# Secure boot GPIO mapping

Source: [https://docs.qualcomm.com/doc/80-PV086-5P/topic/secure-boot-gpio-mapping.html](https://docs.qualcomm.com/doc/80-PV086-5P/topic/secure-boot-gpio-mapping.html)

Secure boot ensures that the QTI code and the OEM code cannot be modified by another entity. The secure boot configuration is application-based. The applications code creates a root of trust (ROT):

- It is responsible for validating the code image and for validating the boot code stored in external memory.
- It confirms the code originated from a trusted authority (authenticity) and verifies that the code is in its original form (integrity).
- The digital signatures validate the external code image and establish the system security level.
- The ROT verifies the code image version (compares the signed version label to the value in Qfuse).
- Version control ensures that an old revoked code image is unusable.

See the *QRB5165 QFPROM Programming Reference Guide* (80-PV086-97) for details.

| Fuse name | Bit no. in row | Blow value | Comments |
| --- | --- | --- | --- |
| OEM\_SECURE\_BOOT1\_ROM\_PK\_HASH\_IDX0 | 0 | 0 | If PK\_HASH\_IN\_FUSE = 0, this value selects which root certificate hash to use from the ROM table. |
| OEM\_SECURE\_BOOT1\_ROM\_PK\_HASH\_IDX1 | 1 | 0 | If PK\_HASH\_IN\_FUSE = 0, this value selects which root certificate hash to use from the ROM table. |
| OEM\_SECURE\_BOOT1\_ROM\_PK\_HASH\_IDX2 | 2 | 0 | If PK\_HASH\_IN\_FUSE = 0, this value selects which root certificate hash to use from the ROM table. |
| OEM\_SECURE\_BOOT1\_ROM\_PK\_HASH\_IDX3 | 3 | 0 | If PK\_HASH\_IN\_FUSE = 0, this value selects which root certificate hash to use from the ROM table. |
| OEM\_SECURE\_BOOT1\_PK\_HASH\_IN\_FUSE | 4 | 0 | For boot configuration 1: if this bit = 0, use the internal ROM hash index and OEM\_SECURE\_BOOT1\_ROM\_PK\_HASH\_IDX[3:0] for the root certificate hash; if this bit = 1, use the value stored in OEM\_PK\_HASH for the root certificate hash. |
| OEM\_SECURE\_BOOT1\_AUTH\_EN | 5 | 1 | Blow this bit to enable secure boot for applications and other peripheral images. When this bit = 1, it enables authentication for any code that references secure boot configuration 1. |
| OEM\_SECURE\_BOOT1\_USE\_SERIAL\_NUM | 6 | 0 | If this bit = 1, then the unique device serial number is required in the code authentication for boot configuration 1. |
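
The bit layout in the table above, decoded in C as an added example (not code from Qualcomm or from the referenced guide). It assumes the caller has already read the fuse row and aligned the value so that the table's bit 0 is bit 0 of `raw`; the `sb1_*` names are hypothetical, and reading the fuse itself is not shown.

```c
#include <stdint.h>
#include <stdio.h>
/* Bit positions within the row, as listed in the table above. */
#define ROM_PK_HASH_IDX_MASK 0x0Fu       /* bits 3:0 */
#define PK_HASH_IN_FUSE_BIT  (1u << 4)
#define AUTH_EN_BIT          (1u << 5)
#define USE_SERIAL_NUM_BIT   (1u << 6)
#define CFG1_MASK            0x7Fu       /* the seven bits the table covers */
#define CFG1_DOCUMENTED      AUTH_EN_BIT /* table blow values: only bit 5 is 1 */

typedef struct {
    unsigned rom_pk_hash_idx; /* ROM table index, used only when hash_in_fuse == 0 */
    int hash_in_fuse;         /* 1: root certificate hash comes from OEM_PK_HASH */
    int auth_en;              /* 1: code referencing configuration 1 is authenticated */
    int use_serial_num;       /* 1: device serial number is required in authentication */
} sb1_cfg;

/* Assumption: raw holds the configuration-1 field with table bit 0 at bit 0. */
sb1_cfg sb1_decode(uint32_t raw) {
    sb1_cfg c = { raw & ROM_PK_HASH_IDX_MASK, (raw & PK_HASH_IN_FUSE_BIT) != 0,
                  (raw & AUTH_EN_BIT) != 0, (raw & USE_SERIAL_NUM_BIT) != 0 };
    return c;
}

/* Bits that differ from the table's blow values; 0 means an exact match. */
uint32_t sb1_deviation(uint32_t raw) { return (raw ^ CFG1_DOCUMENTED) & CFG1_MASK; }

/* Writes a one-line audit summary into out; returns 0 when AUTH_EN is clear. */
int sb1_describe(uint32_t raw, char *out, size_t n) {
    sb1_cfg c = sb1_decode(raw);
    char src[32] = "OEM_PK_HASH fuses";
    if (!c.hash_in_fuse)
        snprintf(src, sizeof src, "ROM table index %u", c.rom_pk_hash_idx);
    snprintf(out, n, "auth=%s root_hash=[%s] serial_bound=%s deviation=0x%02x",
             c.auth_en ? "on" : "OFF", src, c.use_serial_num ? "yes" : "no",
             (unsigned)sb1_deviation(raw));
    return c.auth_en;
}

int main(void) {
    const uint32_t samples[] = { 0x20u, 0x00u, 0x33u }; /* constructed values */
    char line[96];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        sb1_describe(samples[i], line, sizeof line);
        printf("0x%02x: %s\n", (unsigned)samples[i], line);
    }
    return 0;
}
```

A non-zero `deviation` means only that the field differs from the blow values listed in this table; a clear OEM\_SECURE\_BOOT1\_AUTH\_EN bit is the case in which code referencing configuration 1 is not authenticated.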


Last Published: Jul 07, 2023
