# Set the QFPROM fuses Qualcomm fuse programmable read only memory (QFPROM) fuses store cryptographic keys that authenticate software images during the secure boot process. This ensures that only authorized software can run on the device. QFPROM uses a fusing mechanism to program registers by blowing fuses, thereby storing permanent data. This is a one-time operation that can’t be undone. The following table captures the QFPROM fuse values and details for QCS5430, QCS6490, Qualcomm Dragonwing^™^ IQ-9075, Qualcomm Dragonwing^™^ IQ-9100, Qualcomm Dragonwing^™^ IQ-8275, Qualcomm Dragonwing^™^ IQ-8300, and Qualcomm Dragonwing^™^ IQ-615. Secure boot is enabled when the respective fuses are blown. Tab QCS5430/QCS6490 Tab IQ-9075/IQ-9100 Tab IQ-8275/IQ-8300 Tab IQ-615 | Fuse name | Start address (in hexadecimal) | Bit number | Fuse blow value | Description | | --- | --- | --- | --- | --- | |
**Read permissions** |
**Read permissions** |
**Read permissions** |
**Read permissions** |
**Read permissions** | | Secondary Key derivation Key Read disable | 7801A8 | 24 | 1 | After provisioning the SKDK, blow this bit to secure the secondary key from being read back. A secure path hardware exists from SKDK to the crypto engine. | |
**Write permissions** |
**Write permissions** |
**Write permissions** |
**Write permissions** |
**Write permissions** | | Read permissions write disable | 7801B0 | 6 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | FEC enables write disable | 7801B0 | 8 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | OEM configuration write disable | 7801B0 | 9 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | Public key hash 0 write disable | 7801B0 | 17 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | OEM secure boot write disable | 7801B0 | 23 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | Secondary key derivation key write disable | 7801B0 | 24 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | |
**FEC enable** |
**FEC enable** |
**FEC enable** |
**FEC enable** |
**FEC enable** | | OEM secure boot FEC enable | 7801B8 | 23 | 1 | To enable FEC for OEM secure boot region, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. | | Secondary key derivation key FEC enable | 7801B8 | 24 | 1 | To enable FEC for the secondary KDF key, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. | |
**OEM Config** |
**OEM Config** |
**OEM Config** |
**OEM Config** |
**OEM Config** | | `WDOG_EN` | 7801C0 | 14 | 1 | Prevents the `WDOG_DISABLE` GPIO from disabling WDOG, freeing up the GPIO and preventing potential abuse by an attacker. | | `SHARED_QSEE_SPIDEN_DISABLE` | 7801C0 | 30 | 1 | A shared Qualcomm TEE secure invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_QSEE_SPNIDEN_DISABLE` | 7801C0 | 31 | 1 | A shared Qualcomm TEE secure non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_MSS_DBGEN_DISABLE` | 7801C4 | 32 | 1 | A shared MSS invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_MSS_NIDEN_DISABLE` | 7801C4 | 33 | 1 | A shared MSS non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `SHARED_CP_DBGEN_DISABLE` | 7801C4 | 34 | 1 | A shared CP invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_CP_NIDEN_DISABLE` | 7801C4 | 35 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `SHARED_NS_DBGEN_DISABLE` | 7801C4 | 36 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_NS_NIDEN_DISABLE` | 7801C4 | 37 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `APPS_DBGEN_DISABLE` | 7801C4 | 38 | 1 | Blow this bit for a secure solution. This configuration disables the application processor global invasive debug capabilities (JTAG and monitor mode). The `OVERRIDE` registers can override this configuration. | | `APPS_NIDEN_DISABLE` | 7801C4 | 39 | 1 | Blow this bit for a secure solution. This configuration disables the application processor global non-invasive debug capabilities (trace and performance monitoring). This configuration can be overridden with the `OVERRIDE` registers. | | `SHARED_MISC_DEBUG_DISABLE` | 7801C4 | 40 | 1 | A shared miscellaneous debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `EKU_ENFORCEMENT_EN` | 7801C8 | 30 | 1 | To enable enforcement of the EKU field in the certificate, blow this device. | | `OEM_HW_ID[0:15]` | 7801CC | [47:32] | 0 | Represents the OEM hardware ID. Bits 15:0. | | `OEM_PRODUCT_ID[0:15]` | 7801CC | [63:48] | 0 | Represents the OEM product ID. Bits 15:0. | | `ANTI_ROLLBACK_FEATURE_EN[0]` | 7801D4 | 32 | 1 | >
>
> | | `ANTI_ROLLBACK_FEATURE_EN[1]` | 7801D4 | 33 | 1 | >
>
> | | `ANTI_ROLLBACK_FEATURE_EN[2]` | 7801D4 | 34 | 1 | >
>
> | | `ANTI_ROLLBACK_FEATURE_EN[3]` | 7801D4 | 35 | 1 | >
>
> | |
**PK hash** |
**PK hash** |
**PK hash** |
**PK hash** |
**PK hash** | | `PK hash 0[383:0]` | 780248 | [383:0] | | The OEM-specific root certificate PK hash value. | |
**OEM secure boot** |
**OEM secure boot** |
**OEM secure boot** |
**OEM secure boot** |
**OEM secure boot** | | `OEM_SECURE_BOOT1_PK_HASH_IN_FUSE` | 780728 | 4 | 1 | When this bit is ‘1’, use the value stored in OEM\_PK\_HASH for the root certificate hash. | | `OEM_SECURE_BOOT1_AUTH_EN` | 780728 | 5 | 1 | To enable secure boot for apps and other peripheral images, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 1. | | `OEM_SECURE_BOOT2_PK_HASH_IN_FUSE` | 780728 | 12 | 1 | For boot configuration 2:


