# Bring up
You can verify the status of various security features.
Note
Remember to run all the SSH commands in the SELinux permissive mode. The enforcing mode will be supported in the future. For instructions on how to connect to the device, see [Qualcomm Linux Build Guide ➝ How to ➝ Log in using SSH](https://docs.qualcomm.com/bundle/publicresource/topics/80-70017-254/how_to.html#use-ssh).
## Verify TrustZone/Device configuration/Hypervisor image loading
The XBL logs contain information about the TrustZone/Device
configuration/Hypervisor image loading.
For example:
- Device configuration (DEVCFG)
`B - 1206031 - QSEE Dev Config - Image Load, Start`
`D - 763 - Auth Metadata`
`D - 549 - Segments hash check`
`D - 13054 - QSEE Dev Config - Image Loaded, Delta - (53248 Bytes)`
- TrustZone
`B - 1228113 - QSEE - Image Load, Start`
`D - 26382 - Auth Metadata`
`D - 22234 - Segments hash check`
`D - 88999 - QSEE - Image Loaded, Delta - (4027792 Bytes)`
- Hypervisor
`B - 1402237 - QHEE - Image Load, Start`
`D - 26383 - Auth Metadata`
`D - 7045 - Segments hash check`
`D - 35258 - QHEE - Image Loaded, Delta - (1491024 Bytes)`
- APDP
`B - 978348 - APDP - Image Load, Start`
`D - 42212 - Auth Metadata`
`D - 458 - Segments hash check`
`D - 48434 - APDP - Image Loaded, Delta - (17332 Bytes)`
## Verify secure boot
The XBL logs contain the secure boot status of the device. The logs
include information about the boot interface, secure boot status, boot
configuration, JTAG\_ID, OEM\_ID, and serial number.
S - Format: Log Type - Time(microsec) - Message - Optional Info
S - Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.MXF.1.0.c1-00037-KODIAKLA-1
S - IMAGE_VARIANT_STRING=SocKodiakLAA
S - OEM_IMAGE_VERSION_STRING=hu-apasunur-hyd
S - Boot Interface: USB **
S - Secure Boot: On **
S - Boot Config @ 0x00786070 = 0x000000c1
S - JTAG ID @ 0x00786130 = 0x001970e1
S - OEM ID @ 0x00786138 = 0x00000000
S - Serial Number @ 0x00786134 = 0x4172f1dd
Copy to clipboard
## Verify SELinux status
1. Verify the kernel configuration.
CONFIG_SECURITY_SELINUX=y
Copy to clipboard
2. Connect to the device using SSH.
3. View the SELinux enable status and other details, by running the
`seinfo` commands.
Statistics for policy file: /sys/fs/selinux/policy
Policy Version: 33 (MLS enabled)
Target Policy: selinux
Handle unknown classes: allow
Classes: 131 Permissions: 423
Sensitivities: 16 Categories: 1024
Types: 4376 Attributes: 319
Copy to clipboard
4. Verify the SELinux enforce status from the console or connect to the
device using SSH.
getenforce
enforcing - if selinux is set to enable
Copy to clipboard
## Verify PIL image loading – Sample logs
>
>
> | WLAN (remoteproc1) | `730, 0x00000000000459B4 | 8.700828: remoteproc remoteproc1: Remote processor 8a00000. Remoteproc is now up` |
> | --- | --- |
> | cDSP (remoteproc3) | `735, 0x00000000000465A3 | 8.794052: remoteproc remoteproc3: Remote processor a300000. Remoteproc is now up` |
> | aDSP (remoteproc2) | `741, 0x00000000000469FC | 8.828033: remoteproc remoteproc2: Remote processor 3000000.remoteproc is now up` |
> | MODEM (remoteproc0) | `1035, 0x000000000006B78B | 13.433955: remoteproc remoteproc0: Remote processor 4080000. Remoteproc is now up` |
> | A660\_zap | `sh-5.1# dmesg | grep gfx`
`[7.822629] kgsl-iommu SoC@0:QCOM, kgsl-iommu@3da0000:gfx3d_user: Adding to iommu group 15`
`[7.870446] kgsl-3d 3d00000.qcom, kgsl-3d0: bound SoC@0:QCOM, kgsl-iommu@3da0000:gfx3d_user (ops kgsl_mmu_cb_component_ops [msm_kgsl])` |
> | Video (Vpu20\_1v.mbn) | `sh-5.1# dmesg | grep video`
`[7.094229] videodev: Linux video capture interface: v2.00`
`[7.847469] qcom-iris aa00000.video-codec: Adding to iommu group 17`
`[7.856647] qcom-iris aa00000.video-codec: no reset clocks found`
`[10.131119] [drm] [msm-dsi-warn]: [nt36672e LCD video mode DSI novatek panel with DSC] fall back to default te-pin-select`
`[10.188079] [drm:dsi_display_bind [msm_drm]] [msm-dsi-info]: Successfully bind display panel 'QCOM, mdss_dsi_nt36672e_fhd_plus_120_video '` |
## Verify Qualcomm TEE mink/global platform TEE API availability
1. Verify the availability of the library on the device.
/usr/lib/
libmink*
libGPMTEE*
libGPTEE*
Copy to clipboard
2. Verify if the mink listener service is running.
ps -ef | grep qtee_supplicant and qtee_supplicant is running
ps -ef | grep ssgtzd
Copy to clipboard
## Verify SMC invoke driver status
1. Connect to the device using SSH.
2. Verify if the `/dev/smcinvoke` node is present:
ls -l /dev/smcinvoke
Copy to clipboard
## Verify Qualcomm WES status
This feature is available to licensed developers with authorized access
to verify the Qualcomm WES status. If you have access, see [Qualcomm Linux Security Guide - Addendum → Bring up](https://docs.qualcomm.com/bundle/resource/topics/80-70017-11A/bring-up-fru.html).
## Check RPMB provision status
Connect to the device using SSH and run the following command.
sh-5.1# rpmbClient smci -p 1
Copy to clipboard
The following message is displayed.
SMCINVOKE INTERFACE WARNING!!!
You are about to provision the RPMB key.
This is a ONE time operation and CANNOT be reversed.
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
0 -> Provision Production key
1 -> Provision Test key
2 -> Check RPMB key provision status
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Select an option to proceed: 2 RMPB Key status: RPMB\_KEY\_NOT\_PROVISIONED (f)
Last Published: Jan 30, 2025
[Previous Topic
Tools](https://docs.qualcomm.com/bundle/publicresource/80-70017-11/topics/tools.md) [Next Topic
Configure](https://docs.qualcomm.com/bundle/publicresource/80-70017-11/topics/configure.md)