
secure OMAP-L138 boot resources restricted



Hi,

  I ran the following experiments:

The test environment:
  Device          : OMAPL132BZTE      Basic Secure Boot Enabled
  Oscillator clock:  12MHz
  mDDR            : 128MB  MT46H8M16LFBF
  NOR flash       : 8MB    ST M58WR064KB   -- 16-bit, connected to EMIFA CS2
  The test program:  app_test.out, built with the CCS 4.2 IDE
                     runs on the C6748 DSP core, load and entry address: 0x11820000 in L2 RAM, function: loop printing a string on UART2

  PC terminal     :  SecureCRT.exe   --  A serial port monitoring software
  boot mode       : Secure AIS NOR BOOT mode
  flash tool      :  sfh_sec_OMAP-L138.exe  -- I modified the serial download tool from the non-secure device software "OMAP-L138_FlashAndBootUtils_2_40.tar.gz" with SecureHexAIS
  Secure HEX tool :  SecureHexAIS_OMAP-L138.exe
  ini file        :  as follows
;***************************************************************
;  TI OMAP-L138 / C6748 Security Utilities                     *
;  (C) 2009-2012 Texas Instruments, Inc.                       *
;***************************************************************
;
; This INI file will create a header that contains:
;     NOR config word          (1 word)
;     AIS magic number         (1 word)
;     AIS key load command     (1 word)
;     AIS key header           (8 words)
;     AIS set exit type        (2 words)
;     AIS set command + params (5 words)
;     Signature                (16 words)
;
; The AIS set command at the bottom of the INI file is a dummy write
; in order to force a signature check.  This is necessary in order to
; create a well defined header that can be bound to the device.  If
; the AIS set command is not used, then you will have to determine
; where the first signature occurs so that you can bind the entire
; section.
;
; *********************** INI ************************
; General settings that can be overwritten in the host code
; that calls the AISGen library.
[General]      
; Can be 8 or 16 - used in emifa
busWidth=16 

; SPIMASTER,I2CMASTER,EMIFA,NAND,EMAC,UART,PCI,HPI,USB,MMC_SD,VLYNQ,RAW
BootMode=EMIFA 

; NO_CRC,SECTION_CRC,SINGLE_CRC
crcCheckType=NO_CRC

; Security settings (keys, options, list of sections to encrypt, etc.)
[Security]
; Security Type: GENERIC, CUSTOM, NONE
securityType=GENERIC

; Boot Exit Type: NONSECURE, SECUREWITHSK
; NONSECURE = Device switches from secure type to non-secure type, jumping to loaded code
;             (no secure kernel since no longer secure device).
; SECUREWITHSK = Device remains as secure type, secure kernel is loaded, allowing run-time
;                security context switching.
bootExitType = SECUREWITHSK

; Encrypt section list (ALL or comma-separated list of section names)
encryptSections=ALL

; CEK used for AES encryption of data - must be string of 32 hexadecimal characters
; Device uses KEK to encrypt CEK; the SECURE KEY LOAD command then loads this CEK, which is used to
; decrypt the data loaded by the ENCRYPTED SECTION LOAD command
encryptionKey=4A7E1F56AE545D487C452388A65B0C05

; SHA Algorithm Selection
genericSHASelection = SHA256

;<<OMAP-L132 DSP+ARM Technical Reference Manual>> Chapter 6: Processor Memory Protection Unit (MPU)  6.2.8 Reset Considerations
;    After reset, the memory protection page attribute registers (MPPA) default to 0. This disables all protection features. 1: enable protection.
; This section allows setting the MPU1 or MPU2. If the
; rangenum is out of the allowed range then all the ranges
; (including the fixed range) take the start, end, and
; protection values.
;            |------24|------16|----------8|----------0|
; MPUSELECT: |      RSVD       |   mpuNum  | rangeNum  |
; STARTADDR: |              startAddr                  |
; ENDADDR:   |               endAddr                   |
; MPPAVALUE: |              mppaValue                  |
[MPUCONFIG]
MPUSELECT = 0x000001FF
STARTADDR = 0x00000000
ENDADDR   = 0xFFFFFFFF
MPPAVALUE = 0xFFFFFFFF

[MPUCONFIG]
MPUSELECT = 0x000002FF
STARTADDR = 0x00000000
ENDADDR   = 0xFFFFFFFF
MPPAVALUE = 0xFFFFFFFF


; This section allows configuration of one of the system IOPUs.
; The iopuNum field must be valid (0-5) and then mppaStart
; and mppaEnd fields allow setting a range of mppa MMRs to the
; same supplied mppa value.
; IOPUSELECT: |  RSVD  | iopuNum| mppaStart |  mppaEnd  |
; MPPAVALUE:  |              mppaValue                  |
[IOPUCONFIG]
IOPUSELECT = 0x000000FF
MPPAVALUE  = 0xFFFFFFFF

[IOPUCONFIG]
IOPUSELECT = 0x000100FF
MPPAVALUE  = 0xFFFFFFFF

[IOPUCONFIG]
IOPUSELECT = 0x000200FF
MPPAVALUE  = 0xFFFFFFFF

[IOPUCONFIG]
IOPUSELECT = 0x000300FF
MPPAVALUE  = 0xFFFFFFFF

[IOPUCONFIG]
IOPUSELECT = 0x000600FF
MPPAVALUE  = 0xFFFFFFFF


;[TAPSCONFIG]
;TAPSCFG = 0x0000FFFF

[AIS_Set]
; Generic AIS set instruction to a reserved register to force a signature check
TYPE=2
ADDRESS=0x01E2C020
DATA=0
SLEEP=0


【test1】:  Secure AIS NOR BOOT mode  with bootExitType = SECUREWITHSK
      step1:  use the ini file above;
              use "SecureHexAIS_OMAP-L138.exe" to convert the "app_test.out" application image file into the secure boot image "app_test_secais.bin"
      step2:  Set the DIP switch to UART2 boot mode, use "sfh_sec_OMAP-L138.exe" to bund "app_test_secais.bin" at 0x60000000, the start address of the NOR flash.
      step3:  Set the DIP switch to NOR boot mode, run the PC software "SecureCRT.exe" to monitor data from UART2 of the OMAPL132 device;
      result: failure, no data received.
 
【test2】:  Secure AIS NOR BOOT mode  with bootExitType = NONSECURE
      step1:  use the ini file above, only modifying "bootExitType = NONSECURE"; otherwise the same as test1 step1;
      step2:  same as test1.
      step3:  same as test1;
      result: successful, received the string in accordance with the "app_test.out" application.

Because I couldn't find similar examples in the TI E2E Community or in the guide documentation from "C674x_OMAPL1x_Generic_Security_Flash_Boot_Utils.tar.gz" and "Security_collateral_update.zip", I made other tests:

【test3】: "app_test.out" app run in Secure AIS UART BOOT mode (modified "BootMode=UART") with bootExitType = SECUREWITHSK or NONSECURE, downloaded by the GenericSecureUartHost.exe tool.
           Both bootExitType settings are successful.
           note:  with bootExitType = SECUREWITHSK, if the ini file is modified to delete the IOPU settings, the application can't print any data on the UART.

【test4】: "nor_test.out" app run in Secure AIS UART BOOT mode (modified "BootMode=UART") with bootExitType = SECUREWITHSK or NONSECURE, downloaded by the GenericSecureUartHost.exe tool.
           1) NOR initialization fails with "bootExitType = SECUREWITHSK";
           2) NOR initialization is OK, and afterwards the NOR can be written and read, with "bootExitType = NONSECURE";


From our tests so far, for "bootExitType = SECUREWITHSK" we guess that some resources are protected (protected by the IOPUs and MPUs, such as the IO connected to the NOR flash, and the DSP), and so far we haven't found this in TI's documents.
Could someone provide detailed documents for Secure AIS NOR BOOT with "bootExitType = SECUREWITHSK"? We would also appreciate it if someone could provide a demo for AIS NOR flash boot mode in secure kernel mode.
Thanks!
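
Added example (not part of the original post and not TI's tooling): a small Python decoder for the MPUSELECT and IOPUSELECT words, using the bit layout drawn in the ini comments, that compares the configured iopuNum values with the 0-5 range the comment states. The function names and the sample string are assumptions, constructed from the values in the post.

```python
import re

# Constructed sample: the [MPUCONFIG]/[IOPUCONFIG] values from the posted ini file.
SAMPLE_INI = "".join(
    f"[MPUCONFIG]\nMPUSELECT = 0x00000{n}FF\nSTARTADDR = 0x00000000\n"
    "ENDADDR = 0xFFFFFFFF\nMPPAVALUE = 0xFFFFFFFF\n" for n in (1, 2)
) + "".join(
    f"[IOPUCONFIG]\nIOPUSELECT = 0x000{n}00FF\nMPPAVALUE = 0xFFFFFFFF\n"
    for n in (0, 1, 2, 3, 6))
VALID_IOPUS = range(0, 6)  # "iopuNum field must be valid (0-5)" per the ini comment

def parse_sections(text):
    """Return [(name, {KEY: int})]. Section names repeat in this format, so a
    dict-per-name parser such as configparser would merge or reject them."""
    sections = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            sections.append((head.group(1).upper(), {}))
        elif "=" in line and sections:
            key, val = (p.strip() for p in line.split("=", 1))
            try:
                sections[-1][1][key.upper()] = int(val, 0)
            except ValueError:
                pass                          # non-numeric settings (e.g. BootMode)
    return sections

def decode(sections):
    """Split the select words into the fields drawn in the ini comments."""
    mpus, iopus = [], []
    for name, kv in sections:
        if name == "MPUCONFIG":
            sel = kv["MPUSELECT"]
            mpus.append({"mpuNum": (sel >> 8) & 0xFF, "rangeNum": sel & 0xFF,
                         "start": kv["STARTADDR"], "end": kv["ENDADDR"],
                         "mppa": kv["MPPAVALUE"]})
        elif name == "IOPUCONFIG":
            sel = kv["IOPUSELECT"]
            iopus.append({"iopuNum": (sel >> 16) & 0xFF, "mppaStart": (sel >> 8) & 0xFF,
                          "mppaEnd": sel & 0xFF, "mppa": kv["MPPAVALUE"]})
    return mpus, iopus

def audit_iopus(iopus):
    """Compare configured iopuNum values with the 0-5 range the comment requires."""
    seen = {e["iopuNum"] for e in iopus}
    return {"out_of_range": sorted(seen - set(VALID_IOPUS)),
            "not_configured": sorted(set(VALID_IOPUS) - seen)}
```

On the posted values this reports iopuNum 6 as outside 0-5 and IOPUs 4 and 5 as having no section of their own. Both MPU sections decode to rangeNum 0xFF, presumably the out-of-range case in which the comment says all ranges take the supplied values.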

