Re: [PATCH v3] misc: Add RZG2L OTP support

[Mathieu Othacehe <othacehe@gnu.org>]

Hello Marek,

> If you do want to expose the fuses via SMC , then the fuse region has to be
> secure only , so only TFA can access it . TFA can then decide which exact fuse
> the user can or can not read or program, on a single fuse granularity.
>
> By default, non-secure user should be able to read some select fuses (IDs),
> program no fuses. User should have the ability to expose some select fuses as
> programmable, for manufacturing purposes.
>
> Mathieu, which fuses exactly do you plan to program ?

I plan to program all fuses (enable secureboot, ROT hash, user
encryption keys) using U-Boot directly or U-Boot + TF-A during
manufacturing.

I then see two possibilities:

1. During manufacturing, use a specific TF-A that allows fusing from the
non-secure world (with SYS_SLVACCCTL7 register). Fuse directly
everything from U-Boot, using the patch under review. Then, flash the
regular, default TF-A that does not allow fusing from the non-secure
world.

2. During manufacturing, use a specific TF-A that allows, via SMC,
fusing everything from the non-secure world. Write a new U-Boot driver
that performs fusing through SMC. Use it to fuse everything from U-Boot
during manufacturing. Then, flash the regular, default TF-A that only
allows specific ID fuse read via SMC.

Both options require a specific TF-A during manufacturing. The only real
difference to me is that with option 2, we can allow ID fuse read from
U-Boot via SMC during regular use.

What do you think?

Thanks,

Mathieu