If this bit is ‘0’, use the internal ROM hash index and `OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0]` for the root certificate hash.


If this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. | | `OEM_SECURE_BOOT2_AUTH_EN` | 780728 | 13 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot. | | `OEM_SECURE_BOOT3_PK_HASH_IN_FUSE` | 780728 | 20 | 1 | For boot configuration 3:


If this bit is ‘0’, use the internal ROM hash index and `OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0]` for the root certificate hash.


When this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. | | `OEM_SECURE_BOOT3_AUTH_EN` | 780728 | 21 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 3. | |
**Sec key derivation key** |
**Sec key derivation key** |
**Sec key derivation key** |
**Sec key derivation key** |
**Sec key derivation key** | | `Sec Key derivation Key[255:0]` | 780738 | [255:0] | | This 256‑bit value is used as the secondary key derivation input, which is used to generate the secondary key for the crypto engine. When running in an insecure mode (no secure boot or Debug enabled), the SKDK is fed into the key derivation function to generate a unique non‑secure secondary key for use by the crypto engine.


When running in a secure mode (secure boot and debug disabled), the SKDK is fed directly to the crypto engine as the secondary key.


After the SKDK value has been correctly programmed, the SKDK Read Disable must be blown to permanently protect the SKDK value. The software reads the SKDK value from the QFPROM before this correction is made.


