4.3 Locking Secure Boot Mode
The OTP controller offers ways to disable specific operations on the secure boot configuration packet type. These operations include invalidating, locking and programming the secure boot configuration packet, as well as the hardware configuration packet.
To permanently lock Secure Boot mode, write the hardware configuration packet in OTP without using OTP Emulation mode. In the user hardware configuration packet, write the bit fields dedicated to disabling operations such as invalidation, locking and programming for secure configuration and boot configuration:
sam-ba -p secure --device sam9x60:0:1 -a bootconfig -c writecfg:uhcp-otp:BCINVDIS,BCPGDIS,SBCINVDIS,SBCPGDIS,UHCINVDIS,UHCPGDIS
- The BCINVDIS, SBCINVDIS and UHCINVDIS flags disable the option to invalidate the boot configuration, secure boot configuration and user hardware configuration packets.
- The BCPGDIS, SBCPGDIS and UHCPGDIS flags are used to prevent any other programming operations on boot configuration, secure boot configuration and user hardware configuration packets.
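Because this write is permanent, the flag list is worth checking before the command is run. The following shell script is an added example, not part of the original document or of SAM-BA: its function names are hypothetical, it treats the six flags named above as the required set, and it only prints the command without executing it.

```shell
#!/bin/sh
# Added example: dry-run check of the flag list for the permanent uhcp-otp write.
# REQUIRED lists only the six disable flags named in this section.
REQUIRED="BCINVDIS BCPGDIS SBCINVDIS SBCPGDIS UHCINVDIS UHCPGDIS"

# normalize_flags LIST: drop stray whitespace, one flag per line, de-duplicated.
normalize_flags() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr ',' '\n' | sed '/^$/d' | sort -u
}

# unknown_flags LIST: print flags that are not in REQUIRED (typos, wrong case).
unknown_flags() {
    for f in $(normalize_flags "$1"); do
        case " $REQUIRED " in
            *" $f "*) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# missing_flags LIST: print REQUIRED flags absent from LIST, i.e. the
# invalidate/program operations that would stay enabled after the write.
missing_flags() {
    have=" $(normalize_flags "$1" | tr '\n' ' ')"
    for f in $REQUIRED; do
        case "$have" in
            *" $f "*) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# build_lock_cmd LIST: print the command only when LIST is exactly the full set.
# Returns 2 on unknown flags, 3 on missing flags. Never runs sam-ba itself.
build_lock_cmd() {
    bad=$(unknown_flags "$1")
    gap=$(missing_flags "$1")
    if [ -n "$bad" ]; then
        echo "refusing: unknown flag(s): $(echo $bad)" >&2; return 2
    fi
    if [ -n "$gap" ]; then
        echo "refusing: still enabled, missing: $(echo $gap)" >&2; return 3
    fi
    printf 'sam-ba -p secure --device sam9x60:0:1 -a bootconfig -c writecfg:uhcp-otp:%s\n' \
        "$(echo $REQUIRED | tr ' ' ',')"
}

# Constructed input: the flag list as typed, with a stray space after the colon.
build_lock_cmd " BCINVDIS,BCPGDIS,SBCINVDIS,SBCPGDIS,UHCINVDIS,UHCPGDIS"
```

A non-zero return means the list was rejected and no command was printed; the reason is written to standard error.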
