Diagnostic Boot Mode
Diagnostic Boot Mode allows OEMs to bypass signing authority in later software boots, on a per-board basis, on production-mode hardware in order to run diagnostic software.
The flow for diagnostic boot:
- Provide ECID signed BR-BCT and MB1-BCT.
- Enable diagnostic boot in BR-BCT by setting bf_bl_diag_boot and bf_bl_skip_oem_auth_diag_boot to 1.
- Provide normal OEM signed components for MB1, MCE, PSC-BL1, and MEM-BCT.
MB1 skips OEM authentication of binaries after MCE, including the MB2 binary on the CCPLEX, which can be replaced with diagnostic software. If the standard unsigned MB2 is used, it no longer requires signed components for the software it loads. In this mode, PSC-BL1, upon exit, erases all keys used for authentication and decryption from the key slots.
OEMs can disable diagnostic boot mode on their devices by setting BOOT_SECURITY_INFO[10] to 1.
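
A release-audit check for the two controls described above, added here as an example and not taken from the platform's own tooling. It assumes the BR-BCT fields appear in a text config as "name = 1;" or "name = <0x1>;", and that BOOT_SECURITY_INFO[10] is bit 10 of the fuse value read from the device; the function names and sample inputs are constructed for illustration.

```python
import re

DIAG_FLAGS = ("bf_bl_diag_boot", "bf_bl_skip_oem_auth_diag_boot")
DIAG_DISABLE_BIT = 10  # BOOT_SECURITY_INFO[10] = 1 disables diagnostic boot

# Assumed field syntax: "name = 1;" or "name = <0x1>;" (not taken from the page).
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*<?\s*(0[xX][0-9a-fA-F]+|\d+)\s*>?\s*;?\s*$")


def parse_diag_flags(bct_text):
    """Return {field: value} for the two diagnostic-boot fields in a BR-BCT config."""
    found = {}
    for line in bct_text.splitlines():
        m = ASSIGN.match(line.split("//", 1)[0])  # ignore trailing // comments
        if m and m.group(1) in DIAG_FLAGS:
            raw = m.group(2)
            found[m.group(1)] = int(raw, 16 if raw.lower().startswith("0x") else 10)
    return found


def audit(bct_text, boot_security_info):
    """Classify a board from its BR-BCT config text and BOOT_SECURITY_INFO value."""
    flags = parse_diag_flags(bct_text)
    set_flags = [f for f in DIAG_FLAGS if flags.get(f, 0) == 1]
    fuse_disabled = bool((boot_security_info >> DIAG_DISABLE_BIT) & 1)
    if fuse_disabled:
        # Mode is disabled on the device; report a BCT that still requests it.
        return "DISABLED_BY_FUSE_BCT_STALE" if set_flags else "DISABLED_BY_FUSE"
    if len(set_flags) == len(DIAG_FLAGS):
        return "DIAG_BOOT_ENABLED"      # MB1 skips OEM auth after MCE
    if set_flags:
        return "PARTIAL_DIAG_CONFIG"    # only one of the two fields is 1
    return "NOT_REQUESTED_FUSE_OPEN"    # off in this BCT, but not fused off


# Constructed sample inputs, not real board data.
DIAG_BCT = """
bf_bl_diag_boot = <1>;
bf_bl_skip_oem_auth_diag_boot = <1>;   // diagnostic image
"""
RELEASE_BCT = "bf_bl_diag_boot = <0>;\nbf_bl_skip_oem_auth_diag_boot = <0>;\n"

if __name__ == "__main__":
    for name, bct, fuse in [("diag", DIAG_BCT, 0x0), ("release", RELEASE_BCT, 0x400)]:
        print(name, audit(bct, fuse))
```

A release gate would treat any result other than DISABLED_BY_FUSE as a finding for units leaving the factory.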