# Secure boot

Source: [https://docs.qualcomm.com/doc/80-88500-4/topic/87_Secure_boot.html](https://docs.qualcomm.com/doc/80-88500-4/topic/87_Secure_boot.html)

Secure boot is a security tool that boots only trusted software and prevents unknown or
    malicious software from accessing the system.

The following is a brief overview of the secure boot configuration. For more information, see
*QRB5165 Secure Boot Enablement User Guide* (80-PV086-42).

- The secure boot configuration is application-based, and the application code creates a
        root of trust (ROT).
- It is responsible for validating the code image and for validating the boot code stored in
        external memory.
- It confirms the code originated from a trusted authority (authenticity) and verifies that
        the code is in its original form (integrity).
- The digital signatures validate the external code image and establish the system security
        level. The ROT verifies the code image version (compares the signed version label to the
        value in Qfuse). Version control ensures that an old and revoked code image is
        unusable.

| Fuse name | Bit number in row | Blow value | Comments |
| --- | --- | --- | --- |
| OEM\_SECURE\_BOOT1\_ROM\_PK\_HASH\_IDX0 | 0 | 0 | If PK\_HASH\_IN\_FUSE = 0, this value selects which root certificate hash to use from the ROM table. |
| OEM\_SECURE\_BOOT1\_ROM\_PK\_HASH\_IDX1 | 1 | 0 | If PK\_HASH\_IN\_FUSE = 0, this value selects which root certificate hash to use from the ROM table. |
| OEM\_SECURE\_BOOT1\_ROM\_PK\_HASH\_IDX2 | 2 | 0 | If PK\_HASH\_IN\_FUSE = 0, this value selects which root certificate hash to use from the ROM table. |
| OEM\_SECURE\_BOOT1\_ROM\_PK\_HASH\_IDX3 | 3 | 0 | If PK\_HASH\_IN\_FUSE = 0, this value selects which root certificate hash to use from the ROM table. |
| OEM\_SECURE\_BOOT1\_PK\_HASH\_IN\_FUSE | 4 | 0 | For boot configuration 1:<br>If this bit = 0, use the internal ROM hash index and OEM\_SECURE\_BOOT1\_ROM\_PK\_HASH\_IDX[3:0] for the root certificate hash.<br>If this bit = 1, use the value stored in OEM\_PK\_HASH for the root certificate hash. |
| OEM\_SECURE\_BOOT1\_AUTH\_EN | 5 | 1 | Blow this bit to enable secure boot for applications and other peripheral images. When this bit = 1, it enables authentication for any code that references secure boot configuration 1. |
| OEM\_SECURE\_BOOT1\_USE\_SERIAL\_NUM | 6 | 0 | If this bit = 1, then the unique device serial number is required in the code authentication for boot configuration 1. |
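
The bit layout in the table can be decoded and checked against the listed blow values as follows. This is an added example, not code from Qualcomm or from the referenced guide: the `sb1_*` names and the struct are hypothetical, the sample values are constructed, and reading the fuse row from the device is assumed to happen elsewhere.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions taken from the fuse table above (boot configuration 1). */
#define SB1_ROM_PK_HASH_IDX_MASK 0x0Fu       /* bits 3:0 */
#define SB1_PK_HASH_IN_FUSE      (1u << 4)
#define SB1_AUTH_EN              (1u << 5)
#define SB1_USE_SERIAL_NUM       (1u << 6)
#define SB1_DOCUMENTED_BITS      0x7Fu       /* bits 6:0 are the ones the table lists */
#define SB1_TABLE_BLOW_VALUES    SB1_AUTH_EN /* table: only AUTH_EN has blow value 1 */

/* Hypothetical type for this example, not a Qualcomm definition. */
struct sb1_config {
    uint8_t rom_pk_hash_idx;  /* used only when pk_hash_in_fuse is false */
    bool pk_hash_in_fuse;     /* true: root certificate hash comes from OEM_PK_HASH */
    bool auth_en;             /* true: code referencing configuration 1 is authenticated */
    bool use_serial_num;      /* true: device serial number is part of authentication */
};

struct sb1_config sb1_decode(uint8_t row_bits)
{
    struct sb1_config c;
    c.rom_pk_hash_idx = row_bits & SB1_ROM_PK_HASH_IDX_MASK;
    c.pk_hash_in_fuse = (row_bits & SB1_PK_HASH_IN_FUSE) != 0;
    c.auth_en         = (row_bits & SB1_AUTH_EN) != 0;
    c.use_serial_num  = (row_bits & SB1_USE_SERIAL_NUM) != 0;
    return c;
}

/* Bitmask of documented bits that differ from the table's blow values; 0 means a match. */
uint8_t sb1_diff_from_table(uint8_t row_bits)
{
    return (uint8_t)((row_bits ^ SB1_TABLE_BLOW_VALUES) & SB1_DOCUMENTED_BITS);
}

int main(void)
{
    const uint8_t samples[] = { 0x20, 0x00, 0x73 };  /* constructed values */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct sb1_config c = sb1_decode(samples[i]);
        printf("0x%02X: auth_en=%d root_hash=%s", samples[i], c.auth_en,
               c.pk_hash_in_fuse ? "OEM_PK_HASH" : "ROM table");
        if (!c.pk_hash_in_fuse)
            printf("[idx %u]", (unsigned)c.rom_pk_hash_idx);
        printf(" serial=%d diff=0x%02X\n", c.use_serial_num,
               (unsigned)sb1_diff_from_table(samples[i]));
    }
    return 0;
}
```

A nonzero result from `sb1_diff_from_table` identifies which documented bits depart from the table, for example a cleared AUTH\_EN bit on a device expected to have secure boot enabled.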

Last Published: Aug 18, 2023
