4.1 Switching to Secure Boot Mode

To switch a SAM9X60 MPU into Secure Boot mode, start it in Standard Monitor mode. This requires disabling any boot media on the board before performing a hard reset.

To verify that the ROM code is in Standard Monitor mode, use the SAM-BA® tool as follows:

sam-ba -p serial --device sam9x60 -m version

The ROM code response will look similar to this:

To configure OTPC to run in Emulation mode and switch the device to Secure Boot mode:

  1. Enable OTPC Emulation mode (the ROM code will activate it at the next reset):
    sam-ba --device sam9x60:0:1 -a bootconfig -c writecfg:bscr:EMULATION_ENABLED
    Figure 4-1. Host: Enable OTPC Emulation Mode
    Figure 4-2. Target: Enable OTPC Emulation Mode
  2. Reset/clear internal SRAM1 used by OTPC in Emulation mode:
    sam-ba --device sam9x60:0:1 -a bootconfig -c resetemul
    Figure 4-3. Host: Reset OTPC Emulation Memory (Internal SRAM1)
    Figure 4-4. Target: Reset OTPC Emulation Memory (Internal SRAM1)
  3. (Optional, to activate OTPC Emulation mode configured in step 1) Reset the target:
    sam-ba --device sam9x60:0:1 -a reset
    Figure 4-5. Host: Target Reset
    Figure 4-6. Target: Reset to OTPC Emulation Mode
  4. Write the Secure Boot Configuration Packet:
    sam-ba --device sam9x60:0:1 -a bootconfig -c writecfg:sbcp-emul:
    Figure 4-7. Host: Write the Secure Configuration Packet
    Figure 4-8. Target: Write the Secure Configuration Packet
  5. Reset the target:
    sam-ba --device sam9x60:0:1 -a reset
    Figure 4-9. Target: Reset in Secure Boot Mode
  6. Read back the Secure Configuration Packet:
    sam-ba -p secure --device sam9x60:0:1 -a bootconfig -c readcfg:sbcp-emul:
    Figure 4-10. Host: Read Back the Secure Boot Configuration Packet

To switch the device to Secure Boot mode using OTPC Real mode (persistent mode), start with step 4 but use the “Write into OTP real memory” option as follows:

sam-ba -p secure --device sam9x60:0:1 -a bootconfig -c writecfg:sbcp-otp:

At this point, the device can be provisioned with keying material using the write_customer_key and write_rsa_hash Secure Monitor commands if the RSA Signature mode is selected. Refer to the SAM-BA documentation for more details about these commands and how to use them. See References.

Note:
  1. If this is the first time switching the device into Secure Boot mode, it is recommended to switch the OTPC to Emulation mode. Refer to Appendix A: OTP Features for Secure Boot Mode for details about OTPC Emulation mode vs Real mode.
  2. In Secure Boot mode, SAM9X60 MPUs can only boot signed and ciphered applications.
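
The procedure above as a guarded wrapper, added here as an example and not taken from Microchip or the SAM-BA distribution: it replays the commands of this section in order, stops at the first failure, defaults to a dry run, and refuses the OTP real-mode write without an explicit acknowledgement. The function names, the RUN variable and the acknowledgement token are assumptions of this example.

```shell
#!/bin/sh
# Added example, not vendor code. The sam-ba command lines are copied from
# this section; everything else (names, RUN, OTP_ACK) is hypothetical.
DEV="sam9x60:0:1"
OTP_ACK="burn-otp"   # constructed token the operator must type for real OTP

# step CMD...: print the command; execute it only when RUN=1 (default: dry run).
step() {
    echo "$*"
    if [ "${RUN:-0}" = "1" ]; then "$@"; fi
}

# secure_boot_switch MODE [ACK]
#   emul : steps 1-6 in OTPC Emulation mode (recommended for a first switch)
#   otp  : OTPC Real mode write (persistent); refused unless ACK = $OTP_ACK
# Usage: secure_boot_switch emul          (dry run)
#        RUN=1 secure_boot_switch emul    (talks to the target)
secure_boot_switch() {
    mode=${1:-emul}
    case "$mode" in
    emul)
        # The && chain aborts the sequence as soon as one sam-ba call fails,
        # so the packet is never written after a failed resetemul.
        step sam-ba --device "$DEV" -a bootconfig -c writecfg:bscr:EMULATION_ENABLED &&
        step sam-ba --device "$DEV" -a bootconfig -c resetemul &&
        step sam-ba --device "$DEV" -a reset &&
        step sam-ba --device "$DEV" -a bootconfig -c writecfg:sbcp-emul: &&
        step sam-ba --device "$DEV" -a reset &&
        step sam-ba -p secure --device "$DEV" -a bootconfig -c readcfg:sbcp-emul:
        ;;
    otp)
        if [ "${2:-}" != "$OTP_ACK" ]; then
            echo "refusing OTP real-mode write without acknowledgement" >&2
            return 3
        fi
        step sam-ba -p secure --device "$DEV" -a bootconfig -c writecfg:sbcp-otp:
        ;;
    *)
        echo "usage: secure_boot_switch emul|otp [ack]" >&2
        return 2
        ;;
    esac
}
```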