Enable Secure boot + DB410C with Linux

darshak · September 12, 2017, 6:10am

Hi,

I am exploring secure boot feature on dragonboard 410c. For that I have downloaded Qualcomm LE release from create point and following steps mentioned in release note document(APQ8016.LE.1.0 Linux Enabled Release 1.0.33 for APQ8016E).

I have created signed images as mentioned in release document and also generated sec.dat file.
case 1: I have flashed all the signed images on the board without flashing the sec.dat file on Dragon board 410c. Board will up successfully with signed images. (without flashing sec.dat file).

case2: On the top of above case, I flashed the sec.dat file and given power cycle the DB410c board. It looks like SBL is up but not able to up lk(emmc_appsboot.mbn).

case3: After all above stuff, I have flashed the unsigned images using QFILL and its successfully flashed the unsigned images and board will also booting up fine. As mentioned in the release document once fuse blow we can flash signed images only. Does it mean that fuse is not blow in the 410c board?

Thanks & Regards,
Darshak

danielt · September 12, 2017, 8:55am

I can’t help much with the other questions but 410c is a developer board and is not configured for secure boot, nor AFAIK does it even have any private keys configured.

I believe the information about secure boot is shared to allow vendors of custom APQ8016E boards to enable secure boot on their platforms. Similarly recent Linaro releases require that LK be signed (to make it easier for vendors of custom boards to reuse our work) but the secondary bootloader doesn’t actually check the signature due to the absence any private keys.

danielt · February 6, 2019, 2:52pm

… and I’m afraid that is still the case. To discuss secure provisioning of these parts you must work with Qualcomm or Arrow.

danielt · March 19, 2019, 9:51am

AFAIK no official DB410C image enables any form of signed boot so I’m afraid I have to play the “I don’t know” card again here.