The SBL fuse blow API can automatically generate a random number for use as the SKDK, ensuring that the SKDK value is never available outside of the device. | | | | | | | | | | | | | | | | | | | | Fuse name | Start address (in hexadecimal) | Bit number | Fuse blow value | Description | | --- | --- | --- | --- | --- | |
**Read permissions** |
**Read permissions** |
**Read permissions** |
**Read permissions** |
**Read permissions** | | Secondary Key derivation Key Read disable | 780190 | 31 | 1 | After provisioning the SKDK, blow this bit to secure the secondary key from being read back. A secure path hardware exists from SKDK to the crypto engine. | |
**Write permissions** |
**Write permissions** |
**Write permissions** |
**Write permissions** |
**Write permissions** | | Read permissions write disable | 780198 | 5 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | FEC enables write disable | 780198 | 7 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | OEM configuration write disable | 780198 | 8 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | Public key hash 0 write disable | 780198 | 24 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | OEM secure boot write disable | 780198 | 30 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | Secondary key derivation key write disable | 780198 | 31 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | |
**FEC enable** |
**FEC enable** |
**FEC enable** |
**FEC enable** |
**FEC enable** | | OEM secure boot FEC enable | 7801A0 | 30 | 1 | To enable FEC for OEM secure boot region, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. | | Secondary key derivation key FEC enable | 7801A0 | 31 | 1 | To enable FEC for the secondary KDF key, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. | |
**OEM Config** |
**OEM Config** |
**OEM Config** |
**OEM Config** |
**OEM Config** | | `WDOG_EN` | 7801A8 | 14 | 1 | Prevents the `WDOG_DISABLE` GPIO from disabling WDOG, freeing up the GPIO and preventing potential abuse by an attacker. | | `SHARED_QSEE_SPIDEN_DISABLE` | 7801A8 | 30 | 1 | A shared Qualcomm TEE secure invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_QSEE_SPNIDEN_DISABLE` | 7801A8 | 31 | 1 | A shared Qualcomm TEE secure non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_MSS_DBGEN_DISABLE` | 7801AC | 32 | 1 | A shared MSS invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_MSS_NIDEN_DISABLE` | 7801AC | 33 | 1 | A shared MSS non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `SHARED_CP_DBGEN_DISABLE` | 7801AC | 34 | 1 | A shared CP invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_CP_NIDEN_DISABLE` | 7801AC | 35 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `SHARED_NS_DBGEN_DISABLE` | 7801AC | 36 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_NS_NIDEN_DISABLE` | 7801AC | 37 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `APPS_DBGEN_DISABLE` | 7801AC | 38 | 1 | Blow this bit for a secure solution. This configuration disables the application processor global invasive debug capabilities (JTAG and monitor mode). The `OVERRIDE` registers can override this configuration. | | `APPS_NIDEN_DISABLE` | 7801AC | 39 | 1 | Blow this bit for a secure solution. This configuration disables the application processor global non-invasive debug capabilities (trace and performance monitoring). This configuration can be overridden with the `OVERRIDE` registers. | | `SHARED_MISC_DEBUG_DISABLE` | 7801AC | 40 | 1 | A shared miscellaneous debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `EKU_ENFORCEMENT_EN` | 7801B0 | 30 | 1 | To enable enforcement of the EKU field in the certificate, blow this device. | | `OEM_HW_ID[0:15]` | 7801B4 | [47:32] | 0 | Represents the OEM hardware ID. Bits 15:0. | | `OEM_PRODUCT_ID[0:15]` | 7801B4 | [63:48] | 0 | Represents the OEM product ID. Bits 15:0. | | `ANTI_ROLLBACK_FEATURE_EN[0]` | 7801BC | 32 | 1 | >
>
> | | `ANTI_ROLLBACK_FEATURE_EN[1]` | 7801BC | 33 | 1 | >
>
> | | `ANTI_ROLLBACK_FEATURE_EN[2]` | 7801BC | 34 | 1 | >
>
> | | `ANTI_ROLLBACK_FEATURE_EN[3]` | 7801BC | 35 | 1 | >
>
> | |
**PK hash** |
**PK hash** |
**PK hash** |
**PK hash** |
**PK hash** | | `PK hash 0[383:0]` | 7802A0 | [383:0] | | The OEM-specific root certificate PK hash value. | |
**OEM secure boot** |
**OEM secure boot** |
**OEM secure boot** |
**OEM secure boot** |
**OEM secure boot** | | `OEM_SECURE_BOOT1_PK_HASH_IN_FUSE` | 780D78 | 4 | 1 | When this bit is ‘1’, use the value stored in OEM\_PK\_HASH for the root certificate hash. | | `OEM_SECURE_BOOT1_AUTH_EN` | 780D78 | 5 | 1 | To enable secure boot for apps and other peripheral images, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 1. | | `OEM_SECURE_BOOT2_PK_HASH_IN_FUSE` | 780D78 | 12 | 1 | For boot configuration 2:


If this bit is ‘0’, use the internal ROM hash index and `OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0]` for the root certificate hash.


If this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. | | `OEM_SECURE_BOOT2_AUTH_EN` | 780D78 | 13 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot. | | `OEM_SECURE_BOOT3_PK_HASH_IN_FUSE` | 780D78 | 20 | 1 | For boot configuration 3:


If this bit is ‘0’, use the internal ROM hash index and `OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0]` for the root certificate hash.


When this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. | | `OEM_SECURE_BOOT3_AUTH_EN` | 780D78 | 21 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 3. | |
**Sec key derivation key** |
**Sec key derivation key** |
**Sec key derivation key** |
**Sec key derivation key** |
**Sec key derivation key** | | `Sec Key derivation Key[255:0]` | 780D88 | [255:0] | | This 256‑bit value is used as the secondary key derivation input, which is used to generate the secondary key for the crypto engine. When running in an insecure mode (no secure boot or Debug enabled), the SKDK is fed into the key derivation function to generate a unique non‑secure secondary key for use by the crypto engine.


When running in a secure mode (secure boot and debug disabled), the SKDK is fed directly to the crypto engine as the secondary key.


