=> fuse prog 0 8 1 Reboot. The system now refuses to boot any unsigned U-Boot. JTAG and debug interfaces are locked. TA 2.1 includes the SNVS block (formerly called the Secure Fuse Real-Time Clock). It provides 32 zeroizable master key slots (each 128-bit) secured by the Silicon Unique Key. Use Case: Storing device-unique encryption keys From U-Boot:
Example using JTAG (or via U-Boot when in OEM Open): qoriq trust architecture 2.1 user guide
ISBC: ESBC verification passed. Trust Architecture 2.1: Secure boot enabled. Blow the OEM_CLOSED fuse. On most QorIQ devices, this is fuse row 0, bit 8. => fuse prog 0 8 1 Reboot
cd cst/keys openssl ecparam -name prime256v1 -genkey -noout -out srk1_256.pem # for ECC # OR for RSA 4K: openssl genrsa -out srk1_4096.pem 4096 openssl rsa -pubout -in srk1_4096.pem -out srk1_4096_pub.pem # Repeat for srk2, srk3, srk4 Then generate the SRK table (hash + public keys): Trust Architecture 2