8. Programming the secure image using Renesas PLT

This section describes how the secure image can be programmed into the DA1459x Device Under Test (DUT) during the production process. To do this, the Renesas Production Line Toolkit (PLT) will be used, more info about the PLT can be found on the PLT product page.

Note

The previously obtained keys, image, and additional security settings will be used again in this chapter.

8.1. PLT Configuration

8.1.1. Programming Flash

To setup the PLT for programming flash memories, the Memory Functions (1) tab’s Flash Memory (2) section is used from the PLT configuration GUI. After the Write enable (3) checkbox is checked, the Image Path (4) can be selected from the filesystem.

../_images/plt-settings-1.svg — Figure 39 PLT QSPI Flash Settings

Warning

The CS part of the image will be modified by the PLT to write calibration values and, if configured, the keys section can also be overwritten by the PLT.

To enable the memory programming (2) configuration, memory programming must also be enabled in the General (1) tab of the PLT settings.

../_images/plt-settings-2.svg — Figure 40 PLT General Settings

The rest is optional

After configuring the PLT to write the entire memory like read from the device in Section 6.1 no additional steps are required to have a functional secure boot image programmed in production.

8.1.2. Programming Keys (optional)

If, for any reason, it is required to program the secure boot keys using the PLT instead of including them in the image and flashing the entire image at once, that can be done by following these instructions.

To setup the PLT for programming keys in sector 1 and 2 of the eFlash, the Custom Memory Data section of the Memory Header tab is used from the PLT configuration GUI. After the Write enable checkbox is checked, the csv file containing the keys can be selected.

To program multiple fields in the image using the PLT, a csv file must be used as the data source. The format of the csv file is described in the PLT manual section 5.10.1 but a template that is specific to secure boot can be downloaded here. The template has the following programming actions pre-configured:

Address 0x0C00 - 0x0FFF : Signature Keys
Address 0x0800 - 0x0BFF: User Data Encryption Keys

The keys obtained in Section 6.2.3 have to be byte swapped and placed in this csv file. So, for example this is how to move from the xml to the csv:

- product_keys.xml: <symmetric_key> 77EFE1B37051B4C1DA87A48903012ADAAE9D24A1DB1B1861183534E987D4E004 </symmetric_key>
- CSV: B3E1EF77C1B4517089A487DADA2A0103A1249DAE61181BDBE934351804E0D487
- product_keys.xml: <symmetric_key> 2F40170C1C8DED3FCAE9191CEFE9A9C9D6E0093377EA0128541EFBA1041C01CC </symmetric_key>
- CSV: 0C17402F3FED8D1C1C19E9CAC9A9E9EF3309E0D62801EA77A1FB1E54CC011C04
- product_keys.xml: <public> D8D3FB4FBDCF99FCC75F5BC22FAAC6628B976A54AEE51E48E08026F13E2B2386 </public>
- CSV: 4FFBD3D8FC99CFBDC25B5FC762C6AA2F546A978B481EE5AEF12680E086232B3E

After inserting the (byte swapped) keys in the csv file, the CSV file path (3) must be selected in the Custom Memory Data (2) section of the Memory Header (1) tab:

../_images/plt-settings-3.svg — Figure 41 PLT Settings for programming keys using a csv file

8.1.2.1. Static keys in csv File (optional)

In order to program the same set of keys in each DUT, one line would have to be inserted in the csv file for each DUT (identified by its BD address). Since this is a lot of redundant work if all keys need to be the same, a script was created to update the BD addresses in the csv file before each PLT test run. The script can be downloaded here and it should be placed inside SmartBond_PLT_v_4.6\executables\scripts and can be enabled (2) in the Test Options section of the General tab (1) like illustrated in Figure 42. When using the automation script, the keys must be defined at the start of the script.

../_images/plt-settings-4.svg — Figure 42 PLT Settings for enabling csv update script

8.1.3. Configuration Script Entry (optional)

To enable secure boot, the secure boot register (0x500000CC) has to be written using the configuration script. To do this using the PLT, the Configuration Script (2) section of the Memory Header (1) tab is used. After the Configuration script Enable (3) checkbox is checked, the Set Once Bits Configuration (4) can be enabled using the checkbox and the Value (5) can be written:

Configure script register value = 0x80 (this is the DA1459x SECURE_BOOT enable bit)

Note

Please note that the value might not be 0x80 in all cases. Sometimes, other fields of the register should be used as well. Please refer to the Section 7.1 to check what are the other fields in this register.

../_images/plt-settings-5.svg — Figure 43 PLT Settings for enabling secure boot

The PLT is now configured to program the keys in the image and enable secure boot in the configuration script. Don’t forget to enable Memory programming in the General tab.