Old 12-11-2019, 03:50 AM   #17
MrTick
Enthusiast
Posts: 53
Karma: 2340139
Join Date: Dec 2018
Device: K3 DxG PW1 KV PW4
I'm not 100% sure regarding this particular secureCpu mechanism, nor how trippable it is here; however, I can see the following piece of code in Amazon's published source:

uboot/board/lab126/mx6sll_rex/secure_boot_cfg.c:
Code:
static int is_secure_cpu(void)
{
	u32 val;
	int n = 0;

	if (!is_hab_enabled()) {
		printf("is_secure_cpu: SEC_CONFIG is not set\n");
		return 0;
	}

	for (n=0; n<SRK_HASH_BANK_SIZE; n++) {
		if (fuse_read(SRK_HASH_BANK, n, &val)) {
			printf("is_secure_cpu: fuse reading bank %d word %d failed\n", SRK_HASH_BANK, n);
			return 0;
		}
		if ( val != srk_hash[n] ) {
			printf("is_secure_cpu: bank %d word %d reading not matching (0x%x)\n", SRK_HASH_BANK, n, val);
			return 0;
		}
	}

	return 1;
}

So the CPU is secure when secure_cpu returns 1.
This function is then used to prepare kernel boot command parameters:
Code:
secure_cpu = is_secure_cpu();
(...)
sprintf(secure_args, "secure_cpu=%d androidboot.secure_cpu=%d androidboot.prod=%d androidboot.unlocked_kernel=%s",
			secure_cpu, secure_cpu, production, unlocked ? "true" : "false");

I could be totally wrong here: SRK_HASH_BANK is a fuse bank, but not a trippable one.
They can probably be reset to 0, but that'll likely also purge the kernel verification keys/certificates (for some Snapdragon SoCs it was also purging the DRM partition; I'm not sure how it works here, I'm still searching for some docs).

Once the system has started, the values of secureCpu, prodVersion and unlockedKernel are no longer taken from the fuse bank but from /proc/cmdline, which is set during U-Boot and does not change at runtime.

Example content of /proc/cmdline from a locked and secured device:
Code:
"console=ttymxc0,115200 consoleblank=0 uart_at_4m root=/dev/mmcblk1p8 rootwait quiet secure_cpu=1 androidboot.secure_cpu=1 androidboot.prod=1 androidboot.unlocked_kernel=false"
As for the code:
Code:
if [ "$prodVersion" == "0" -o "$unlockedKernel" == "true" -o "$secureCpu" = "0" ]; then
This single equals sign is probably a typo, but a harmless one, as for bash == is the same as =.
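
An added example, not part of the post above and not Amazon's script: POSIX sh functions that read the three flags out of a kernel command line and evaluate the condition quoted in the post, run here on the post's locked-device line. The function names `cmdline_get` and `classify` and the mapping of each variable to a command-line key are assumptions.

```shell
#!/bin/sh
# Added example, not Amazon's script. Assumed mapping of variable to key:
#   secureCpu <- secure_cpu, prodVersion <- androidboot.prod,
#   unlockedKernel <- androidboot.unlocked_kernel

# Sample: the locked-device line quoted in the post, outer quotes dropped.
SAMPLE_CMDLINE='console=ttymxc0,115200 consoleblank=0 uart_at_4m root=/dev/mmcblk1p8 rootwait quiet secure_cpu=1 androidboot.secure_cpu=1 androidboot.prod=1 androidboot.unlocked_kernel=false'

# cmdline_get KEY CMDLINE
# Print the value of KEY and return 0; return 1 if KEY is absent.
# Tokens are matched from their first character, so "secure_cpu" does not
# pick up "androidboot.secure_cpu". In this function the last match wins.
cmdline_get() {
    key=$1 val='' found=1
    set -f                      # no globbing while splitting on whitespace
    for tok in $2; do
        case $tok in
            "$key="*) val=${tok#"$key="}; found=0 ;;
        esac
    done
    set +f
    [ "$found" -eq 0 ] && printf '%s\n' "$val"
    return "$found"
}

# classify CMDLINE
# Print "incomplete" when a flag is missing (the quoted test would then
# compare an empty string and evaluate false without any notice), else
# "true" or "false" for the condition from the post.
# "=" is the POSIX spelling; bash's [ also accepts "==".
classify() {
    secureCpu=$(cmdline_get secure_cpu "$1") || { echo incomplete; return; }
    prodVersion=$(cmdline_get androidboot.prod "$1") || { echo incomplete; return; }
    unlockedKernel=$(cmdline_get androidboot.unlocked_kernel "$1") || { echo incomplete; return; }
    if [ "$prodVersion" = "0" ] || [ "$unlockedKernel" = "true" ] || [ "$secureCpu" = "0" ]; then
        echo true
    else
        echo false
    fi
}

# Run on the sample; on a device, pass "$(cat /proc/cmdline)" instead.
classify "$SAMPLE_CMDLINE"
```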