After the SKDK value has been correctly programmed, the SKDK Read Disable must be blown to permanently protect the SKDK value. The software reads the SKDK value from the QFPROM before this correction is made.


The SBL fuse blow API can automatically generate a random number for use as the SKDK, ensuring that the SKDK value is never available outside of the device. | | | | | | | | | | | | | | | | | | | | Fuse name | Start address (in hexadecimal) | Bit number | Fuse blow value | Description | | --- | --- | --- | --- | --- | |
**Read permissions** |
**Read permissions** |
**Read permissions** |
**Read permissions** |
**Read permissions** | | Secondary Key derivation Key Read disable | 780190 | 31 | 1 | After provisioning the SKDK, blow this bit to secure the secondary key from being read back. A secure path hardware exists from SKDK to the crypto engine. | |
**Write permissions** |
**Write permissions** |
**Write permissions** |
**Write permissions** |
**Write permissions** | | Read permissions write disable | 780198 | 5 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | FEC enables write disable | 780198 | 7 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | OEM configuration write disable | 780198 | 8 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | Public key hash 0 write disable | 780198 | 24 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | OEM secure boot write disable | 780198 | 30 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | Secondary key derivation key write disable | 780198 | 31 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | |
**FEC enable** |
**FEC enable** |
**FEC enable** |
**FEC enable** |
**FEC enable** | | OEM secure boot FEC enable | 7801A0 | 30 | 1 | To enable FEC for OEM secure boot region, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. | | Secondary key derivation key FEC enable | 7801A0 | 31 | 1 | To enable FEC for the secondary KDF key, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. | |
**OEM Config** |
**OEM Config** |
**OEM Config** |
**OEM Config** |
**OEM Config** | | `WDOG_EN` | 7801A8 | 14 | 1 | Prevents the `WDOG_DISABLE` GPIO from disabling WDOG, freeing up the GPIO and preventing potential abuse by an attacker. | | `SHARED_QSEE_SPIDEN_DISABLE` | 7801A8 | 30 | 1 | A shared Qualcomm TEE secure invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_QSEE_SPNIDEN_DISABLE` | 7801A8 | 31 | 1 | A shared Qualcomm TEE secure non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_MSS_DBGEN_DISABLE` | 7801AC | 32 | 1 | A shared MSS invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_MSS_NIDEN_DISABLE` | 7801AC | 33 | 1 | A shared MSS non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `SHARED_CP_DBGEN_DISABLE` | 7801AC | 34 | 1 | A shared CP invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_CP_NIDEN_DISABLE` | 7801AC | 35 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `SHARED_NS_DBGEN_DISABLE` | 7801AC | 36 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `SHARED_NS_NIDEN_DISABLE` | 7801AC | 37 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `APPS_DBGEN_DISABLE` | 7801AC | 38 | 1 | Blow this bit for a secure solution. This configuration disables the application processor global invasive debug capabilities (JTAG and monitor mode). The `OVERRIDE` registers can override this configuration. | | `APPS_NIDEN_DISABLE` | 7801AC | 39 | 1 | Blow this bit for a secure solution. This configuration disables the application processor global non-invasive debug capabilities (trace and performance monitoring). This configuration can be overridden with the `OVERRIDE` registers. | | `SHARED_MISC_DEBUG_DISABLE` | 7801AC | 40 | 1 | A shared miscellaneous debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `EKU_ENFORCEMENT_EN` | 7801B0 | 30 | 1 | To enable enforcement of the EKU field in the certificate, blow this device. | | `OEM_HW_ID[0:15]` | 7801B4 | [47:32] | 0 | Represents the OEM hardware ID. Bits 15:0. | | `OEM_PRODUCT_ID[0:15]` | 7801B4 | [63:48] | 0 | Represents the OEM product ID. Bits 15:0. | | `ANTI_ROLLBACK_FEATURE_EN[0]` | 7801BC | 32 | 1 | >
>
> | | `ANTI_ROLLBACK_FEATURE_EN[1]` | 7801BC | 33 | 1 | >
>
> | | `ANTI_ROLLBACK_FEATURE_EN[2]` | 7801BC | 34 | 1 | >
>
> | | `ANTI_ROLLBACK_FEATURE_EN[3]` | 7801BC | 35 | 1 | >
>
> | |
**PK hash** |
**PK hash** |
**PK hash** |
**PK hash** |
**PK hash** | | `PK hash 0[383:0]` | 7802A0 | [383:0] | | The OEM-specific root certificate PK hash value. | |
**OEM secure boot** |
**OEM secure boot** |
**OEM secure boot** |
**OEM secure boot** |
**OEM secure boot** | | `OEM_SECURE_BOOT1_PK_HASH_IN_FUSE` | 780DA8 | 4 | 1 | When this bit is ‘1’, use the value stored in OEM\_PK\_HASH for the root certificate hash. | | `OEM_SECURE_BOOT1_AUTH_EN` | 780DA8 | 5 | 1 | To enable secure boot for apps and other peripheral images, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 1. | | `OEM_SECURE_BOOT2_PK_HASH_IN_FUSE` | 780DA8 | 12 | 1 | For boot configuration 2:


