Issue programming the HSS in Secure Boot mode 3 on board with Custom Security Settings applied

[nearly-big-endian]

Hi,

We are currently facing an issue transitioning from a DEV workflow to a PROD workflow.

We have previously validated that we could program the HSS in Secure Boot Mode 3 using either LiberoSoC or SoftConsole (via mpfsBootmodeProgrammer) on a IcicleKit board with NO security settings applied.

For PROD use, we now have our boards protected by UPK1/2 and UEK1/2 keys.

The idea here is that the fabric is programmed using UEK1 first, and the eNVM/sNVM is programmed using UEK2 later on (at a separate facility).

What we observe is that:

• we can't program the HSS using the SoftConsole, as the mpfsBootmodeProgrammer doesn't accept specifying key/security parameters
• programming the HSS through LiberoSoc in a "Boot-mode-3 eNVM client" yields a board that doesn't boot (no sign of HSS booting at all on serial terminal), even though the exact same procedure works on a board with no security settings applied

Could it be that this scenario is not supported ?

Thanks in advance for your help !

NB: SW Versions are LiberoSoC 2022.3 (also tried 2023.1), HSS 2022.2, SoftConsole 2022.2

[nearly-big-endian]

Forgot to mention that this workflow is working if the HSS is programmed in "Unsecured Boot mode 1" using liberoSoC+FlashPro on a board secured by UEK1/UEK2 keys. So, the Custom Security Settings have already been validated, in a sense.

[vfalanis]

Hi @nearly-big-endian,

If you have custom security settings in Libero, then you need to add a boot mode 3 envm client to include the HSS hex file.
I'll share some steps below, could you please try the following?

1. Checkout the latest HSS master branch from GitHub. You'll need the following commit.

git clone https://github.com/polarfire-soc/hart-software-services.git

2. Create the OpenSSL keys for the Factory Secure Boot (boot mode 3)

cd hart-software-services
openssl ecparam -name secp384r1 -genkey -noout -out combined.ec.key
openssl pkcs8 -topk8 -nocrypt -in combined.ec.key -out private.pem
openssl ec -in private.pem -pubout -out public.pem

2. Compile the HSS using the command line. Instructions on how to do this in Windows or Linux are provided in the HSS README. You will need the compile the HSS with the following flags:

make BOOTMODE=3 BOOTMODE_ARGS="--keys SEPARATED private.pem public.pem"

3. Once the HSS builds, a "hss-envm-wrapper-bm3-public-key-xy.txt" file should be generated inside the Default/bootmode3 directory. Copy or take note of the ucskx and ucsky values, as you will be using them in Libero.

4. Inside Libero, double-click the "Configure Design Initialization Data and Memories" option. Within the eNVM tab, add a boot mode 3 client.

In the "Content from file" option, browse the HSS project and select the hex file located in Default/bootmode3/hss-envm-wrapper-bm3-p0.hex

Copy the ucskx and ucsky values from step 3 into the Public Key X and Y fields

Click Ok and Apply the changes

5. At this stage you could carry on configuring Security in Libero and generating a bitstream which can be programmed into the device.

Note: you could also try steps 1-4 without custom security settings.

Hope this helps.

[nearly-big-endian]

Hello Valentina,

Thanks a lot for your detailed answer.

I apologize, as I think I didn't expose my problem clearly enough.

We do know that the procedure you detailed works, as we are also able to reproduce it.

What doesn't work for us is the "production" workflow that we're trying to set up:

• step 1 : program the board with security settings only, including UEK1/2 + UPK1/2 keys
• step 2 : program the fabric only, using a separate libero project containing UPK1/UEK1 keys only
• step 3 : program the sNVM + eNVM (including the HSS in eNVM bootmode3 client), using a separate libero project containing UPK2/UEK2 keys only

The issue that we have is that this procedure only works if we're doing all 3 steps at once, and from within a same Libero project containing both UPK1/UEK1 and UPK2/UEK2 keys.

But our need is to be able to perform each of these steps separately, using distinct libero projects using only a subset of UEK keys, as these steps will be performed by different people, at different locations and at different times. So, for instance, in the step 3, the libero project shall only contain the UPK2/UEK2 key.

The blocking point seems to be that we cannot program the HSS in secure boot mode 3 from a libero project that only contains the eNVM client and the UPK2/UEK2 key (programming logs say "Warning: UPK1 data is missing", then "Invalid/Corrupted enryption key").

It seems that the only way we can achieve that is if we have both the UPK1/UEK1 and UPK2/UEK2 keys set in the libero project, and if we program the Custom Security settings at the same time as the eNVM, which is something we precisely want to avoid.

I hope I could explain myself better this time.
Sorry for the confusion, and thanks in advance for your precious time you're giving us !

And let me know if there's something I should clarify...

[nearly-big-endian]

I tried to summarize our workflow in a more synthetic view, in the hope that it would clarify the intent and findings:

"STEP 1" libero project
------------------------------------------------------------------------------------------------------------------------
Keys embedded in       | eNVM content                   | Components selected        | Result
libero project         |                                | for programming            |    
------------------------------------------------------------------------------------------------------------------------
UEK1/UPK1 + UPK2/UEK2  | n/a                            | Security settings only     | OK
------------------------------------------------------------------------------------------------------------------------```

"STEP 2" libero project
------------------------------------------------------------------------------------------------------------------------
Keys embedded in       | eNVM content                   | Components selected        | Result
libero project         |                                | for programming            |    
------------------------------------------------------------------------------------------------------------------------
UEK1/UPK1              | n/a                            | Fabric only                | OK
------------------------------------------------------------------------------------------------------------------------

"STEP 3" libero project (3 variants tested):
----------------------------------------------------------------------------------------------------------------------------------
Variant# | Keys embedded in       | eNVM content                   | Components selected        | Result
         | libero project         |                                | for programming            |    
----------------------------------------------------------------------------------------------------------------------------------
1        | UEK2/UPK2              | Boot mode 1 client (un-secure) | eNVM only                  | OK (programming OK, HSS boot ok)
2        | UEK1/UPK1 + UEK2/UPK2  | Boot mode 3 client (secure)    | Security Settings + eNVM   | OK (programming OK, HSS boot ok)
3        | UEK2/UPK2              | Boot mode 3 client (secure)    | eNVM only                  | FAIL (programming fails)
----------------------------------------------------------------------------------------------------------------------------------

Steps 1 and 2 projects are always programmed first, and run fine.

Then, when we come to step 3, variants #1 and #2 do work, but variant #3 doesn't (which is the one we want)