# QFPROM fuses

QFPROM fuses are used to store cryptographic keys that authenticate software images during the secure boot process. This ensures that only authorized software can run on the device.

QFPROM uses a fusing mechanism in which registers are programmed by blowing fuses to store permanent data. This is a one-time operation that can’t be undone. The following tables list the QFPROM fuse values and details; blowing these fuses enables secure boot.

The fuse tables are listed per chipset, in this order:

- QCS5430/QCS6490
- QCS9075/QCS9100
- QCS8275

| Fuse name | Start address | Bit number | Fuse blow value | Description |
| --- | --- | --- | --- | --- |
| **Read permissions** |  |  |  |  |
| Secondary key derivation key read disable | 7801A8 | 24 | 1 | After provisioning the SKDK, blow this bit to secure the secondary key from being read back. A secure hardware path exists from the SKDK to the crypto engine. |
| **Write permissions** |  |  |  |  |
| Read permissions write disable | 7801B0 | 6 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| FEC enables write disable | 7801B0 | 8 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| OEM configuration write disable | 7801B0 | 9 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| Public key hash 0 write disable | 7801B0 | 17 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| OEM secure boot write disable | 7801B0 | 23 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| Secondary key derivation key write disable | 7801B0 | 24 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| **FEC enable** |  |  |  |  |
| OEM secure boot FEC enable | 7801B8 | 23 | 1 | To enable FEC for OEM secure boot region, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. |
| Secondary key derivation key FEC enable | 7801B8 | 24 | 1 | To enable FEC for the secondary KDF key, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. |
| **OEM Config** |  |  |  |  |
| `WDOG_EN` | 7801C0 | 14 | 1 | Prevents the `WDOG_DISABLE` GPIO from disabling WDOG, freeing up the GPIO and preventing potential abuse by an attacker. |
| `SHARED_QSEE_SPIDEN_DISABLE` | 7801C0 | 30 | 1 | A shared Qualcomm TEE secure invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. |
| `SHARED_QSEE_SPNIDEN_DISABLE` | 7801C0 | 31 | 1 | A shared Qualcomm TEE secure non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. |
| `SHARED_MSS_DBGEN_DISABLE` | 7801C4 | 32 | 1 | A shared MSS invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. |
| `SHARED_MSS_NIDEN_DISABLE` | 7801C4 | 33 | 1 | A shared MSS non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `SHARED_CP_DBGEN_DISABLE` | 7801C4 | 34 | 1 | A shared CP invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. |
| `SHARED_CP_NIDEN_DISABLE` | 7801C4 | 35 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `SHARED_NS_DBGEN_DISABLE` | 7801C4 | 36 | 1 | A shared NS invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `SHARED_NS_NIDEN_DISABLE` | 7801C4 | 37 | 1 | A shared NS non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `APPS_DBGEN_DISABLE` | 7801C4 | 38 | 1 | Blow this bit for a secure solution. This configuration disables the application processor global invasive debug capabilities (JTAG and monitor mode). The `OVERRIDE` registers can override this configuration. |
| `APPS_NIDEN_DISABLE` | 7801C4 | 39 | 1 | Blow this bit for a secure solution. This configuration disables the application processor global non-invasive debug capabilities (trace and performance monitoring). This configuration can be overridden with the `OVERRIDE` registers. |
| `SHARED_MISC_DEBUG_DISABLE` | 7801C4 | 40 | 1 | A shared miscellaneous debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `EKU_ENFORCEMENT_EN` | 7801C8 | 30 | 1 | To enable enforcement of the EKU field in the certificate, blow this bit. |
| `OEM_HW_ID[0:15]` | 7801CC | [32:47] | 0 | Represents the OEM hardware ID. Bits 15:0. |
| `OEM_PRODUCT_ID[0:15]` | 7801CC | [48:63] | 0 | Represents the OEM product ID. Bits 15:0. |
| `ANTI_ROLLBACK_FEATURE_EN[0]` | 7801D4 | 32 | 1 | Bit 0 - `BOOT_ANTI_ROLLBACK_EN`<br>Bit 1 - `TZAPPS_ANTI_ROLLBACK_EN`<br>Bit 2 - `PILSUBSYS_ANTI_ROLLBACK_EN`<br>Bit 3 - `MSA_ANTI_ROLLBACK_EN` |
| `ANTI_ROLLBACK_FEATURE_EN[1]` | 7801D4 | 33 | 1 | Bit 0 - `BOOT_ANTI_ROLLBACK_EN`<br>Bit 1 - `TZAPPS_ANTI_ROLLBACK_EN`<br>Bit 2 - `PILSUBSYS_ANTI_ROLLBACK_EN`<br>Bit 3 - `MSA_ANTI_ROLLBACK_EN` |
| `ANTI_ROLLBACK_FEATURE_EN[2]` | 7801D4 | 34 | 1 | Bit 0 - `BOOT_ANTI_ROLLBACK_EN`<br>Bit 1 - `TZAPPS_ANTI_ROLLBACK_EN`<br>Bit 2 - `PILSUBSYS_ANTI_ROLLBACK_EN`<br>Bit 3 - `MSA_ANTI_ROLLBACK_EN` |
| `ANTI_ROLLBACK_FEATURE_EN[3]` | 7801D4 | 35 | 1 | Bit 0 - `BOOT_ANTI_ROLLBACK_EN`<br>Bit 1 - `TZAPPS_ANTI_ROLLBACK_EN`<br>Bit 2 - `PILSUBSYS_ANTI_ROLLBACK_EN`<br>Bit 3 - `MSA_ANTI_ROLLBACK_EN` |
| **PK hash** |  |  |  |  |
| `PK hash 0[0:383]` | 780248 | [0:383] |  | The OEM-specific root certificate PK hash value. |
| **OEM secure boot** |  |  |  |  |
| `OEM_SECURE_BOOT1_PK_HASH_IN_FUSE` | 780728 | 4 | 1 | When this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. |
| `OEM_SECURE_BOOT1_AUTH_EN` | 780728 | 5 | 1 | To enable secure boot for apps and other peripheral images, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 1. |
| `OEM_SECURE_BOOT2_PK_HASH_IN_FUSE` | 780728 | 12 | 1 | For boot configuration 2:<br><br>If this bit is ‘0’, use the internal ROM hash index and `OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0]` for the root certificate hash.<br><br>If this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. |
| `OEM_SECURE_BOOT2_AUTH_EN` | 780728 | 13 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot. |
| `OEM_SECURE_BOOT3_PK_HASH_IN_FUSE` | 780728 | 20 | 1 | For boot configuration 3:<br><br>If this bit is ‘0’, use the internal ROM hash index and `OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0]` for the root certificate hash.<br><br>When this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. |
| `OEM_SECURE_BOOT3_AUTH_EN` | 780728 | 21 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 3. |
| **Sec key derivation key** |  |  |  |  |
| `Sec Key derivation Key[0:255]` | 780738 | [0:255] |  | This 256-bit value is the secondary key derivation input used to generate the secondary key for the crypto engine. When running in an insecure mode (no secure boot, or debug enabled), the SKDK is fed into the key derivation function to generate a unique non-secure secondary key for use by the crypto engine.<br><br>When running in a secure mode (secure boot enabled and debug disabled), the SKDK is fed directly to the crypto engine as the secondary key.<br><br>After the SKDK value has been correctly programmed, the SKDK Read Disable fuse must be blown to permanently protect the SKDK value. Until that fuse is blown, software can read the SKDK value from the QFPROM.<br><br>The SBL fuse blow API can automatically generate a random number for use as the SKDK, ensuring that the SKDK value is never available outside of the device. |

| Fuse name | Start address | Bit number | Fuse blow value | Description |
| --- | --- | --- | --- | --- |
| **Read permissions** |  |  |  |  |
| Secondary key derivation key read disable | 780190 | 31 | 1 | After provisioning the SKDK, blow this bit to secure the secondary key from being read back. A secure hardware path exists from the SKDK to the crypto engine. |
| **Write permissions** |  |  |  |  |
| Read permissions write disable | 780198 | 5 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| FEC enables write disable | 780198 | 7 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| OEM configuration write disable | 780198 | 8 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| Public key hash 0 write disable | 780198 | 24 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| OEM secure boot write disable | 780198 | 30 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| Secondary key derivation key write disable | 780198 | 31 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| **FEC enable** |  |  |  |  |
| OEM secure boot FEC enable | 7801A0 | 30 | 1 | To enable FEC for OEM secure boot region, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. |
| Secondary key derivation key FEC enable | 7801A0 | 31 | 1 | To enable FEC for the secondary KDF key, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. |
| **OEM Config** |  |  |  |  |
| `WDOG_EN` | 7801A8 | 14 | 1 | Prevents the `WDOG_DISABLE` GPIO from disabling WDOG, freeing up the GPIO and preventing potential abuse by an attacker. |
| `SHARED_QSEE_SPIDEN_DISABLE` | 7801A8 | 30 | 1 | A shared Qualcomm TEE secure invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. |
| `SHARED_QSEE_SPNIDEN_DISABLE` | 7801A8 | 31 | 1 | A shared Qualcomm TEE secure non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. |
| `SHARED_MSS_DBGEN_DISABLE` | 7801AC | 32 | 1 | A shared MSS invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. |
| `SHARED_MSS_NIDEN_DISABLE` | 7801AC | 33 | 1 | A shared MSS non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `SHARED_CP_DBGEN_DISABLE` | 7801AC | 34 | 1 | A shared CP invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. |
| `SHARED_CP_NIDEN_DISABLE` | 7801AC | 35 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `SHARED_NS_DBGEN_DISABLE` | 7801AC | 36 | 1 | A shared NS invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `SHARED_NS_NIDEN_DISABLE` | 7801AC | 37 | 1 | A shared NS non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `APPS_DBGEN_DISABLE` | 7801AC | 38 | 1 | Blow this bit for a secure solution. This configuration disables the application processor global invasive debug capabilities (JTAG and monitor mode). The `OVERRIDE` registers can override this configuration. |
| `APPS_NIDEN_DISABLE` | 7801AC | 39 | 1 | Blow this bit for a secure solution. This configuration disables the application processor global non-invasive debug capabilities (trace and performance monitoring). This configuration can be overridden with the `OVERRIDE` registers. |
| `SHARED_MISC_DEBUG_DISABLE` | 7801AC | 40 | 1 | A shared miscellaneous debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `EKU_ENFORCEMENT_EN` | 7801B0 | 30 | 1 | To enable enforcement of the EKU field in the certificate, blow this bit. |
| `OEM_HW_ID[0:15]` | 7801B4 | [32:47] | 0 | Represents the OEM hardware ID. Bits 15:0. |
| `OEM_PRODUCT_ID[0:15]` | 7801B4 | [48:63] | 0 | Represents the OEM product ID. Bits 15:0. |
| `ANTI_ROLLBACK_FEATURE_EN[0]` | 7801BC | 32 | 1 | Bit 0 - `BOOT_ANTI_ROLLBACK_EN`<br>Bit 1 - `TZAPPS_ANTI_ROLLBACK_EN`<br>Bit 2 - `PILSUBSYS_ANTI_ROLLBACK_EN`<br>Bit 3 - `MSA_ANTI_ROLLBACK_EN` |
| `ANTI_ROLLBACK_FEATURE_EN[1]` | 7801BC | 33 | 1 | Bit 0 - `BOOT_ANTI_ROLLBACK_EN`<br>Bit 1 - `TZAPPS_ANTI_ROLLBACK_EN`<br>Bit 2 - `PILSUBSYS_ANTI_ROLLBACK_EN`<br>Bit 3 - `MSA_ANTI_ROLLBACK_EN` |
| `ANTI_ROLLBACK_FEATURE_EN[2]` | 7801BC | 34 | 1 | Bit 0 - `BOOT_ANTI_ROLLBACK_EN`<br>Bit 1 - `TZAPPS_ANTI_ROLLBACK_EN`<br>Bit 2 - `PILSUBSYS_ANTI_ROLLBACK_EN`<br>Bit 3 - `MSA_ANTI_ROLLBACK_EN` |
| `ANTI_ROLLBACK_FEATURE_EN[3]` | 7801BC | 35 | 1 | Bit 0 - `BOOT_ANTI_ROLLBACK_EN`<br>Bit 1 - `TZAPPS_ANTI_ROLLBACK_EN`<br>Bit 2 - `PILSUBSYS_ANTI_ROLLBACK_EN`<br>Bit 3 - `MSA_ANTI_ROLLBACK_EN` |
| **PK hash** |  |  |  |  |
| `PK hash 0[0:383]` | 7802A0 | [0:383] |  | The OEM-specific root certificate PK hash value. |
| **OEM secure boot** |  |  |  |  |
| `OEM_SECURE_BOOT1_PK_HASH_IN_FUSE` | 780D78 | 4 | 1 | When this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. |
| `OEM_SECURE_BOOT1_AUTH_EN` | 780D78 | 5 | 1 | To enable secure boot for apps and other peripheral images, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 1. |
| `OEM_SECURE_BOOT2_PK_HASH_IN_FUSE` | 780D78 | 12 | 1 | For boot configuration 2:<br><br>If this bit is ‘0’, use the internal ROM hash index and `OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0]` for the root certificate hash.<br><br>If this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. |
| `OEM_SECURE_BOOT2_AUTH_EN` | 780D78 | 13 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot. |
| `OEM_SECURE_BOOT3_PK_HASH_IN_FUSE` | 780D78 | 20 | 1 | For boot configuration 3:<br><br>If this bit is ‘0’, use the internal ROM hash index and `OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0]` for the root certificate hash.<br><br>When this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. |
| `OEM_SECURE_BOOT3_AUTH_EN` | 780D78 | 21 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 3. |
| **Sec key derivation key** |  |  |  |  |
| `Sec Key derivation Key[0:255]` | 780D88 | [0:255] |  | This 256-bit value is the secondary key derivation input used to generate the secondary key for the crypto engine. When running in an insecure mode (no secure boot, or debug enabled), the SKDK is fed into the key derivation function to generate a unique non-secure secondary key for use by the crypto engine.<br><br>When running in a secure mode (secure boot enabled and debug disabled), the SKDK is fed directly to the crypto engine as the secondary key.<br><br>After the SKDK value has been correctly programmed, the SKDK Read Disable fuse must be blown to permanently protect the SKDK value. Until that fuse is blown, software can read the SKDK value from the QFPROM.<br><br>The SBL fuse blow API can automatically generate a random number for use as the SKDK, ensuring that the SKDK value is never available outside of the device. |

| Fuse name | Start address | Bit number | Fuse blow value | Description |
| --- | --- | --- | --- | --- |
| **Read permissions** |  |  |  |  |
| Secondary key derivation key read disable | 780190 | 31 | 1 | After provisioning the SKDK, blow this bit to secure the secondary key from being read back. A secure hardware path exists from the SKDK to the crypto engine. |
| **Write permissions** |  |  |  |  |
| Read permissions write disable | 780198 | 5 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| FEC enables write disable | 780198 | 7 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| OEM configuration write disable | 780198 | 8 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| Public key hash 0 write disable | 780198 | 24 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| OEM secure boot write disable | 780198 | 30 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| Secondary key derivation key write disable | 780198 | 31 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| **FEC enable** |  |  |  |  |
| OEM secure boot FEC enable | 7801A0 | 30 | 1 | To enable FEC for OEM secure boot region, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. |
| Secondary key derivation key FEC enable | 7801A0 | 31 | 1 | To enable FEC for the secondary KDF key, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. |
| **OEM Config** |  |  |  |  |
| `WDOG_EN` | 7801A8 | 14 | 1 | Prevents the `WDOG_DISABLE` GPIO from disabling WDOG, freeing up the GPIO and preventing potential abuse by an attacker. |
| `SHARED_QSEE_SPIDEN_DISABLE` | 7801A8 | 30 | 1 | A shared Qualcomm TEE secure invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. |
| `SHARED_QSEE_SPNIDEN_DISABLE` | 7801A8 | 31 | 1 | A shared Qualcomm TEE secure non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. |
| `SHARED_MSS_DBGEN_DISABLE` | 7801AC | 32 | 1 | A shared MSS invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. |
| `SHARED_MSS_NIDEN_DISABLE` | 7801AC | 33 | 1 | A shared MSS non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `SHARED_CP_DBGEN_DISABLE` | 7801AC | 34 | 1 | A shared CP invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. |
| `SHARED_CP_NIDEN_DISABLE` | 7801AC | 35 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `SHARED_NS_DBGEN_DISABLE` | 7801AC | 36 | 1 | A shared NS invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `SHARED_NS_NIDEN_DISABLE` | 7801AC | 37 | 1 | A shared NS non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `APPS_DBGEN_DISABLE` | 7801AC | 38 | 1 | Blow this bit for a secure solution. This configuration disables the application processor global invasive debug capabilities (JTAG and monitor mode). The `OVERRIDE` registers can override this configuration. |
| `APPS_NIDEN_DISABLE` | 7801AC | 39 | 1 | Blow this bit for a secure solution. This configuration disables the application processor global non-invasive debug capabilities (trace and performance monitoring). This configuration can be overridden with the `OVERRIDE` registers. |
| `SHARED_MISC_DEBUG_DISABLE` | 7801AC | 40 | 1 | A shared miscellaneous debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| `EKU_ENFORCEMENT_EN` | 7801B0 | 30 | 1 | To enable enforcement of the EKU field in the certificate, blow this bit. |
| `OEM_HW_ID[0:15]` | 7801B4 | [32:47] | 0 | Represents the OEM hardware ID. Bits 15:0. |
| `OEM_PRODUCT_ID[0:15]` | 7801B4 | [48:63] | 0 | Represents the OEM product ID. Bits 15:0. |
| `ANTI_ROLLBACK_FEATURE_EN[0]` | 7801BC | 32 | 1 | Bit 0 - `BOOT_ANTI_ROLLBACK_EN`<br>Bit 1 - `TZAPPS_ANTI_ROLLBACK_EN`<br>Bit 2 - `PILSUBSYS_ANTI_ROLLBACK_EN`<br>Bit 3 - `MSA_ANTI_ROLLBACK_EN` |
| `ANTI_ROLLBACK_FEATURE_EN[1]` | 7801BC | 33 | 1 | Bit 0 - `BOOT_ANTI_ROLLBACK_EN`<br>Bit 1 - `TZAPPS_ANTI_ROLLBACK_EN`<br>Bit 2 - `PILSUBSYS_ANTI_ROLLBACK_EN`<br>Bit 3 - `MSA_ANTI_ROLLBACK_EN` |
| `ANTI_ROLLBACK_FEATURE_EN[2]` | 7801BC | 34 | 1 | Bit 0 - `BOOT_ANTI_ROLLBACK_EN`<br>Bit 1 - `TZAPPS_ANTI_ROLLBACK_EN`<br>Bit 2 - `PILSUBSYS_ANTI_ROLLBACK_EN`<br>Bit 3 - `MSA_ANTI_ROLLBACK_EN` |
| `ANTI_ROLLBACK_FEATURE_EN[3]` | 7801BC | 35 | 1 | Bit 0 - `BOOT_ANTI_ROLLBACK_EN`<br>Bit 1 - `TZAPPS_ANTI_ROLLBACK_EN`<br>Bit 2 - `PILSUBSYS_ANTI_ROLLBACK_EN`<br>Bit 3 - `MSA_ANTI_ROLLBACK_EN` |
| **PK hash** |  |  |  |  |
| `PK hash 0[0:383]` | 7802A0 | [0:383] |  | The OEM-specific root certificate PK hash value. |
| **OEM secure boot** |  |  |  |  |
| `OEM_SECURE_BOOT1_PK_HASH_IN_FUSE` | 780DA8 | 4 | 1 | When this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. |
| `OEM_SECURE_BOOT1_AUTH_EN` | 780DA8 | 5 | 1 | To enable secure boot for apps and other peripheral images, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 1. |
| `OEM_SECURE_BOOT2_PK_HASH_IN_FUSE` | 780DA8 | 12 | 1 | For boot configuration 2:<br><br>If this bit is ‘0’, use the internal ROM hash index and `OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0]` for the root certificate hash.<br><br>If this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. |
| `OEM_SECURE_BOOT2_AUTH_EN` | 780DA8 | 13 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot. |
| `OEM_SECURE_BOOT3_PK_HASH_IN_FUSE` | 780DA8 | 20 | 1 | For boot configuration 3:<br><br>If this bit is ‘0’, use the internal ROM hash index and `OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0]` for the root certificate hash.<br><br>When this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. |
| `OEM_SECURE_BOOT3_AUTH_EN` | 780DA8 | 21 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 3. |
| **Sec key derivation key** |  |  |  |  |
| `Sec Key derivation Key[0:255]` | 780DB8 | [0:255] |  | This 256-bit value is the secondary key derivation input used to generate the secondary key for the crypto engine. When running in an insecure mode (no secure boot, or debug enabled), the SKDK is fed into the key derivation function to generate a unique non-secure secondary key for use by the crypto engine.<br><br>When running in a secure mode (secure boot enabled and debug disabled), the SKDK is fed directly to the crypto engine as the secondary key.<br><br>After the SKDK value has been correctly programmed, the SKDK Read Disable fuse must be blown to permanently protect the SKDK value. Until that fuse is blown, software can read the SKDK value from the QFPROM.<br><br>The SBL fuse blow API can automatically generate a random number for use as the SKDK, ensuring that the SKDK value is never available outside of the device. |
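
The tables mix two addressing forms: some rows give an 8-byte-aligned start address with bit numbers below 32, others give an address ending in 4 or C with bit numbers 32 and up. The following added example (not Qualcomm code) audits a fuse readback against a few rows of the first table on this page. It assumes 64-bit fuse rows with bit numbers counted from the row base, which is inferred from the table rather than stated by it; `locate`, `read_bit`, `audit` and the dump format (row base address mapped to a 64-bit value) are hypothetical, and both sample dumps are constructed.

```python
"""Audit a QFPROM readback against rows of the fuse table (added example)."""

# Assumption: fuse rows are 64 bits wide and "Bit number" counts from the
# 8-byte-aligned row base. Inferred from table rows such as 7801C4 / bit 38.
ROW_BYTES = 8

# (fuse name, start address, bit number) copied from the first fuse table on
# this page. Every entry listed here has "Fuse blow value" 1.
REQUIRED = [
    ("Secondary key derivation key read disable", 0x7801A8, 24),
    ("Public key hash 0 write disable", 0x7801B0, 17),
    ("OEM secure boot write disable", 0x7801B0, 23),
    ("APPS_DBGEN_DISABLE", 0x7801C4, 38),
    ("APPS_NIDEN_DISABLE", 0x7801C4, 39),
    ("OEM_SECURE_BOOT1_PK_HASH_IN_FUSE", 0x780728, 4),
    ("OEM_SECURE_BOOT1_AUTH_EN", 0x780728, 5),
]

# PK hash 0 occupies bits [0:383] from 780248, that is six 64-bit rows.
PK_HASH0_ROWS = [0x780248 + i * ROW_BYTES for i in range(384 // 64)]


def locate(addr, bit):
    """Map a table (start address, bit number) pair to (row base, bit in row)."""
    row = addr & ~(ROW_BYTES - 1)
    in_upper_word = bool(addr & 4)
    # An address in the upper 32-bit word must carry a bit number of 32..63,
    # and the reverse. A mismatch means the row was transcribed incorrectly.
    if not 0 <= bit < 64 or in_upper_word != (bit >= 32):
        raise ValueError(f"address {addr:#x} and bit {bit} name different words")
    return row, bit


def read_bit(dump, addr, bit):
    """Return 0 or 1, or None when the row is absent from the readback."""
    row, pos = locate(addr, bit)
    if row not in dump:
        return None
    return (dump[row] >> pos) & 1


def audit(dump):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, addr, bit in REQUIRED:
        value = read_bit(dump, addr, bit)
        if value is None:
            findings.append(f"{name}: row {locate(addr, bit)[0]:#x} not in dump")
        elif value == 0:
            findings.append(f"{name}: not blown")
    # Added sanity check, not a rule from the table: a root hash that reads
    # back as all zeros while PK_HASH_IN_FUSE selects it points to a fuse set
    # that was locked in before the hash region was provisioned.
    hash_rows = [dump.get(row) for row in PK_HASH0_ROWS]
    if all(v == 0 for v in hash_rows) and read_bit(dump, 0x780728, 4) == 1:
        findings.append("PK hash 0: all zero while PK_HASH_IN_FUSE is blown")
    return findings


# Constructed readback: all audited bits blown, non-zero placeholder hash rows.
PROVISIONED = {
    0x7801A8: 1 << 24,
    0x7801B0: (1 << 17) | (1 << 23),
    0x7801C0: (1 << 38) | (1 << 39),
    0x780728: (1 << 4) | (1 << 5),
    **{row: 0x0123456789ABCDEF for row in PK_HASH0_ROWS},
}

# Constructed readback: write-permission row missing, non-invasive debug still
# open, and secure boot pointed at an unprovisioned hash.
PARTIAL = {
    0x7801A8: 1 << 24,
    0x7801C0: 1 << 38,
    0x780728: (1 << 4) | (1 << 5),
    **{row: 0 for row in PK_HASH0_ROWS},
}

if __name__ == "__main__":
    for label, dump in (("provisioned", PROVISIONED), ("partial", PARTIAL)):
        print(label)
        for finding in audit(dump) or ["all audited fuses blown"]:
            print("  " + finding)
```

A row that is missing from the readback is reported separately from a bit that reads 0, so an unreadable region is never counted as blown or as unblown.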

## Next steps

- To ensure that the cryptographic keys and certificates are generated and managed in a secure and trusted environment, see [Generate local (insecure) root key and certificate](https://docs.qualcomm.com/doc/80-70018-11/topic/generate-local-insecure-root-key-and-certificates.html#generate-local-insecure-root-key-and-certificate).
- To enhance device security by providing stronger cryptographic protection and better performance, you must generate the ECDSA root key and certificate. For more information, see [Generate ECDSA root key and certificate](https://docs.qualcomm.com/doc/80-70018-11/topic/generate-ecdsa-root-key-and-certificate.html#generate-ecdsa-root-key-and-certificate).

Last Published: Apr 10, 2025


Source: [https://docs.qualcomm.com/doc/80-70018-11/topic/appendix-fuse-configurations.html](https://docs.qualcomm.com/doc/80-70018-11/topic/appendix-fuse-configurations.html)