2.1.1 Boundary Scan Arm signals DBGEN/NIDEN/SPIDEN/SPNIDEN are not tied with the Boundary Scan functionality, therefore, programming these fuses does not have any impact on Boundary Scan, which is enabled by default. Boundary Scan functionality can be disabled in either of these scenarios: • Setting the SJC Disable Fuse, since the JTAG controller is gated off. • The device is in “No Return” Lifecycle (regardless of the SJC_DISABLE eFUSE). 2.2 The Authenticated Debug Module The Authenticated Debug Module (ADM) is a module that works with the debug system and fuse configuration to provide security measures. It receives control signals from various sources such as pins, OTP fuses, and the SCU, Debug Access Port, and JTAG at boot and during runtime to determine, restrict, and indicate use of the debugging components. Certain debugging features are allowed or disallowed based on NXP and OEM requirements. It supports the following functions: • Debug Security Controls • SDP Security Controls • JTAG Security Controls • Content Key Security Controls • Chip Lifecycle Security Controls The chip has multiple debug domains, as shown in the table below. Having access to one debug domain does not grant access to the others. Table 1. Debug domains on the chip Life Cycle/ Enabled without authentication SCU FW SECO FW CLOSED OEM (with or without NXP firmware) PARTIAL FIELD RETURN FULL FIELD RETURN NO FIELD RETURN Debug Domain 0 (SCU) Debug Domain 3 (APPS) Debug Domain 5 (SECO) No Yes Yes Yes Yes No No No No Yes Yes No Yes Yes Yes No No No Application Note Normal and Secure Debug for i.MX8/8X Family of Applications Processors, Rev. 0, February 2020 2 / 14

NXP Semiconductors Overview 2.3 Debug Flow when Secure Debug is enabled In a closed configuration, the debug options are determined at boot time using signed code. However, if the Secure Debug level is chosen in the security fuse configuration then a successful Secure JTAG challenge/response allows access to debug features for the application and CM4 cores. In other words, secure debug is coupled with secure boot and is enabled only if chip LC is OEM Closed and the JTAG Challenge/ Response provides a means to open a Closed device for debug purposes. Therefore, when the device is in closed state, JTAG use is restricted unless a challenge/response protocol is successfully executed. If the chip is closed, normal JTAG does not work anymore and a signed message must be delivered through ADM Figure 1. Figure 1. App Cores TrustZone and Normal World Debugging The debug flow is as follows: 1. User request debug through JTAG interface 2. SOC responds with chip unique ID 3. Server finds corresponding secret (Trust Zone or Normal Debug) 4. User submits secret through JTAG interface 5. Secure JTAG module compares secret to pre-configured secret 6. If a match, ADM asks SECO to clear sensitive data Arm model is used to restrict debug access based on TZ/normal state. The OEM secret is used to enable debug for non-secure code (EL2 and below). Similarly, the TZ secret enables debug for secure code (EL3). Separating these worlds can cause some difficulties when debugging code that crosses these boundaries (that is, Linux -> ATF), so to get a full view both shall be enabled. Application Note Normal and Secure Debug for i.MX8/8X Family of Applications Processors, Rev. 0, February 2020 3 / 14

NXP Semiconductors 3 Deploy SCFW for OEM Open Deploy SCFW for OEM Open Figure 2. Boot image layout The boot image has two containers: SECO FW (AHAB) and SCFW+ATF+U-Boot as shown in Figure 2 firmware image 1. Headers come first 2. The first container only contains the SECO 3. 4. Second container header aligned to 1k 5. Flexible image placement for the second container 6. which can contain one or multiple images 7. No CSF For SECO to be authenticated with success the boot image must be signed using CST. 3.1 Connect Lauterbach to the board After creating the image, you need to connect Lauterbach hardware to the board by following the steps below: 1. Disconnect the debug cable from the target while the target power is off 2. Connect the host system, the TRACE32 hardware and the debug cable 3. Power ON the TRACE32 hardware 4. Start the TRACE32 software to load the debugger firmware. 5. Connect the debug cable to the target. 6. Switch the target power ON. 7. Configure your debugger, e.g., via a start-up script. Next, add cores and start the debugger: 1. Add cores on which to run the debugger 2. Change the Temp file location (Advanced Settings->Paths) Application Note Normal and Secure Debug for i.MX8/8X Family of Applications Processors, Rev. 0, February 2020 4 / 14

