BOOT process for CYS0644x/CYB0644x

Michael

Hi,

If I have understood it correctly the boot process is as follows:

  1. The processor starts from the internal ROM circuit that controls the integrity of the BOOT Flash section in flash memory with a 128-bit truncated SHA256 digest before jumping to flash.
  2. The BOOT Flash is executed which checks the signature of the application before jumping to it.
  3. The application runs (on the Cortex M4 core)

The questions I now have are:

1.1 I have found information that the fuse bits in the eFuse OTP area can be programmed from ‘0’ to ‘1’ (which blows the fuse) but not the other way around.
If I have understood it correctly, the ‘0’ valued bits of the SECURE_HASH can still be programmed to ‘1’ and that is why the SECURE_HASH_ZEROES area exists to check if there is still the same number of zeroes as when programmed.

Is this correct? If so can the ‘0’ value bits of the SECURE_HASH_ZEROES also be changed?

 

2.1 Can a user-defined bootloader be programmed to the BOOT flash sector, i.e., can a custom 2nd stage bootloader be used?

Best regards,

Michael

1 Solution
DheerajK_81
Moderator

Hello @Michael ,

Q1. I have found information that the fuse bits in the eFuse OTP area can be programmed from ‘0’ to ‘1’ (which blows the fuse) but not the other way around.

Ans. Yes. 

Q2. If I have understood it correctly, the ‘0’ valued bits of the SECURE_HASH can still be programmed to ‘1’ and that is why the SECURE_HASH_ZEROES area exists to check if there is still the same number of zeroes as when programmed.

Ans. Yes, that's right. SECURE_HASH is a hash that covers objects from TOC1 and TOC2. It is generated during the transition to SECURE mode, which will program the necessary eFuses to 1. All hashes are generated with the SHA-256 algorithm, but for the ones stored in eFuse, only the most significant 128 bits are stored, with an additional 8 bits stored that contain the number of zeros in the 128 bits of the hash.

Q3. Is this correct? If so can the ‘0’ value bits of the SECURE_HASH_ZEROES also be changed?

Ans. No. SECURE_HASH and SECURE_HASH_ZEROS are generated during the transition from Normal to Secure mode. Once the device is in Secure mode, it is used to validate FlashBoot by ROMBoot before FlashBoot is executed.  You can no longer modify the HASH once the lifecycle transition is complete. If it is modified maliciously, the FlashBoot validation will fail. 

Hope this answers your questions 🙂

Regards,
Dheeraj

Michael

Hi @DheerajK_81 ,

 

Thank you for the reply!

The answer is very helpful but now I have a follow-up question.

Is each byte of the SECURE_HASH value fused or is it the individual bits of the SECURE_HASH value that are fused when programmed in the eFuse OTP area?

The same question about SECURE_HASH_ZEROES, is it the whole byte that is fused or individual bits?

 

Regards,

Michael

DheerajK_81
Moderator

Hello Michael,

The PSoC64 Architecture is available here: https://www.cypress.com/file/522156/download

One fuse in the target device is represented by one byte:
0x00 - NOT BLOWN
0x01 - BLOWN

This applies to all the fuses: SECURE_HASH, SECURE_HASH_ZEROS

eFuse programming is locked once the chip is moved to the Secure state. Hence you cannot flip or reprogram the fuses in any way.

Hope this answers your question. Let me know if you need any further clarification.

Regards,
Dheeraj

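The zero-count check discussed in this thread, modelled in C as an added example (it is not Cypress ROM code and not part of the original posts). It uses the byte-per-fuse representation from the last reply; the struct, the function names, the bit ordering and the sample digest are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_BITS  128  /* most significant 128 bits of the SHA-256 digest */
#define ZEROS_BITS 8    /* SECURE_HASH_ZEROS: count of zero bits in the hash */

/* One byte per fuse: 0x00 = not blown, 0x01 = blown. */
typedef struct {
    uint8_t hash[HASH_BITS];    /* SECURE_HASH fuses, MSB first (assumed order) */
    uint8_t zeros[ZEROS_BITS];  /* SECURE_HASH_ZEROS fuses, bit 0 first (assumed) */
} efuse_model;

/* Constructed sample digest, not a value from any real device. */
static const uint8_t SAMPLE_DIGEST[16] = {
    0xA5, 0x3C, 0x00, 0xFF, 0x12, 0x34, 0x56, 0x78,
    0x9A, 0xBC, 0xDE, 0xF0, 0x0F, 0xF0, 0x55, 0xAA };

/* Fuses are one-way: the only possible write turns 0x00 into 0x01. */
static void blow(uint8_t *fuse) { *fuse = 0x01; }

static unsigned count_zero_fuses(const uint8_t *f, int n) {
    unsigned z = 0;
    for (int i = 0; i < n; i++) z += (f[i] == 0x00);
    return z;
}

static unsigned read_zeros_field(const efuse_model *e) {
    unsigned v = 0;
    for (int i = 0; i < ZEROS_BITS; i++) v |= (unsigned)(e->zeros[i] & 1u) << i;
    return v;
}

/* Program the hash fuses and the matching zero count, as at provisioning. */
void provision(efuse_model *e, const uint8_t digest[16]) {
    memset(e, 0, sizeof *e);
    for (int i = 0; i < HASH_BITS; i++)
        if ((digest[i / 8] >> (7 - i % 8)) & 1u) blow(&e->hash[i]);
    unsigned z = count_zero_fuses(e->hash, HASH_BITS);
    for (int i = 0; i < ZEROS_BITS; i++)
        if ((z >> i) & 1u) blow(&e->zeros[i]);
}

/* Returns 1 while the stored count still matches the hash fuses, else 0. */
int zeros_check_ok(const efuse_model *e) {
    return count_zero_fuses(e->hash, HASH_BITS) == read_zeros_field(e);
}
```

In this model a fuse can only go from 0 to 1, so the number of zeros among the hash fuses can only fall while the value held in the count field can only rise; once one extra hash fuse is blown, no further blowing brings the two back into agreement.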