Prerequisites
Verify TrustZone/device configuration/Hypervisor image loading
By verifying the TrustZone (secure) environment, you ensure that the device’s security architecture is robust and reliable, providing a foundation for secure operations. The following XBL logs contain information about the TrustZone, device configuration, and Hypervisor image loading. For example:
- Device configuration (DEVCFG)
  B - 1206031 - QSEE Dev Config - Image Load, Start
  D - 763 - Auth Metadata
  D - 549 - Segments hash check
  D - 13054 - QSEE Dev Config - Image Loaded, Delta - (53248 Bytes)
- TrustZone
  B - 1228113 - QSEE - Image Load, Start
  D - 26382 - Auth Metadata
  D - 22234 - Segments hash check
  D - 88999 - QSEE - Image Loaded, Delta - (4027792 Bytes)
- Hypervisor
  B - 1402237 - QHEE - Image Load, Start
  D - 26383 - Auth Metadata
  D - 7045 - Segments hash check
  D - 35258 - QHEE - Image Loaded, Delta - (1491024 Bytes)
- APDP
  B - 978348 - APDP - Image Load, Start
  D - 42212 - Auth Metadata
  D - 458 - Segments hash check
  D - 48434 - APDP - Image Loaded, Delta - (17332 Bytes)
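Checking these logs by hand does not scale across boots or devices. The following added example (not part of the original page or of Qualcomm's tooling) parses XBL entries of the form shown above, groups them per image, and reports any image whose record lacks the Auth Metadata or Segments hash check step before "Image Loaded". It assumes that "B -" carries a boot timestamp and "D -" the delta since the previous entry; the sample input is constructed from the DEVCFG and TrustZone entries above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the DEVCFG and TrustZone (QSEE) entries quoted above, one per line.
# "B -" is read as a boot timestamp and "D -" as the delta since the previous entry
# (an assumed convention for XBL logs; units are taken as logged).
SAMPLE_XBL_LOG = """\
B - 1206031 - QSEE Dev Config - Image Load, Start
D - 763 - Auth Metadata
D - 549 - Segments hash check
D - 13054 - QSEE Dev Config - Image Loaded, Delta - (53248 Bytes)
B - 1228113 - QSEE - Image Load, Start
D - 26382 - Auth Metadata
D - 22234 - Segments hash check
D - 88999 - QSEE - Image Loaded, Delta - (4027792 Bytes)
"""

LINE_RE = re.compile(r"^([BD]) - (\d+) - (.*)$")
START_RE = re.compile(r"^(.*) - Image Load, Start$")
LOADED_RE = re.compile(r"^(.*) - Image Loaded, Delta - \((\d+) Bytes\)$")
REQUIRED_STEPS = ("Auth Metadata", "Segments hash check")  # must precede "Image Loaded"

def parse_xbl_log(text: str) -> Dict[str, dict]:
    images: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an XBL timing entry
        kind, value, msg = m.group(1), int(m.group(2)), m.group(3)
        start = START_RE.match(msg)
        if kind == "B" and start:
            current = {"steps": [], "size_bytes": None, "elapsed": 0}
            images[start.group(1)] = current
        elif kind == "D" and current is not None:
            current["elapsed"] += value
            loaded = LOADED_RE.match(msg)
            if loaded:
                current["size_bytes"] = int(loaded.group(2))
                current = None  # record complete; stray D lines are ignored
            else:
                current["steps"].append(msg)
    return images

def authenticated(img: dict) -> bool:
    # Both authentication steps present and the load completed.
    return all(s in img["steps"] for s in REQUIRED_STEPS) and img["size_bytes"] is not None

def unauthenticated_images(images: Dict[str, dict]) -> List[str]:
    return [name for name, img in images.items() if not authenticated(img)]
```

Run it over a captured XBL log; an empty list from unauthenticated_images means every image load went through both steps.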
Verify secure boot and UEFI secure boot
- Secure boot feature is designed to ensure that a device boots using only software that’s trusted by the manufacturer.
- UEFI secure boot is an extension of secure boot that operates within the unified extensible firmware interface (UEFI) environment.
- Enabling secure boot for the hardware is crucial for achieving hardware security and protecting intellectual property. For instructions, see Enable secure boot and Enable UEFI secure boot.
- The XBL logs contain the secure boot status of the device. The logs include information about the boot interface, secure boot status, boot configuration, JTAG ID, OEM ID, and serial number.
Verify SELinux status and customize SELinux policies
- Security-Enhanced Linux (SELinux) is a security architecture integrated into the Linux kernel that provides a mechanism for supporting access control security policies.
- Verifying the SELinux status confirms that the device software is protected against unauthorized access to critical software modules or drivers. For instructions, see Enable SELinux.
- SEPolicy is the SELinux policy that defines rules for process and user interactions with system resources, enforcing mandatory access controls (MAC) in Linux.
- Default SEPolicy may not address all the specific requirements of your applications. By creating custom policies, you can define precise rules that align with your application’s requirements. For instructions, see Customize SEPolicy.
To verify the SELinux status, do the following:
- Verify the kernel configuration.
- Connect to the device using SSH.
- View the SELinux enable status and other details by running the seinfo command.
- Verify the SELinux enforce status from the console or connect to the device using SSH.
Verify PIL image loading - Sample logs
The following sample logs show the initialization and status of remote processors and hardware components loaded through PIL.
- WLAN (remoteproc1)
- cDSP (remoteproc3)
- aDSP (remoteproc2)
- MODEM (remoteproc0)
- A660_zap
- Video (Vpu20_1v.mbn)
Verify QCOMTEE driver status
Check for the TEE device node.
Verify Qualcomm TEE Mink and GlobalPlatform API availability
Qualcomm® Trusted Execution Environment (Qualcomm TEE) supports Mink and GlobalPlatform based APIs to provide access to secure services implemented within it. Mink is an object-IPC based protocol implemented by the Mink Adaptor library, whereas the Mink TEEC library implements the GlobalPlatform standardized APIs to allow interoperability and security across devices. The verification process involves checking that these APIs are correctly implemented and available for use.
- Verify the availability of the Mink Adaptor and Mink TEEC libraries on the device.
Verify if the Qualcomm TEE supplicant is running
The QTEE supplicant daemon provides Rich Execution Environment (Linux) services to QTEE, such as file system and time services.
- Verify that the QTEE supplicant daemon is running.
Verify RPMB provisioning status
The replay protected memory block (RPMB) is a secure partition defined within the UFS or eMMC storage device. The storage must be provisioned with either a Test or Production RPMB key before it can be used. To verify the RPMB provisioning status, do the following:
- Connect to the device using SSH and run the following command.
The following message is displayed.
- Select option 2: Check RPMB key provision status. For a non-provisioned device, the output RPMB_KEY_NOT_PROVISIONED is expected.
- You may choose option 1: To provision RPMB with the test key, only if necessary and only after reading the caution below before proceeding.
Verify Qualcomm WES status
- Qualcomm® wireless edge services (Qualcomm WES) helps deploy many edge devices easily and manage them without manual intervention. It includes the following services:
- Plug‑and‑play setup
- On‑demand updates
- Emergency and routine upgrades
- Third‑party services throughout the device lifecycle.
- If you need to develop applications that offer hardware-based attestation, zero-touch device provisioning, and chipset feature management, see Develop trusted and client applications.
- To install or upgrade QCS5430 SoftSKU feature packs, see Install or upgrade SoftSKU feature packs.
This feature is available to licensed users with authorized access to verify the Qualcomm WES status. If you have access, see Qualcomm Linux Wireless Edge Services Guide.
Verify Trusted and Client applications
- Trusted applications function within a trusted execution environment (TEE), offering a secure and isolated environment to keep the integrity and confidentiality of code and data.
- Client applications function within the normal world operating system, communicating with trusted applications using TEE client APIs to perform secure services.
- To execute the security-critical applications in the secure world (TrustZone), you must develop your own trusted applications. You must have access to the Qualcomm TEE software development kit (SDK) to develop corresponding client applications that launch the trusted applications. For more information, see Develop trusted and client applications.
This feature is available to licensed users with authorized access to develop and run trusted and client applications. If you have access, see Qualcomm Linux Security Guide - Addendum.
Next steps
- To configure Qualcomm TEE for securing devices that handle sensitive data and run trusted applications, see Configure security services.
- To customize memory and SEPolicy, see Customize security services.