NXP Semiconductors 3. Select the Arm core, and press start Figure 3 Deploy SCFW for OEM Open Figure 3. Add Cores and start the debugger 3.2 SCFW Debugging Lauterbach scripts can be found either in the Lauterbach release or by contacting NXP support. For SCFW Debugging the MX8_misc/coresight-jtag-provision.cmm script can be used. The &binFile and &scfwFile script variables should be set with the paths to flash.signed.bin and scfw_tcm.elf. In order to link the disassembled code to the C code, you need to set &scfwPath variable with the path to SCFW source code. Run SCFW Debugging script: 1. Put the board in SDP Mode 2. Power on the board, start the ARM-core and run the MX8_misc/coresight-jtag-provision.cmm script Figure 4. 3. If the script succeeds, “SECO AUTH SUCCESS” is reported in the AREA window Figure 5. Figure 4. Run script Figure 5. Script log 3.3 Run SCFW In the B:: console use “list board_init”. If you are seeing only disassembled code the path to the current source file (board.c) must be added from View->Symbols. Add a breakpoint at board_init from Break -> Set or press right click on the line you want to set it and select breakpoint. To start debugging press the go button Figure 6. Application Note Normal and Secure Debug for i.MX8/8X Family of Applications Processors, Rev. 0, February 2020 5 / 14

NXP Semiconductors Figure 6. Menu bar Debug U-boot The debugger should be at the beginning of the board_init function. Figure 7. You can advance with the single-step button. If you have built the SCFW with the M=1 option, SCU Console was activated (see iMX8 User Guide Manual). Logs can be seen in the SCU console while advancing with the go/step button. If the break button is pressed Figure 8, the execution is halted and the terminals should not accept any input. Figure 7. board_init function Figure 8. Break button 3.4 Attach to SCFW For attaching to SCFW you need to write the previous image on the SD card. For i.MX8QXP devices, this can be done using the following command: dd if=flash.signed.bin of=/dev/sde bs=1K seek=32; Set the switches for SD1 boot (1100) and insert the SD-card. The U-boot has to be stopped from console terminal before booting. On the Arm-core, the coresight-scu.cmm script is used to attach to SCFW. 4 Debug U-boot Application Note Normal and Secure Debug for i.MX8/8X Family of Applications Processors, Rev. 0, February 2020 6 / 14

NXP Semiconductors Debug U-boot 4.1 Attach to U-Boot Adding a branch to self at the start label in U-Boot sources and recompiling the imx-boot is needed as in section 3. For 2018.03r0 U-Boot version it can be found in $YOCTO_BUILD/tmp/work/imx8-poky-linux/u-boot-imx/2018.03-r0/git/ arch/arm/cpu/armv8/start.V Figure 9. Figure 9. u-Boot start.v Write the U-Boot on the SD-card, set the switches for SD1 boot (1100) and insert the SD-card. In Lauterbach start the ARM64 core Figure 10. Figure 10. Start core Next, run the coresight-ca35.cmm script to attach to U-Boot. To load the elf file in Lauterbach, you need to run: data.load.elf $PATH_TO_u_boot /NoCODE To add sources to the disassembled code, you need the “U-Boot” file. For iMX8QX, you can find it in $YOCTO_BUILD/tmp/work/imx8qxpmek-poky-linux/u-boot-imx/2018.03r0/build/ imx8qxp_mek_config/. For attaching the source code, the following command can be used: y.SourcePATH $PATH_TO_u-boot-imx The elf can be loaded with the sources simultaneously with: data.load.elf $PATH_TO_u_boot /Strippart 4 /NoCode /PATH $PATH_TO_u-boot-imx To see the code, go to View->List Source and move the PC to the next line by pressing right click “b reset” and Set PC Here to jump over the loop Figure 11. Application Note Normal and Secure Debug for i.MX8/8X Family of Applications Processors, Rev. 0, February 2020 7 / 14

NXP Semiconductors Debug U-boot Figure 11. Set PC The U-boot needs to relocate at a specific address in RAM. For that it uses relocate_code and relocate_done functions. Set two breakpoints at relocate_code and relocate_done Figure 12) and press GO until you reach relocate_done Figure 13. Figure 12. Set breakpoints Figure 13. Old rellocate_done adress Application Note Normal and Secure Debug for i.MX8/8X Family of Applications Processors, Rev. 0, February 2020 8 / 14

资料库

AN12631 Normal and Secure Debug for i.MX8/8X Family of Applicati....pdf

相关推荐

行业

热门标签

最新资料