[U-Boot] [PATCH 01/16] doc: Add info on using secure devices from TI
Andreas Dannenberg
dannenberg at ti.com
Tue Apr 19 17:21:08 CEST 2016
On Mon, Apr 11, 2016 at 06:37:03PM -0500, Daniel Allred wrote:
> Adds doc/README.ti-secure file to explain in generic terms
> how boot images need to be created for secure devices from
> Texas Instruments.
>
> Specific details for creating secure boot images for the
> AM43xx, DRA7xx and AM57xx secure devices from Texas
> Instruments are also provided in the README file.
>
> Secure devices require a security development package (SECDEV)
> package that can be downloaded from:
>
> http://www.ti.com/mysecuresoftware
>
> Login is required and access is granted under appropriate NDA
> and export control restrictions.
>
> Signed-off-by: Madan Srinivas <madans at ti.com>
> Signed-off-by: Daniel Allred <d-allred at ti.com>
> ---
> doc/README.ti-secure | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 92 insertions(+)
> create mode 100644 doc/README.ti-secure
>
> diff --git a/doc/README.ti-secure b/doc/README.ti-secure
> new file mode 100644
> index 0000000..fa818ae
> --- /dev/null
> +++ b/doc/README.ti-secure
> @@ -0,0 +1,92 @@
> +README on how boot images are created for secure TI devices
> +
> +CONFIG_TI_SECURE_DEVICE:
> +Secure TI devices require a boot image that is authenticated by ROM
> +code to function. Without this, even JTAG remains locked and the
> +device is essentially useless. In order to create a valid boot image for
> +a secure device from TI, the initial public software image must be signed
> +and combined with various headers, certificates, and other binary images.
> +
> +Information on the details on the complete boot image format can be obtained
> +from Texas Instruments. The tools used to generate boot images for secure
> +devices are part of a secure development package (SECDEV) that can be
> +downloaded from:
> +
> + http://www.ti.com/mysecuresoftware (login required)
> +
> +The secure development package is access controlled due to NDA and export
> +control restrictions. Access must be requested and granted by TI before the
> +package is viewable and downloadable. Contact TI, either online or by way
> +of a local TI representative, to request access.
> +
> +When CONFIG_TI_SECURE_DEVICE is set, the U-Boot SPL build process requires
> +the presence and use of these tools in order to create a viable boot image.
> +The build process will look for the environment variable TI_SECURE_DEV_PKG,
> +which should be the path of the installed SECDEV package. If the
> +TI_SECURE_DEV_PKG variable is not defined or if it is defined but doesn't
> +point to a valid SECDEV package, a warning is issued during the build to
> +indicate that a final secure bootable image was not created.
> +
> +Within the SECDEV package exists an image creation script:
> +
> +${TI_SECURE_DEV_PKG}/scripts/create-boot-image.sh
> +
> +This is called as part of the SPL/u-boot build process. As the secure boot
> +image formats and requirements differ between secure SOC from TI, the
> +purpose of this script is to abstract these details as much as possible.
> +
> +The script is basically the only required interface to the TI SECDEV package
> +for secure TI devices.
> +
> +Invoking the script for AM43xx Secure Devices
> +=============================================
> +
> +create-boot-image.sh <IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR>
> +
> +<IMAGE_FLAG> is a value that specifies the type of the image to generate OR
> +the action the image generation tool will take. Valid values are:
> + SPI_X-LOADER - Generates an image for SPI flash (byte swapped)
> + XIP_X-LOADER - Generates a single stage u-boot for NOR/QSPI XiP
> + ISSW - Generates an image for all other boot modes
> +
> +<INPUT_FILE> is the full path and filename of the public world boot loader
> +binary file (depending on the boot media, this is usually either
> +u-boot-spl.bin or u-boot.bin).
> +
> +<OUTPUT_FILE> is the full path and filename of the final secure image. The
> +output binary images should be used in place of the standard non-secure
> +binary images (see the platform-specific user's guides and releases notes
> +for how the non-secure images are typically used)
> + u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash
> + u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI flash
> + u-boot-spl_HS_ISSW - boot image for all other boot media
> +
> +<SPL_LOAD_ADDR> is the address at which SOC ROM should load the <INPUT_FILE>
> +
> +Invoking the script for DRA7xx/AM57xx Secure Devices
> +====================================================
> +
> +create-boot-image.sh <IMAGE_TYPE> <INPUT_FILE> <OUTPUT_FILE>
> +
> +<IMAGE_TYPE> is a value that specifies the type of the image to generate OR
> +the action the image generation tool will take. Valid values are:
> + X-LOADER - Generates an image for NOR or QSPI boot modes
> + MLO - Generates an image for SD/MMC/eMMC boot modes
> + ULO - Generates an image for USB/UART peripheral boot modes
> + Note: ULO is not yet used by the u-boot build process
> +
> +<INPUT_FILE> is the full path and filename of the public world boot loader
> +binary file (for this platform, this is always u-boot-spl.bin).
> +
> +
Minor nit-picks... Extra blank line.
> +<OUTPUT_FILE> is the full path and filename of the final secure image. The
> +output binary images should be used in place of the standard non-secure
> +binary images (see the platform-specific user's guides and releases notes
> +for how the non-secure images are typically used)
> + u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC.This image is
Missing space after punctuation mark.
Reviewed-by: Andreas Dannenberg <dannenberg at ti.com>
--
Andreas Dannenberg
Texas Instruments Inc
> + copied to a file named MLO, which is the name that
> + the device ROM bootloader requires for loading from
> + the FAT partition of an SD card (same as on
> + non-secure devices)
> + u-boot-spl_HS_X-LOADER - boot image for all other flash memories
> + including QSPI and NOR flash
> --
> 1.9.1
>
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> http://lists.denx.de/mailman/listinfo/u-boot
More information about the U-Boot
mailing list