Qualcomm fuse programmable read only memory (QFPROM) fuses store cryptographic keys that authenticate software images during the secure boot process. This ensures that only authorized software can run on the device. QFPROM uses a fusing mechanism to program registers by blowing fuses, thereby storing permanent data. This is a one-time operation that can't be undone. The following table captures the QFPROM fuse values and details for QCS5430, QCS6490, Qualcomm Dragonwing IQ-9075, Qualcomm Dragonwing IQ-9100, Qualcomm Dragonwing IQ-8275, Qualcomm Dragonwing IQ-8300, and Qualcomm Dragonwing IQ-615. Secure boot is enabled when the respective fuses are blown.
| Fuse name | Start address (in hexadecimal) | Bit number | Fuse blow value | Description |
|---|---|---|---|---|
| **Read permissions** | | | | |
| Secondary Key derivation Key Read disable | 7801A8 | 24 | 1 | After provisioning the SKDK, blow this bit to secure the secondary key from being read back. A secure path hardware exists from SKDK to the crypto engine. |
| **Write permissions** | | | | |
| Read permissions write disable | 7801B0 | 6 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| FEC enables write disable | 7801B0 | 8 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| OEM configuration write disable | 7801B0 | 9 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| Public key hash 0 write disable | 7801B0 | 17 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| OEM secure boot write disable | 7801B0 | 23 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| Secondary key derivation key write disable | 7801B0 | 24 | 1 | Blow this bit after the region has been provisioned to disable further QFPROM changes to this region. |
| **FEC enable** | | | | |
| OEM secure boot FEC enable | 7801B8 | 23 | 1 | To enable FEC for OEM secure boot region, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. |
| Secondary key derivation key FEC enable | 7801B8 | 24 | 1 | To enable FEC for the secondary KDF key, blow this bit. Ensure that the complete region is provisioned before FEC is enabled. |
| **OEM Config** | | | | |
| WDOG_EN | 7801C0 | 14 | 1 | Prevents the WDOG_DISABLE GPIO from disabling WDOG, freeing up the GPIO and preventing potential abuse by an attacker. |
| SHARED_QSEE_SPIDEN_DISABLE | 7801C0 | 30 | 1 | A shared Qualcomm TEE secure invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| SHARED_QSEE_SPNIDEN_DISABLE | 7801C0 | 31 | 1 | A shared Qualcomm TEE secure non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| SHARED_MSS_DBGEN_DISABLE | 7801C4 | 32 | 1 | A shared MSS invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| SHARED_MSS_NIDEN_DISABLE | 7801C4 | 33 | 1 | A shared MSS non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| SHARED_CP_DBGEN_DISABLE | 7801C4 | 34 | 1 | A shared CP invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| SHARED_CP_NIDEN_DISABLE | 7801C4 | 35 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| SHARED_NS_DBGEN_DISABLE | 7801C4 | 36 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| SHARED_NS_NIDEN_DISABLE | 7801C4 | 37 | 1 | A shared CP non-invasive debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| APPS_DBGEN_DISABLE | 7801C4 | 38 | 1 | Blow this bit for a secure solution. This configuration disables the application processor global invasive debug capabilities (JTAG and monitor mode). The OVERRIDE registers can override this configuration. |
| APPS_NIDEN_DISABLE | 7801C4 | 39 | 1 | Blow this bit for a secure solution. This configuration disables the application processor global non-invasive debug capabilities (trace and performance monitoring). This configuration can be overridden with the OVERRIDE registers. |
| SHARED_MISC_DEBUG_DISABLE | 7801C4 | 40 | 1 | A shared miscellaneous debug disable bucket. A corresponding Qualcomm fuse can override this OEM-controlled fuse. |
| EKU_ENFORCEMENT_EN | 7801C8 | 30 | 1 | To enable enforcement of the EKU field in the certificate, blow this bit. |
| OEM_HW_ID[0:15] | 7801CC | [47:32] | 0 | Represents the OEM hardware ID. Bits 15:0. |
| OEM_PRODUCT_ID[0:15] | 7801CC | [63:48] | 0 | Represents the OEM product ID. Bits 15:0. |
| ANTI_ROLLBACK_FEATURE_EN[0] | 7801D4 | 32 | 1 | Bit 0 - BOOT_ANTI_ROLLBACK_EN; Bit 1 - TZAPPS_ANTI_ROLLBACK_EN; Bit 2 - PILSUBSYS_ANTI_ROLLBACK_EN; Bit 3 - MSA_ANTI_ROLLBACK_EN |
| ANTI_ROLLBACK_FEATURE_EN[1] | 7801D4 | 33 | 1 | |
| ANTI_ROLLBACK_FEATURE_EN[2] | 7801D4 | 34 | 1 | |
| ANTI_ROLLBACK_FEATURE_EN[3] | 7801D4 | 35 | 1 | |
| **PK hash** | | | | |
| PK hash 0[383:0] | 780248 | [383:0] | | The OEM-specific root certificate PK hash value. |
| **OEM secure boot** | | | | |
| OEM_SECURE_BOOT1_PK_HASH_IN_FUSE | 780728 | 4 | 1 | When this bit is ‘1’, use the value stored in OEM_PK_HASH for the root certificate hash. |
| OEM_SECURE_BOOT1_AUTH_EN | 780728 | 5 | 1 | To enable secure boot for apps and other peripheral images, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 1. |
| OEM_SECURE_BOOT2_PK_HASH_IN_FUSE | 780728 | 12 | 1 | For boot configuration 2: If this bit is ‘0’, use the internal ROM hash index and OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0] for the root certificate hash. If this bit is ‘1’, use the value stored in OEM_PK_HASH for the root certificate hash. |
| OEM_SECURE_BOOT2_AUTH_EN | 780728 | 13 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot. |
| OEM_SECURE_BOOT3_PK_HASH_IN_FUSE | 780728 | 20 | 1 | For boot configuration 3: If this bit is ‘0’, use the internal ROM hash index and OEM_SECURE_BOOT1_ROM_PK_HASH_IDX[3:0] for the root certificate hash. When this bit is ‘1’, use the value stored in OEM_PK_HASH for the root certificate hash. |
| OEM_SECURE_BOOT3_AUTH_EN | 780728 | 21 | 1 | To enable the secure boot, blow this bit. When this bit is ‘1’, it enables authentication for any code that references secure boot configuration 3. |
| **Sec key derivation key** | | | | |
| Sec Key derivation Key[255:0] | 780738 | [255:0] | | This 256-bit value is used as the secondary key derivation input, which is used to generate the secondary key for the crypto engine. When running in an insecure mode (no secure boot or Debug enabled), the SKDK is fed into the key derivation function to generate a unique non-secure secondary key for use by the crypto engine. When running in a secure mode (secure boot and debug disabled), the SKDK is fed directly to the crypto engine as the secondary key. After the SKDK value has been correctly programmed, the SKDK Read Disable must be blown to permanently protect the SKDK value. The software reads the SKDK value from the QFPROM before this correction is made. The SBL fuse blow API can automatically generate a random number for use as the SKDK, ensuring that the SKDK value is never available outside of the device. |
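
One way to check a provisioned device against the table above is to audit a fuse readback for bits that should be blown but are not. The following is an added example, not Qualcomm code: the `readback` dictionary format, the function names, and the sample values are assumptions, as is the reading that each row is 64 bits wide with the bit number counted from the 8-byte-aligned row address.

```python
# Added example: audit a QFPROM readback against entries from the table above.
# Assumption: rows are 64 bits wide and "Bit number" counts from bit 0 of the
# row at the 8-byte-aligned address, so 7801C4 bit 38 lives in row 0x7801C0.

EXPECTED = [  # (fuse name, start address, bit number); blow value is 1 for all
    ("Secondary Key derivation Key Read disable", 0x7801A8, 24),
    ("Public key hash 0 write disable", 0x7801B0, 17),
    ("OEM secure boot write disable", 0x7801B0, 23),
    ("Secondary key derivation key write disable", 0x7801B0, 24),
    ("APPS_DBGEN_DISABLE", 0x7801C4, 38),
    ("APPS_NIDEN_DISABLE", 0x7801C4, 39),
    ("ANTI_ROLLBACK_FEATURE_EN[0]", 0x7801D4, 32),
    ("OEM_SECURE_BOOT1_PK_HASH_IN_FUSE", 0x780728, 4),
    ("OEM_SECURE_BOOT1_AUTH_EN", 0x780728, 5),
]

def locate(address, bit):
    """Map a table entry to (row base address, bit mask) and sanity-check it."""
    upper_word = bool(address & 0x4)          # address names the upper 32 bits
    if not 0 <= bit < 64 or upper_word != (bit >= 32):
        raise ValueError(f"bit {bit} does not fit start address {address:#x}")
    return address & ~0x7, 1 << bit

def audit(readback, expected=EXPECTED):
    """Return the names of expected fuses that are not blown in the readback.

    readback maps a row base address to its 64-bit value (hypothetical format).
    """
    not_blown = []
    for name, address, bit in expected:
        row, mask = locate(address, bit)
        if row not in readback:
            not_blown.append(name + " (row missing from readback)")
        elif not readback[row] & mask:
            not_blown.append(name)
    return not_blown

SAMPLE_READBACK = {  # constructed values, not taken from a real device
    0x7801A8: 1 << 24,
    0x7801B0: (1 << 17) | (1 << 23) | (1 << 24),
    0x7801C0: 1 << 38,                        # DBGEN disabled, NIDEN left open
    0x7801D0: 1 << 32,
    0x780728: (1 << 4) | (1 << 5),
}

if __name__ == "__main__":
    for name in audit(SAMPLE_READBACK):
        print("NOT BLOWN:", name)
```
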

Next steps

  • To ensure that the cryptographic keys and certificates are generated and managed in a secure and trusted environment, see Generate keys and certificates.
  • To ensure the authenticity and integrity of software images and to write a complete software image, see Sign and flash the images.