OMAP-L138: OMAPL138EZWT3 Security Features Support

Part Number: OMAP-L138
Other Parts Discussed in Thread: OMAPL138, SECDEVTOOL-OMAPL138C6748

Hello, 

Currently I am using an OMAPL138EZWT3, and there are some new requirements that may require the use of Secure Boot and JTAG disable. Looking at the documentation for the OMAP-L138, specifically SPRUGQ9, the Processor Data sheet, and the Technical Reference Manual, I see that the processor does indeed support these features, but further research is showing that it's only supported on specific SKUs of the OMAP. I am not seeing any concrete, specific information that confirms this SKU supports the potentially required features.

Can I get a confirmation that my processor supports these features? If it does not support them, is there a secure-enabled processor SKU directly equivalent to the one I am using?

  • Hello 

    We no longer support secure boot for the OMAPL1x family of devices. This is not an area of focus for us and no expertise remains to support this. This may also not fully meet your needs if this is in the context of CRA compliance, etc. I am not aware of any specific 3P who can support you on such development, so your only resource will be previous Q&A on this E2E platform if you get stuck.

    Here is an AI-assisted response on the resources you can review. The response is reasonably accurate, but does not comprehend the current state of lack of support on new development for secure boot.

    Your OMAPL138EZWT3 does support Secure Boot and JTAG lock-down. The 'E' immediately following "OMAPL138" in your part number designates "Enhanced Security" (Basic Secure Boot Enabled) [1][2]. This is confirmed by the device nomenclature diagram in the OMAP-L138 datasheet (Figure 7-1), which specifies that the 'E' in that position indicates Basic Secure Boot capability [3].

    Specifically, your SKU includes:

    • Authenticated/encrypted boot (secure ROM validates images on power-up) [4]
    • JTAG locked by default after every power-on reset — requiring an unlock sequence via the KICK registers and System TAP Enable Register to regain debug access [2]
    • Anti-cloning protection [4]
    • Device-unique encryption key per part [2]

    Important Architectural Differences vs. Non-Secure Parts

    Because your device is a secure variant, be aware of these behavioral differences compared to standard (non-secure, 'B'-designated) OMAP-L138 parts:

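    | Characteristic   | Non-Secure ('B') Variant | Your Secure ('E') Variant                        |
    |------------------|--------------------------|--------------------------------------------------|
    | Boot master      | ARM                      | DSP                                              |
    | JTAG on reset    | Unlocked                 | Locked (requires unlock sequence)                |
    | ARM startup      | Direct                   | Requires PRU firmware to bring ARM out of reset  |
    | Memory firewalls | None                     | Active — restricts certain memory regions        |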

    These are non-trivial differences that fundamentally change system behavior. If your existing software was developed assuming ARM-boot-first behavior, you will need to adapt your boot flow.

    JTAG "Disable" Clarification

    The secure OMAP-L138 locks JTAG by default on every boot. During development, you can unlock it by loading a JTAG unlock image via UART boot mode using the Secure UART Host Tool [5]. However, the retrieved documentation confirms lock-on-boot behavior rather than a permanent, irreversible JTAG disable (e.g., via eFuse). If your requirement is permanent JTAG disable, that distinction may matter — the available evidence describes the default-locked behavior but doesn't explicitly confirm a one-time permanent disable mechanism for this SKU.

    No SKU Change Needed

    Since your OMAPL138EZWT3 already carries the 'E' security designation, you do not need a different SKU. You already have the secure-enabled part. The secure development tools and documentation are available at TI's SECDEVTOOL-OMAPL138C6748 package [4].


    To help refine this recommendation, it would be helpful to know:

    • Whether your existing software architecture uses ARM or DSP as the primary boot core (secure variants are DSP-boot-master)
    • Whether you need permanent/irreversible JTAG disable or if the default locked-on-boot behavior satisfies your requirement
    • Whether you have access to TI's secure development tools (SECDEVTOOL-OMAPL138C6748) and NDA documentation
    • Whether the memory restrictions and security firewalls are compatible with your current system design

      1. E2E: OMAPL138EZWT3 vs OMAPL138EZWTA3 — Device Nomenclature
      2. E2E: TMS320C6748 Standard vs Basic Secure Boot Edition
      3. OMAP-L138 Datasheet (SPRS586J) — Device Nomenclature, Figure 7-1
      4. E2E: TMDSLCDK138 Secure Kernel API Availability
      5. E2E: How to Download Code into OMAPL138EZWTD4E