If this bit is ‘0’, use the internal ROM hash index and `OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0]` for the root certificate hash.


If this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. | | `OEM_SECURE_BOOT2_AUTH_EN` | 780DA8 | 13 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot. | | `OEM_SECURE_BOOT3_PK_HASH_IN_FUSE` | 780DA8 | 20 | 1 | For boot configuration 3:


If this bit is ‘0’, use the internal ROM hash index and `OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0]` for the root certificate hash.


When this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. | | `OEM_SECURE_BOOT3_AUTH_EN` | 780DA8 | 21 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 3. | |
**Sec key derivation key** |
**Sec key derivation key** |
**Sec key derivation key** |
**Sec key derivation key** |
**Sec key derivation key** | | `Sec Key derivation Key[255:0]` | 780DB8 | [255:0] | | This 256‑bit value is used as the secondary key derivation input, which is used to generate the secondary key for the crypto engine. When running in an insecure mode (no secure boot or Debug enabled), the SKDK is fed into the key derivation function to generate a unique non‑secure secondary key for use by the crypto engine.


When running in a secure mode (secure boot and debug disabled), the SKDK is fed directly to the crypto engine as the secondary key.


After the SKDK value has been correctly programmed, the SKDK Read Disable must be blown to permanently protect the SKDK value. The software reads the SKDK value from the QFPROM before this correction is made.


