QorIQ Trust Architecture 2.1 User Guide

NXP’s QorIQ Trust Architecture 2.1 (TA 2.1) is a hardware-based security framework for Layerscape and QorIQ processors. It is the foundation for building Trusted Platforms: silicon-level security features combined with OEM-controlled software and provisioning.

🛡️ Core Security Features

The Trust Architecture provides a suite of "opt-in" hardware capabilities that allow developers to balance security strength against system debuggability.

Hardware Root of Trust (HRoT): An immutable silicon foundation that anchors the entire security chain.

Secure Boot: Ensures only authenticated, OEM-signed code can execute on the processor.

Secure Debug: Controls access to JTAG and debug interfaces via fused permissions, preventing unauthorized hardware-level inspection.

Anti-Tamper & Monitoring: Detects physical or environmental tampering and can trigger a "fail-safe" state or erase secret keys.

Secret Key Protection: Protects persistent and ephemeral device secrets (like RSA private keys) from extraction or misuse.

Runtime Integrity Checking (RTIC): Hashes designated memory regions during boot and re-checks them at run time, so code that is modified after the boot process is detected.

🔑 Secure Boot Process (Chain of Trust)

Secure Boot is the primary mechanism for establishing a Chain of Trust (CoT). It relies on digital signature validation using public/private key pairs.

1. Pre-Boot Phase

The Security Fuse Processor (SFP) reads internal fuse values immediately upon power-on.

If the Intent to Secure (ITS) fuse is blown, the processor is in secure boot mode: it will not run code from external memory until that code has been validated, and a validation failure halts the boot.

2. Internal Secure Boot Code (ISBC)

The processor starts executing from the on-chip Internal Boot ROM (IBR).

The ISBC validates the initial boot image (the PBI commands and the next-stage bootloader). The RSA public key travels with the image in its header; the ISBC hashes that key and compares the result against the Super Root Key Hash (SRKH) programmed into fuses, and only a key whose hash matches is used to check the image signature.

3. External Secure Boot Code (ESBC)

Once validated, the first-stage bootloader (e.g., U-Boot) takes over.

The ESBC continues the chain by validating subsequent images, such as the Linux kernel, Device Tree (DTB), and user applications.

🛠️ Implementation & Tools

NXP's QorIQ Trust Architecture (TA) 2.1 represents a critical convergence of hardware-based security features designed for modern networking and embedded systems. It is defined by its ability to create a "Trusted Platform", a system that performs exactly as stakeholders expect while resisting both remote and physical attacks.

Core Evolution and Integration

The 2.1 version specifically marks the merger of NXP’s long-standing proprietary Trust Architecture with ARM TrustZone (TZ) technology. This integration is a standard feature in ARM-based QorIQ LS-series (Layerscape) processors, combining the silicon-based hardware root of trust with ARM's architectural security specifications.

Key Security Pillars

According to the architecture's objectives, it provides a comprehensive "defense-in-depth" protection model:

Hardware Root of Trust: Every SoC includes built-in capabilities for secure boot, anti-tamper mechanisms, and secret key protection.

Secure Boot: This process uses on-chip ROM and fused keys to validate code signatures before execution, preventing unvalidated or malicious software from running.

Strong Partitioning: Using the hypervisor privilege level of the e500mc core and the I/O Memory Management Unit (the PAMU on Power Architecture QorIQ parts), the architecture enforces access controls that isolate software partitions from one another, so one partition cannot read, modify, or interfere with another's resources.

Secret Management: It protects both persistent secrets (like fused keys) and ephemeral secrets (like session keys or Black Keys) from extraction or misuse.

Manufacturing Protection: The architecture supports a secure manufacturing process that integrates with device lifecycle management to ensure integrity from the factory floor to the field.

User Implementation and Accessibility

The Trust Architecture is entirely optional (opt-in), allowing original equipment manufacturers (OEMs) to control trade-offs between cryptographic strength, debug visibility, and anti-cloning mitigation.

Developers typically manage these features through NXP tools such as the Code Signing Tool (CST), which generates the signing keys, the SRKH value to be fused, and the signed image headers, and the NXP Secure Provisioning Tool. It is important to note that the detailed Trust Architecture User Guide is considered confidential; it is generally not public and often requires a non-disclosure agreement (NDA) to access from the NXP Community or official support channels.

INTRODUCTION TO QORIQ TRUST ARCHITECTURE

The QorIQ Trust Architecture 2.1 User Guide provides essential technical details for implementing silicon-based security, such as Secure Boot and ARM TrustZone, on NXP Layerscape processors. It is a critical, NDA-protected document that enables advanced features like hardware root of trust and runtime integrity checking. For more details, visit NXP Community.


Step-by-Step Workflow from the User Guide

Here is a condensed implementation flow found in the guide for enabling secure boot on an LS1046A or P4080.

Phase 3: Fusing the Keys (During Manufacturing)

The guide warns: fusing is irreversible. Use the pbl_fuse tool or a JTAG programmer. Before burning, compare every SRKH word against the hash printed by the signing tool for the key you intend to use: with ITS blown, a single wrong word means no image will ever validate and the part cannot boot. Example fuse commands for SRKH (address 0x1E0):

write_fuse(0x1E0, SRKH_word0);
write_fuse(0x1E4, SRKH_word1);
...

3. Secure Debug Control

One of the most misunderstood sections of the guide is debug security. TA 2.1 implements multiple debug levels:

| Level | Access | Requirement |
|-------|--------|-------------|
| Disabled | No debug | Final product |
| Unlocked | Full JTAG | Correct challenge-response |
| Limited | Data memory only | Partial key |

The user guide explains how to generate challenge-response pairs using on-chip random numbers and a debug master key.
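The exchange the table and the paragraph above describe, both sides included, as an added model in Go; this is not NXP's code, and the guide's actual fuse map and response derivation are NDA material. The assumptions are labelled: the "debug master key" is a per-device secret held by the SoC and the OEM's unlock tool, the response is HMAC-SHA256 over the challenge (a constructed choice, not NXP's), a correct response grants whatever level the fused policy allows, and an attempt counter models the lockout a silicon implementation would need against online guessing. The Disabled level never opens, whatever the response.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DebugLevel follows the three levels in the table above.
type DebugLevel int

const (
	DebugDisabled DebugLevel = iota // final product: no response can unlock
	DebugLimited                    // data memory only
	DebugUnlocked                   // full JTAG
)

func (l DebugLevel) String() string {
	switch l {
	case DebugLimited:
		return "Limited"
	case DebugUnlocked:
		return "Unlocked"
	}
	return "Disabled"
}

// Soc models the silicon side. Policy and masterKey stand in for fused values
// (assumption: the real fuse layout is not public).
type Soc struct {
	Policy    DebugLevel // highest level the fuses allow
	masterKey []byte     // hypothetical per-device debug master key
	challenge [16]byte   // fresh on-chip random value per power cycle
	attempts  int
	granted   DebugLevel
}

const maxAttempts = 3

var (
	ErrDebugDisabled = errors.New("debug permanently disabled by fuse")
	ErrLockedOut     = errors.New("too many failed responses; power cycle required")
	ErrBadResponse   = errors.New("response does not match challenge")
)

// NewSoc draws the challenge from the RNG, as the page describes.
func NewSoc(policy DebugLevel, masterKey []byte) (*Soc, error) {
	s := &Soc{Policy: policy, masterKey: masterKey}
	if _, err := rand.Read(s.challenge[:]); err != nil {
		return nil, err
	}
	return s, nil
}

// Challenge is what the debugger reads over JTAG before anything else.
func (s *Soc) Challenge() [16]byte { return s.challenge }

// Granted reports the level currently open to the debugger.
func (s *Soc) Granted() DebugLevel { return s.granted }

// response derives the expected value. HMAC-SHA256 over the challenge is an
// assumption for this model: unforgeable without the key, and a captured
// response is useless for any other challenge.
func response(masterKey []byte, challenge [16]byte) []byte {
	m := hmac.New(sha256.New, masterKey)
	m.Write(challenge[:])
	return m.Sum(nil)
}

// DebuggerResponse is the host side: the OEM's unlock tool holds the same key.
func DebuggerResponse(masterKey []byte, challenge [16]byte) []byte {
	return response(masterKey, challenge)
}

// Unlock is the SoC-side check: constant-time compare, bounded attempts,
// and Disabled never opens regardless of the response presented.
func (s *Soc) Unlock(resp []byte) (DebugLevel, error) {
	if s.Policy == DebugDisabled {
		return s.granted, ErrDebugDisabled
	}
	if s.attempts >= maxAttempts {
		return s.granted, ErrLockedOut
	}
	s.attempts++
	if !hmac.Equal(resp, response(s.masterKey, s.challenge)) {
		return s.granted, ErrBadResponse
	}
	s.granted = s.Policy
	return s.granted, nil
}

func main() {
	key := []byte("constructed-debug-master-key-0123") // constructed sample key
	soc, _ := NewSoc(DebugUnlocked, key)
	ch := soc.Challenge()
	fmt.Println(soc.Unlock(DebuggerResponse([]byte("wrong key"), ch))) // Disabled, bad response
	fmt.Println(soc.Unlock(DebuggerResponse(key, ch)))                 // Unlocked, nil

	final, _ := NewSoc(DebugDisabled, key)
	fmt.Println(final.Unlock(DebuggerResponse(key, final.Challenge()))) // Disabled, fuse-disabled
}
```

Two points carry over to real hardware: the compare must be constant-time (hmac.Equal here) so the response cannot be recovered byte by byte from timing, and the challenge must change on every power cycle so a response captured on a JTAG probe cannot be replayed.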

Chapter 2: The Core Concept – Secure Boot with TA 2.1

The central feature of the user guide is the Secure Boot process. Unlike software-only secure boot, TA 2.1 anchors the chain in the on-chip Boot ROM together with the hash of your public key (the SRKH) programmed into fuses, so neither the verification code nor the trust anchor can be replaced from external memory.
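The validation logic behind the chain of trust described in the Secure Boot steps earlier on this page (ISBC, then ESBC, then kernel and DTB) and in this chapter, as an added example in Go. This is not NXP's ISBC or ESBC code and not the CST tool; it models the logic only. Assumptions: the header carrying the public key and signature is a constructed stand-in (the real CSF header layout is NXP-confidential), the SRKH is computed as SHA-256 over the modulus followed by the big-endian exponent (a constructed encoding), and the signature scheme is RSA-2048 PKCS#1 v1.5 over the image's SHA-256. The example shows the two failure modes a practitioner cares about: a tampered image, and an image correctly signed under a key the fuses do not vouch for.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Srkh stands in for the Super Root Key Hash burned into fuses.
type Srkh [32]byte

// CsfHeader is a constructed stand-in for the header that travels with each
// image: the signing public key and the signature over the image body.
type CsfHeader struct {
	PubKey    *rsa.PublicKey
	Signature []byte
}

// SignedImage is one stage of the chain as the boot code finds it in flash.
type SignedImage struct {
	Header CsfHeader
	Image  []byte
}

var (
	ErrKeyNotTrusted = errors.New("public key hash does not match fused SRKH")
	ErrBadSignature  = errors.New("image signature does not verify")
)

// NewSigningKey generates an OEM (or attacker) RSA-2048 key for the demo.
func NewSigningKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// DeriveSrkh hashes the public key in a fixed encoding (modulus, then the
// exponent big-endian; constructed). This is the value manufacturing fuses.
func DeriveSrkh(pub *rsa.PublicKey) Srkh {
	h := sha256.New()
	h.Write(pub.N.Bytes())
	h.Write([]byte{byte(pub.E >> 24), byte(pub.E >> 16), byte(pub.E >> 8), byte(pub.E)})
	var out Srkh
	copy(out[:], h.Sum(nil))
	return out
}

// Sign is the OEM's offline step: sign the SHA-256 of the image and attach
// the public key so the next stage can check it against the fuses.
func Sign(priv *rsa.PrivateKey, image []byte) (SignedImage, error) {
	digest := sha256.Sum256(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedImage{}, err
	}
	return SignedImage{Header: CsfHeader{PubKey: &priv.PublicKey, Signature: sig}, Image: image}, nil
}

// Validate is the check every stage performs before jumping to the next one.
// Order matters: the key is trusted only after its hash matches the fuses,
// and only then does a good signature mean anything.
func Validate(fused Srkh, si SignedImage) error {
	if DeriveSrkh(si.Header.PubKey) != fused {
		return ErrKeyNotTrusted
	}
	digest := sha256.Sum256(si.Image)
	if err := rsa.VerifyPKCS1v15(si.Header.PubKey, crypto.SHA256, digest[:], si.Header.Signature); err != nil {
		return ErrBadSignature
	}
	return nil
}

// BootChain walks ISBC -> ESBC -> kernel/DTB and stops at the first failure,
// returning the index of the rejected stage (-1 when every stage passed).
func BootChain(fused Srkh, stages []SignedImage) (int, error) {
	for i, s := range stages {
		if err := Validate(fused, s); err != nil {
			return i, err
		}
	}
	return -1, nil
}

func main() {
	oem := NewSigningKey()
	fused := DeriveSrkh(&oem.PublicKey)

	bootloader, _ := Sign(oem, []byte("u-boot image (constructed)"))
	kernel, _ := Sign(oem, []byte("kernel and dtb (constructed)"))
	fmt.Println(BootChain(fused, []SignedImage{bootloader, kernel})) // -1 <nil>

	// Flip one bit in the kernel: the ESBC stage must refuse it.
	tampered := kernel
	tampered.Image = append([]byte{}, kernel.Image...)
	tampered.Image[0] ^= 0x01
	fmt.Println(BootChain(fused, []SignedImage{bootloader, tampered})) // 1, bad signature

	// Correctly signed under a key the fuses do not vouch for: rejected before
	// the signature is even examined.
	rogue, _ := Sign(NewSigningKey(), []byte("replacement bootloader"))
	fmt.Println(BootChain(fused, []SignedImage{rogue})) // 0, key not trusted
}
```

The rogue-key case is the reason the SRKH lives in fuses rather than in the image: an attacker who can rewrite flash can always supply a key and a matching signature, so the boot ROM must compare the key against something the attacker cannot change.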