# Bring up
Source: [https://docs.qualcomm.com/doc/80-70015-11/topic/bring-up.html](https://docs.qualcomm.com/doc/80-70015-11/topic/bring-up.html)
You can verify the status of various security features.
Note: Remember to run all the SSH
commands in the SELinux permissive mode. The enforcing mode will be supported
in the future. For instructions on how to connect to the device, see [Qualcomm Linux Build Guide ➝ How to ➝ Use
SSH](https://docs.qualcomm.com/bundle/publicresource/topics/80-70015-254/how_to.html#use-ssh).
## Verify TrustZone/Device configuration/Hypervisor image loading
The XBL logs contain information about the TrustZone/Device configuration/Hypervisor
image loading.
For example:
- Device configuration (DEVCFG)
`B - 1206031 - QSEE Dev Config - Image
Load, Start `
`D - 763 - Auth Metadata
`
`D - 549 - Segments hash check
`
`D - 13054 - QSEE Dev Config - Image Loaded,
Delta - (53248 Bytes)`
- TrustZone
`B - 1228113 - QSEE - Image Load, Start
`
`D - 26382 - Auth Metadata
`
`D - 22234 - Segments hash check
`
`D - 88999 - QSEE - Image Loaded, Delta -
(4027792 Bytes)`
- Hypervisor
`B - 1402237 - QHEE - Image Load, Start
`
`D - 26383 - Auth Metadata
`
`D - 7045 - Segments hash check
`
`D - 35258 - QHEE - Image Loaded, Delta -
(1491024 Bytes)`
- APDP
`B - 978348 - APDP - Image Load, Start`
`D
- 42212 - Auth Metadata`
`D - 458 - Segments hash
check`
`D - 48434 - APDP - Image Loaded, Delta -
(17332 Bytes)`
## Verify secure boot
The XBL logs contain the secure boot status of the device. The logs include
information about the boot interface, secure boot status, boot configuration, JTAG
ID, OEM ID, and serial number.
S - Format: Log Type - Time(microsec) - Message - Optional Info
S - Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.MXF.1.0.c1-00037-KODIAKLA-1
S - IMAGE_VARIANT_STRING=SocKodiakLAA
S - OEM_IMAGE_VERSION_STRING=hu-apasunur-hyd
S - Boot Interface: USB
S - Secure Boot: On
S - Boot Config @ 0x00786070 = 0x000000c1
S - JTAG ID @ 0x00786130 = 0x001970e1
S - OEM ID @ 0x00786138 = 0x00000000
S - Serial Number @ 0x00786134 = 0x4172f1dd Copy to clipboard
## Verify SELinux status
1. Verify the kernel
configuration:
CONFIG_SECURITY_SELINUX=yCopy to clipboard
2. Connect to the device via SSH.
3. View the SELinux enable status and other details, by running the
`seinfo`
commands:
Statistics for policy file: /sys/fs/selinux/policy
Policy Version: 33 (MLS enabled)
Target Policy: selinux
Handle unknown classes: allow
Classes: 131 Permissions: 423
Sensitivities: 16 Categories: 1024
Types: 4376 Attributes: 319Copy to clipboard
4. Verify the SELinux enforce status from the console or connect to the device via
SSH:
getenforce
enforcing - if selinux is set to enableCopy to clipboard
## Verify PIL image loading – Sample logs
| WLAN (remoteproc1) | `730, 0x00000000000459B4 | 8.700828: remoteproc
remoteproc1: Remote processor 8a00000. Remoteproc is now
up` |
| --- | --- |
| cDSP (remoteproc3) | `735, 0x00000000000465A3 | 8.794052: remoteproc
remoteproc3: Remote processor a300000. Remoteproc is now up
` |
| aDSP (remoteproc2) | `741, 0x00000000000469FC | 8.828033: remoteproc
remoteproc2: Remote processor 3000000.remoteproc is now up
` |
| MODEM (remoteproc0) | `1035, 0x000000000006B78B | 13.433955: remoteproc
remoteproc0: Remote processor 4080000. Remoteproc is now up
` |
| A660\_zap | `sh-5.1# dmesg | grep gfx `
`[7.822629] kgsl-iommu SoC@0:QCOM,
kgsl-iommu@3da0000:gfx3d_user: Adding to iommu group 15
`
`[7.870446] kgsl-3d 3d00000.qcom, kgsl-3d0: bound
SoC@0:QCOM, kgsl-iommu@3da0000:gfx3d_user (ops
kgsl_mmu_cb_component_ops [msm_kgsl])` |
| Video (Vpu20\_1v.mbn) | `sh-5.1# dmesg | grep video`
`[7.094229] videodev: Linux video capture interface:
v2.00`
`[7.847469] qcom-iris aa00000.video-codec: Adding to iommu
group 17`
`[7.856647] qcom-iris aa00000.video-codec: no reset clocks
found`
`[10.131119] [drm] [msm-dsi-warn]: [nt36672e LCD video
mode DSI novatek panel with DSC] fall back to default
te-pin-select `
`[10.188079] [drm:dsi_display_bind [msm_drm]]
[msm-dsi-info]: Successfully bind display panel 'QCOM,
mdss_dsi_nt36672e_fhd_plus_120_video '`
|
## Verify Qualcomm TEE mink/global platform TEE API availability
1. Verify the availability of the library on the
device:
/usr/lib/
libmink*
libGPMTEE*
libGPTEE*Copy to clipboard
2. Verify if the mink listener service is
running:
ps -ef | grep qtee_supplicant and qtee_supplicant is running
ps -ef | grep ssgtzdCopy to clipboard
## Verify SMC invoke driver status
1. Connect to the device via SSH.
2. Verify if the `/dev/smcinvoke` node is present:
ls -l /dev/smcinvokeCopy to clipboard
## Verify Qualcomm WES status
This feature is available to licensed developers with authorized access to verify the
Qualcomm WES status. If you have access, see [Qualcomm Linux Security Guide - Addendum → Bring
up](https://docs.qualcomm.com/bundle/resource/topics/80-70015-11A/bring-up-fru.html).
## Check RPMB provision status
Connect to the device via SSH and run the following
command:
sh-5.1# rpmbClient smci -p 1Copy to clipboard
The following message is displayed:
------------------------------------------------------- SMCINVOKE
INTERFACE WARNING!!! You are about to provision the RPMB key. This is a ONE time
operation and CANNOT be reversed.
------------------------------------------------------- 0 -> Provision
Production key 1 -> Provision Test key 2 -> Check RPMB key provision status
------------------------------------------------------- Select an option to
proceed: 2 RMPB Key status: RPMB_KEY_NOT_PROVISIONED (f)
Last Published: Oct 14, 2024
[Previous Topic
Tools](https://docs.qualcomm.com/bundle/publicresource/80-70015-11/topics/tools.md) [Next Topic
Configure](https://docs.qualcomm.com/bundle/publicresource/80-70015-11/topics/configure.md)