The SBL fuse blow API can automatically generate a random number for use as the SKDK, ensuring that the SKDK value is never available outside of the device. | | | | | | | | | | | | | | | | | | | | Fuse name | Start address (in hexadecimal) | Bit number | Fuse blow value | Description | | --- | --- | --- | --- | --- | |
**Read permissions** |
**Read permissions** |
**Read permissions** |
**Read permissions** |
**Read permissions** | | Secondary Key derivation Key Read disable | 780150 | 22 | 1 | After provisioning the SKDK, blow this bit to secure the secondary key from being read back. A secure path hardware exists from SKDK to the crypto engine. | |
**Write permissions** |
**Write permissions** |
**Write permissions** |
**Write permissions** |
**Write permissions** | | Read permissions write disable | 780158 | 3 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | FEC enables write disable | 780158 | 5 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | OEM configuration write disable | 780158 | 10 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | Public key hash 0 write disable | 780158 | 12 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | OEM secure boot write disable | 780158 | 20 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | | Secondary key derivation key write disable | 7801B0 | 22 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. | |
**FEC enable** |
**FEC enable** |
**FEC enable** |
**FEC enable** |
**FEC enable** | | OEM secure boot FEC enable | 780160 | 20 | 1 | To enable FEC for OEM secure boot region, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. | | Secondary key derivation key FEC enable | 780160 | 22 | 1 | To enable FEC for the secondary KDF key, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. | |
**OEM Config** |
**OEM Config** |
**OEM Config** |
**OEM Config** |
**OEM Config** | | `WDOG_EN` | 780188 | 14 | 1 | Prevents the `WDOG_DISABLE` GPIO from disabling WDOG, freeing up the GPIO and preventing potential abuse by an attacker. | | `APPS_APB_DFD_DISABLE` | 780188 | 30 | 1 | When blown will disable Qualcomm® Kryo™ B Scandump using APB bus. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `DCC_DEBUG_DISABLE` | 780188 | 31 | 1 | When blown will be used to disable DCC IP in hardware. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `DEBUG_BUS_DISABLE` | 78018C | 32 | 1 | When blown will be used to disable debug bus from appearing on GPIOs. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `AOSS_AOP_DFD_DISABLE` | 78018C | 33 | 1 | When blown will disable the scan dump of RPMh. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `EUD_DISABLE` | 78018C | 34 | 1 | When blown will disable EUD. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `DAP_DEVICEEN_DISABLE` | 78018C | 35 | 1 | When blown will disable the external debugger access to APB-AP port of QDSS DAP. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `APPS_DBGEN_DISABLE` | 78018C | 36 | 1 | When blown will disable the non-secure invasive debug facilities of APPS (including the APPS processor) subsystem. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `DAP_DBGEN_DISABLE` | 78018C | 37 | 1 | When blown will block the NS=1 transactions from both AXI-AP port of DAP, and ETR, of QDSS subsystem. It also prevents the STM block of QDSS to generate any back pressure on the bus it receives the event traces. A corresponding Qualcomm fuse can override this OEM‑controlled fuse. | | `LPASS_TURING_DBGEN_DISABLE` | 780188 | 38 | 1 | When blown will disable the invasive debug facilities of LPASS as well as Turing. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `WCSS_DBGEN_DISABLE` | 78018C | 39 | 1 | When blown will disable the non-secure invasive debug facilities of WCSS subsystem. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `AOSS_AOP_DBGEN_DISABLE` | 78018C | 40 | 1 | When blown will disable the non-secure invasive debug facilities of AOSS AOP. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `CAM_ICP_DBGEN_DISABLE` | 78018C | 41 | 1 | When blown will disable the non-secure invasive debug facilities of camera A5. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `SSC_DBGEN_DISABLE` | 78018C | 42 | 1 | When blown will disable the non-secure invasive debug facilities of Snapdragon sensor core subsystem. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `VENUS_0_DBGEN_DISABLE` | 78018C | 44 | 1 | When blown will disable the non-secure invasive debug facilities of ARM9 processor in spectra subsystem. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `A5x_ISDB_DBGEN_DISABLE` | 78018C | 45 | 1 | When blown will disable the non-secure invasive debug facility of ISDB block of A5X subsystem. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `MSS_DBGEN_DISABLE` | 78018C | 46 | 1 | When blown will disable the modem-secure invasive debug facilities of Modem subsystem (including Q6 processor). It also blocks the MSA = 1 transactions from AXI-AP port of QDSS DAP. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `APPS_NIDEN_DISABLE` | 78018C | 47 | 1 | When blown will disable the non-secure non-invasive debug facilities of APPS (including APPS processor) subsystem. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `DAP_NIDEN_DISABLE` | 78018C | 48 | 1 | When blown will instruct QDSS STM to drop the non-secure event traces. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `LPASS_TURING_NIDEN_DISABLE` | 78018C | 49 | 1 | When blown will disable the non-secure non-invasive debug facilities of LPASS as well as Turing. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `WCSS_NIDEN_DISABLE` | 78018C | 50 | 1 | When blown will disable the non-secure non-invasive debug facilities of WCSS subsystem. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `AOSS_AOP_NIDEN_DISABLE` | 78018C | 51 | 1 | When blown will disable the non-secure non-invasive debug facilities of AOSS AOP. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `CAM_ICP_NIDEN_DISABLE` | 78018C | 52 | 1 | When blown will disable the non-secure non-invasive debug facilities of Camera A5. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `SSC_NIDEN_DISABLE` | 78018C | 53 | 1 | When blown will disable the non-secure non-invasive debug facilities of Snapdragon sensor core (including Q6 processor) subsystem. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `MSS_NIDEN_DISABLE` | 78018C | 54 | 1 | When blown will disable the modem secure non-invasive debug facilities of MSS (including Q6 processor) subsystem. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `APPS_SPNIDEN_DISABLE` | 78018C | 55 | 1 | When blown will disable the secure non-invasive debug facilities of APPS (including APPS processor) subsystem. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `DAP_SPNIDEN_DISABLE` | 78018C | 56 | 1 | When blown will instruct QDSS STM to drop the secure event traces. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `APPS_SPIDEN_DISABLE` | 78018C | 60 | 1 | When blown will disable the secure invasive debug facilities of APPS (including APPS processor) subsystem. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `DAP_SPIDEN_DISABLE` | 78018C | 61 | 1 | When blown will block the NS = 0 transactions from both AXI-AP port of DAP, and ETR, of QDSS subsystem. It also prevents the STM block of QDSS to generate any backpressure on the bus it receives the event traces. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `LLCC_DSRW_DISABLE` | 78018C | 63 | 1 | When blown will disable the secure invasive debug facilities of LLCC’s DSRW. A corresponding Qualcomm fuse can override this OEM-controlled fuse. | | `EKU_ENFORCEMENT_EN` | 780190 | 30 | 0 | To enable enforcement of the EKU field in the certificate, blow this device. | | `OEM_HW_ID[0:15]` | 780194 | [47:32] | 0 | Represents the OEM hardware ID. Bits 15:0. | | `OEM_PRODUCT_ID[0:15]` | 780194 | [63:48] | 0 | Represents the OEM product ID. Bits 15:0. | | `ANTI_ROLLBACK_FEATURE_EN[0]` | 78019C | 32 | 1 | >
>
> | | `ANTI_ROLLBACK_FEATURE_EN[1]` | 78019C | 33 | 1 | >
>
> | | `ANTI_ROLLBACK_FEATURE_EN[2]` | 78019C | 34 | 1 | >
>
> | | `ANTI_ROLLBACK_FEATURE_EN[3]` | 78019C | 35 | 1 | >
>
> | |
**PK hash** |
**PK hash** |
**PK hash** |
**PK hash** |
**PK hash** | | `PK hash 0[383:0]` | 7801C8 | [383:0] | | The OEM-specific root certificate PK hash value. | |
**OEM secure boot** |
**OEM secure boot** |
**OEM secure boot** |
**OEM secure boot** |
**OEM secure boot** | | `OEM_SECURE_BOOT1_PK_HASH_IN_FUSE` | 780360 | 4 | 1 | When this bit is ‘1’, use the value stored in OEM\_PK\_HASH for the root certificate hash. | | `OEM_SECURE_BOOT1_AUTH_EN` | 780360 | 5 | 1 | To enable secure boot for apps and other peripheral images, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 1. | | `OEM_SECURE_BOOT2_PK_HASH_IN_FUSE` | 780360 | 12 | 1 | For boot configuration 2:


