Qoriq Trust Architecture 2.1 User Guide
Securing the Edge: A Deep Dive into QorIQ Trust Architecture 2.1
In an era where network infrastructure is a prime target for cyber surveillance and disruption, embedded system designers need more than just hope: they need a hardware-anchored fortress. The QorIQ Trust Architecture (TA) 2.1 provides exactly that, merging NXP's legacy trust features with ARM TrustZone technology to simplify the development of "Trusted Platforms". What is a "Trusted Platform"? According to , a trusted platform is a system that does exactly what its stakeholders expect, resisting attackers with both remote and physical access, or "failing safe" if compromised.
Key Pillars of Trust Architecture 2.1
The QorIQ TA 2.1 is an opt-in scheme, meaning it is disabled by default to give developers full control over their security policy enforcement. Its core objectives include:
- Secure Boot: The cornerstone of the architecture. It uses a hardware root of trust to ensure that only authentic, OEM-signed code executes from the moment of power-on.
- Strong Partitioning: Leverages MMU, IO-MMU, and Hypervisor models to ensure that if one partition is compromised, it cannot access or interfere with the resources of another.
- Secret Key Protection: Protects persistent and ephemeral device secrets (like "Black Keys") from extraction, even against advanced physical attacks.
- Anti-Tamper & Debug Security: Provides OEM-controlled trade-offs between debug visibility and sensitivity to physical tampering.
The Technical Edge: TA 2.1 Improvements
Architecture 2.1 represents a significant evolution, particularly for the Layerscape (LS) series:
- ARM Integration: It successfully merges NXP TA with ARM TrustZone, creating a unified environment for secure world vs. non-secure world operations.
- Virtualization Support: Enhanced hardware hooks for virtualization and DPAA2 infrastructure integration allow for high-performance, secure message exchange in cloud and data centre environments.
Implementation and Resources
For developers ready to implement these features, the QorIQ Trust Architecture 2.1 User Guide is the definitive technical resource. Note that this specific document is often restricted and may require a non-disclosure agreement (NDA) to access via the NXP Community or representative.
The QorIQ Trust Architecture 2.1 User Guide is a specialized technical document from NXP (formerly Freescale) that provides instructions for implementing hardware-based security features like Secure Boot on QorIQ processors.
Availability and Access
The full User Guide is typically not public and often requires a Non-Disclosure Agreement (NDA) with NXP to access. You can request it through the NXP Community or by contacting your NXP representative directly.
Key Components of Trust Architecture 2.1
Based on associated documentation and public summaries, this architecture version includes:
- Secure Boot: Ensures only authenticated, OEM-signed code executes by verifying digital signatures during the boot cycle.
- Chain of Trust: A multi-stage verification process starting from a hardware root of trust (Internal Secure Boot Code).
- Fuse Management (SFP): Use of the Security Fuse Processor (SFP) to store permanent system secrets, such as the Intent to Secure (ITS) bit and the Super Root Key Hash (SRKH).
- Security Monitor (SecMon): Hardware that monitors the system state and manages transitions between secure and non-secure modes.
- Trusted Manufacturing: Specialized processes (detailed in Section 5.5 of version 2.1) for securely provisioning devices during production.
Implementing Secure Boot (Standard Flow)
Implementation generally follows two phases:
- Development Phase: Secure boot is enabled via software flags (e.g., RCW[SB_EN] = 1) without permanently blowing fuses, allowing for testing and debugging.
- Production Phase: The ITS bit in the SFP is permanently "blown" to lock the system into a secure state, after which it will only boot signed code.
Relevant Resources
- Reference Manuals: Specific processor manuals (e.g., LS1012A or T2080) often point to the Trust Architecture guide for security-specific register details.
- Training and White Papers: High-level overviews can be found in NXP's Secure Boot White Paper and training presentations on QorIQ Trust Features.
Why this matters
The QorIQ Trust Architecture 2.1 User Guide outlines hardware-based security features for NXP Layerscape and Power Architecture SoCs, focusing on Secure Boot, trusted platforms, and hardware partitioning. Due to its confidential nature, this technical document requires an NDA and can be requested through NXP technical support. For more information, visit NXP Community.
Overview
The Trust Architecture 2.1 is NXP’s hardware-based security implementation for embedded networking and industrial processors. This user guide is the primary reference for developers implementing secure boot, debug security, and runtime integrity.
Why this matters?
For a system designer, the QorIQ Trust Architecture 2.1 moves security from an "optional add-on" to a hardware-enforced mandate. It allows you to build devices that can survive physical attacks (like probing the bus) and software attacks (like malware), making it essential for:
- Networking Gear: Preventing routers/switches from being hijacked.
- Aerospace: Ensuring flight controllers cannot be tampered with.
- Automotive: Securing the communication bus between ECUs.
If you are diving into the user guide, pay specific attention to the "Trust Architecture" chapter's coverage of the SEC (Security Engine) and the SDC (Secure Debug Controller); these provide the most immediate practical value for implementation.
1.3 Trusted Boot (ISBC + ESBC)
- ISBC (Internal Secure Boot Code): ROM code embedded in the chip. Cannot be changed.
- ESBC (External Secure Boot Code): The first-stage bootloader (typically U-Boot) signed by you.
When secure boot is enabled, the ISBC first checks that the SRK presented with the ESBC hashes to the SRKH stored in the SFP, then verifies the ESBC signature with that key. If either check fails, the boot is halted.
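To make the development/production phases above and the ISBC-to-ESBC check concrete, here is an added Python model of the ISBC's decision (this is illustrative code written for this page, not NXP's ISBC or any code from the user guide). It assumes a constructed textbook-RSA key pair standing in for the Super Root Key and treats the SRKH as SHA-256 of the serialised public key; the outcome strings and the `Fuses` class are my own names.

```python
"""Model of the ISBC secure-boot decision (constructed example, not NXP code)."""
import hashlib
from dataclasses import dataclass

# Constructed demo key: textbook RSA over two Mersenne primes, no padding.
# The real ISBC uses RSA with proper PKCS#1 encoding; this only models the flow.
_P, _Q, E = (1 << 521) - 1, (1 << 127) - 1, 65537
N = _P * _Q
_D = pow(E, -1, (_P - 1) * (_Q - 1))

def srk_bytes(n: int, e: int) -> bytes:
    """Serialise the Super Root Key (public part) as carried with the ESBC."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")

def srkh(n: int, e: int) -> bytes:
    """Super Root Key Hash: SHA-256 of the public key, the value fused into the SFP."""
    return hashlib.sha256(srk_bytes(n, e)).digest()

def sign_esbc(image: bytes, d: int = _D, n: int = N) -> int:
    """OEM-side signing of the ESBC (e.g. U-Boot) image with the private SRK."""
    return pow(int.from_bytes(hashlib.sha256(image).digest(), "big"), d, n)

@dataclass
class Fuses:
    """Security Fuse Processor state; ITS is one-time programmable."""
    its: bool = False
    srkh: bytes = b""

    def blow_its(self) -> None:
        self.its = True  # production step: cannot be cleared afterwards

def isbc_boot(fuses: Fuses, rcw_sb_en: bool, image: bytes, sig: int, n: int, e: int) -> str:
    """What the Internal Secure Boot Code does with a candidate ESBC image.

    Secure boot is enforced in production (ITS blown) or in development
    (RCW[SB_EN]=1, no fuses touched). When enforced, the SRK presented with
    the image must hash to the fused SRKH, then the signature must verify.
    """
    if not (fuses.its or rcw_sb_en):
        return "boot_unverified"  # non-secure boot: nothing is checked
    if srkh(n, e) != fuses.srkh:
        return "halt_srkh_mismatch"  # key is not the OEM's: halt
    digest = int.from_bytes(hashlib.sha256(image).digest(), "big")
    if pow(sig, e, n) != digest:
        return "halt_bad_signature"  # image altered or signed by another key
    return "boot_verified"
```

Note that with ITS blown, the only way to boot is with an image signed by the key whose hash is in the fuses; the same check runs in the development phase via RCW[SB_EN] but can be switched off again.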
Pitfall 3: Can’t transition to Secure Closed
Requirement: Must be in OEM Closed, and all fuses must be verified.
Check: Use the sec_mon status command in U-Boot:
=> sf dp target 0
=> ssp 0x1E90000 1 # Read SEC-MON status register
If any factory fuses are still zero, transition is blocked.
3. Trusted Execution Environment (TEE)
The architecture physically isolates "Trusted" software from "Non-Trusted" software (like the Linux Kernel).
- Trust Space vs. Normal Space: The CPU uses a "Security Bit" (often referred to as the Secure/Non-secure bit in ARM TrustZone terminology, or Privilege levels in Power Architecture).
- Memory Partitioning: The hardware blocks access to secure memory regions when the processor is running non-secure code. This means even if the main OS (Linux) is hacked (e.g., a buffer overflow), the attacker cannot read the cryptographic keys or modify the secure bootloader because the hardware enforces the boundary.
Chapter 3: Runtime Defenses – The Sneakernet Stops Here
Once the OS is running, TA 2.1 enforces runtime integrity through:
- Run-Time Integrity Checking (RTIC): Periodically re-verifies critical code segments or immutable data against precomputed signatures.
- Central Security Unit (CSU): A system of registers that defines access rights (secure vs. non-secure, supervisor vs. user) to peripherals, memory regions, and debug interfaces. The user guide shows how to configure the CSU to lock JTAG, cJTAG, and trace ports after boot.
- Trusted Platform Module (TPM) emulation: TA 2.1 can present a TPM 2.0 interface to the OS using its internal secure non-volatile storage.
