Precautions#

Device Erase for Secure Debug#

Disabling the Device Erase is mandatory for secure debug as described in the following table.

Device Erase Description

Enabled By using erasedevice command, entire Flash contents can be erased, except OTP and Userdata contents. Ifsecurity erasedevice is enabled on production devices, it may expose the device to significant security risks, as malicious actors could potentially reprogram it with unauthorized or malicious firmware.

Disabled

Device Erase	Description
Enabled	By using `erasedevice` command, entire Flash contents can be erased, except OTP and Userdata contents. If`security erasedevice` is enabled on production devices, it may expose the device to significant security risks, as malicious actors could potentially reprogram it with unauthorized or malicious firmware.
Disabled	Disable device erase command disables the use of the commander security erasedevice command. This will prevent the clearing of the debug lock and secure debug configurations. If secure Debug is enabled and Device Erase is disabled, device allows only authorized parties to debug the device. If secure boot is also enabled boot loader will accept only authenticated (signed) firmware image, thereby ensures authenticity and integrity of the firmware.

Disable device erase command disables the use of the commander security erasedevice command. This will prevent the clearing of the debug lock and secure debug configurations.
If secure Debug is enabled and Device Erase is disabled, device allows only authorized parties to debug the device.
If secure boot is also enabled boot loader will accept only authenticated (signed) firmware image, thereby ensures authenticity and integrity of the firmware.

Notes:

Advised not to disable Device Erase during development phase as it is one time operation.
Without enabling Secure Debug disabling Device Erase will make the device permanently not usable.

Run the security disabledeviceerase command to disable Device Erase.

commander security disabledeviceerase --device sixg301 --serialno 440326972

================================================================================
THIS IS A ONE-TIME command which Permanently disables device erase.
If secure debug lock has not been set, there is no way to regain debug access to this device. Type 'continue' and hit enter to proceed or Ctrl-C to abort:
================================================================================
continue
Disabled device erase successfully
DONE

Secure Boot and Debug Lock#

The following table describes the different debug lock scenarios on the secure boot-enabled device.


Secure Debug	Device Erase	Debug Lock	State	Recover from Secure Boot Failure
Disabled	Enabled	Disabled	Standard debug unlock	Flash a correctly signed image.
Disabled	Enabled	Enabled	Standard debug lock	Flash a correctly signed image after standard debug unlocking the device.
Disabled	Disabled	Enabled	Permanent debug lock	There is no way to recover the device. Make sure the programmed image is correctly signed before locking the device.
Enabled	Disabled	Enabled	Secure debug lock	Flash a correctly signed image after secure debug unlocking the device.

Note: See Recover Devices when Secure Boot Fails in Series 2 and Series 3 Secure Boot with RTSL to flash a correctly signed image on different debug lock scenarios.

Limitation on Roll Challenge#

On Series 2 devices, challenge can be rolled any number of times, whereas on Series 3, challenge can be rolled a maximum of 128 times. Once a user has reached the 128 number of maximum rolls for debug challenges, new challenges will no longer be generated. The user will be able to continue to unlock the device using the last generated challenge..