If this bit is ‘0’, use the internal ROM hash index and `OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0]` for the root certificate hash.


If this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. | | `OEM_SECURE_BOOT2_AUTH_EN` | 780360 | 13 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot. | | `OEM_SECURE_BOOT3_PK_HASH_IN_FUSE` | 780360 | 20 | 1 | For boot configuration 3:


If this bit is ‘0’, use the internal ROM hash index and `OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0]` for the root certificate hash.


When this bit is ‘1’, use the value stored in `OEM_PK_HASH` for the root certificate hash. | | `OEM_SECURE_BOOT3_AUTH_EN` | 780360 | 21 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 3. | |
**Sec key derivation key** |
**Sec key derivation key** |
**Sec key derivation key** |
**Sec key derivation key** |
**Sec key derivation key** | | `Sec Key derivation Key[255:0]` | 780398 | [255:0] | | This 256‑bit value is used as the secondary key derivation input, which is used to generate the secondary key for the crypto engine. When running in an insecure mode (no secure boot or Debug enabled), the SKDK is fed into the key derivation function to generate a unique non‑secure secondary key for use by the crypto engine.


When running in a secure mode (secure boot and debug disabled), the SKDK is fed directly to the crypto engine as the secondary key.


After the SKDK value has been correctly programmed, the SKDK Read Disable must be blown to permanently protect the SKDK value. The software reads the SKDK value from the QFPROM before this correction is made.


The SBL fuse blow API can automatically generate a random number for use as the SKDK, ensuring that the SKDK value is never available outside of the device. | | | | | | | | | | | | | | | | | | | ## Next steps - To ensure the that the cryptographic keys and certificates are generated and managed in a secure and trusted environment, see Generate keys and certificates. - To ensure the authenticity and integrity of software images and to write a complete software image, see [Sign and flash the images](https://docs.qualcomm.com/doc/80-80022-11/topic/sign-and-flash-images.html#sign-and-flash-images). Last Published: May 18, 2026 [Previous Topic Enable secure boot](https://docs.qualcomm.com/bundle/publicresource/80-80022-11/topics/enable-secure-boot.md) [Next Topic Generate keys and certificates](https://docs.qualcomm.com/bundle/publicresource/80-80022-11/topics/generate-keys-and-certificates.md) Source: [https://docs.qualcomm.com/doc/80-80022-11/topic/appendix-fuse-configurations.html](https://docs.qualcomm.com/doc/80-80022-11/topic/appendix-fuse-configurations.html)