|
| 1 | +.. _foundational-secure-boot: |
| 2 | + |
1 | 3 | ********************************** |
2 | 4 | Secure Boot |
3 | 5 | ********************************** |
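Review bot: the new `.. _foundational-secure-boot:` label is not referenced anywhere in this patch; if a `:ref:` consumer exists elsewhere in the doc set, confirm the label name matches it exactly, since Sphinx accepts an unused label silently and only warns at the unresolved reference.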
@@ -30,16 +32,19 @@ The following is an example list where Chain-of-Trust should be maintained. |
30 | 32 | - Disable kernel debug options |
31 | 33 | - Disable/remove userspace debug tools, devmem disable, etc.. |
32 | 34 |
|
33 | | -We provide methods for U-Boot's SPL loader to securely verify/encrypt the U-Boot proper. This is accomplished by calling into TIFS via TI-SCI |
34 | | -(Texas Instruments System Controller Interface). For more infomation using TI_SCI methods refer to the |
35 | | -`TISCI User Guide <https://software-dl.ti.com/tisci/esd/22_01_02/index.html>`__. U-Boot proper then securely verifies/decrypts the Kernel/DTB/initramfs. |
| 35 | +We offer methods for U-Boot's Secondary Program Loader (SPL) to securely verify the U-Boot |
| 36 | +proper. U-Boot calls Texas Instrument Foundational Security (TIFS) through Texas Instruments System Controller Interface (TISCI) |
| 37 | +to do this. For more information about using TISCI methods see the |
| 38 | +`TISCI User Guide <https://software-dl.ti.com/tisci/esd/22_01_02/index.html>`__. U-Boot proper then securely verifies and decrypts the kernel, Device Tree Blobs (DTB), and initramfs. |
36 | 39 |
|
37 | 40 | .. Image:: /images/K3_KF.png |
38 | 41 | :scale: 70% |
39 | 42 |
|
40 | | -Secure boot has layers. Some layers are trusted more than others. Secure ROM has the highest trust and REE (Run-time Execution |
41 | | -Environment) non-trustzone user-space applications have the least. If any higher trust code is to be loaded by a lower trust entity, it must be verified |
42 | | -by an even higher trust entity and not allowed to be accessed by the lower trust entity after that point. Some such trust inversions are listed below: |
| 43 | +Secure boot has layers. Some layers are trusted more than others. Secure ROM has the highest trust and Runtime Execution |
| 44 | +Environment (REE) non-trustzone user-space applications have the least. If a |
| 45 | +lower trust entity must load a higher trust code, an even higher trust entity |
| 46 | +must verify it and not allow access by the lower trust entity after that |
| 47 | +point. Some such trust inversions are as follows: |
43 | 48 |
|
44 | 49 | - R5 U-Boot loading ATF/OP-TEE |
45 | 50 | - R5 Public Boot ROM loading TIFS |
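Review bot: the rewritten paragraph drops the decryption step the old text attributed to SPL ("securely verify/encrypt the U-Boot proper" became "securely verify the U-Boot proper"), while the same paragraph still has U-Boot proper "verifies and decrypts" the kernel, DTB and initramfs; if SPL also decrypts U-Boot proper through TIFS, write "verify and decrypt" so the two stages read consistently, and if the drop is intentional it deserves a word in the commit message. Also "Texas Instrument Foundational Security (TIFS)" is missing the trailing s in "Texas Instruments", as used on the same line for TISCI. Minor: "must load a higher trust code" should read "must load higher trust code".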
@@ -69,14 +74,20 @@ The exact location is device dependent. More details can be found in the device |
69 | 74 | * DMSC firmware: `Texas Instruments Foundational Security (TIFS)` + Device/Power Manager: After authentication/decryption, DMSC firmware replaces the Secure ROM as the authenticator entity executing on the DMSC core. |
70 | 75 | * R5 SPL: The R5 SPL bootloader is executed on the R5 core. |
71 | 76 |
|
72 | | -.. ifconfig:: CONFIG_part_variant in ('AM62x') |
| 77 | +.. ifconfig:: CONFIG_part_variant not in ('AM64X') |
73 | 78 |
|
74 | | - - `AM62x TRM <https://www.ti.com/lit/pdf/spruiv7>`_ |
| 79 | + .. ifconfig:: CONFIG_part_variant in ('AM62X') |
75 | 80 |
|
76 | | - The contents of this first stage image are authenticated and decrypted by the Secure ROM. Contents include: |
| 81 | + - `AM62x TRM <https://www.ti.com/lit/pdf/spruiv7>`_ |
| 82 | + |
| 83 | + .. ifconfig:: CONFIG_part_variant in ('AM62PX') |
| 84 | + |
| 85 | + - `AM62P TRM <https://www.ti.com/lit/pdf/spruj83>`_ |
| 86 | + |
| 87 | + The contents of this first stage image are authenticated and decrypted by the Secure ROM. Contents include: |
77 | 88 |
|
78 | | - * `Texas Instruments Foundational Security (TIFS)` firmware: After authentication/decryption, TIFS firmware replaces the Secure ROM as the authenticator entity executing on the TIFS core. |
79 | | - * R5 SPL`: The R5 SPL bootloader is executed on the R5 core. |
| 89 | + * `Texas Instruments Foundational Security (TIFS)` firmware: After authentication/decryption, TIFS firmware replaces the Secure ROM as the authenticator entity executing on the TIFS core. |
| 90 | + * R5 SPL`: The R5 SPL bootloader is executed on the R5 core. |
80 | 91 |
|
81 | 92 | .. rubric:: R5 SPL |
82 | 93 |
|
@@ -195,9 +206,9 @@ HS Boot Flow Tools |
195 | 206 |
|
196 | 207 | U-boot: |
197 | 208 |
|
198 | | - The ti-u-boot source is a project used to create tiboot3.bin, tispl.bin, and u-boot.img. To create tiboot3.bin for AM64x family devices, u-boot builds R5 SPL and |
| 209 | + The ti-u-boot source is a project used to create tiboot3.bin, tispl.bin, and u-boot.img. To create tiboot3.bin for K3 family devices, u-boot builds R5 SPL and |
199 | 210 | binman packages it in a `tiboot3.bin` image. To build A53 SPL, binman takes ATF (bl31.bin), OPTEE (bl32.bin), A53 SPL, and A53 DTBs and packages |
200 | | - them in a `tispl.bin` image. The openssl library can then then be used to sign each component as specified in k3-am64x-binman.dtsi. |
| 211 | + them in a `tispl.bin` image. U-Boot can then use the openssl library to sign each component as specified in k3-<soc>-binman.dtsi. |
201 | 212 |
|
202 | 213 | .. code-block:: console |
203 | 214 |
|
@@ -246,7 +257,7 @@ OPTEE: |
246 | 257 | Ti-linux-firmware: |
247 | 258 |
|
248 | 259 | The ti-linux-firmware is a TI repository where all firmware releases are stored. Firmwares for a device family can also be found in the pre-built SDK |
249 | | - under <path-to-tisdk>/board-support/prebuilt-images/am64xx-evm. Binman expects to find the device firmware with the following appended to u-boot build command: |
| 260 | + under :file:`<path-to-tisdk>/board-support/prebuilt-images/<evm>`. Binman expects to find the device firmware with the following appended to u-boot build command: |
250 | 261 | BINMAN_INDIRS=<path-to-tisdk>/board-support/prebuilt-images, and expects to find a ti-sysfw directory in this path. |
251 | 262 |
|
252 | 263 | .. code-block:: console |
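Review bot: `<path-to-tisdk>/board-support/prebuilt-images/<evm>` now uses the :file: role, but the continuation on the unchanged next line, `BINMAN_INDIRS=<path-to-tisdk>/board-support/prebuilt-images`, is still plain text; wrap it in ``literal`` markup (or :file: as well) in the same change so the two path references render consistently. Since the concrete example directory `am64xx-evm` was removed, a short parenthetical giving it as the example value of `<evm>` would keep the sentence as actionable as before.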