[U-Boot] [PATCH v3 0/7] Adds support for secure boot on Keystone SoCs (K2E)

Srinivas, Madan madans at ti.com
Fri Sep 9 04:53:22 CEST 2016


This series adds support for secure keystone family of devices, more
specifically for K2E (Edison).This work is similar to what has already
been done for the AM43xx and AM57xx SoCs and leverages much of the
infrastructure from them.

The big difference here is the ROM on keystone2 devices does not provide
any APIs for image authentication. Rather, the image authentication and
decryption routines and other security functions are provided by
software and can run on the ARM in Trustzone as well as on secure DSPs.

A component known as the boot monitor acts as they gateway to this secure
processing, and abstracts out the details from the public world. Unlike
OMAP class devices, where u-boot calls ROM APIs, u-boot calls into the boot-
monitor on keystone devices.

Other than this difference, most of the secure framework for AMxx and
DRAxx devices have been re-used.

Couple of other points to note :-

	-Support for SPL on secure keystone devices is still TBD,
	so boot from SPI flash, which needs SPL, is not supported currently
	on K2 devices.

	-A single image will work across all other boot media for secure K2
	devices.

Changes in v3:
- Corrects commit message in patch 5/7 in this series to refer
   to u-boot_HS_MLO

Changes in v2:
- Corrects typo in commit message for PATCH 1/7 in this series
- The following changes are  made to mon.c based on review comments
	Adds NULL pointer check before calling authentication interface
	Removes an unnecessary printf
	Updates size of signed FIT blob after post processing removes header
- Adds a new name for the signed output image in config_secure.mk
   to keep it in line with the image name used by non-secure keystone
   devices.
- Changes the target for secure keystone devices in config.mk
   to u-boot_HS_MLO to keep it in line with the MLO target that
   is built for non-secure keystone devices.
- Updates the secure keystone image name to u-boot_HS_MLO
   in README.ti-secure to match with the changes made to
   config.mk in this series version.
- Updates k2e_hs_evm_defconfig to reduce the delta seen if one
   regenerates it using savedefconfig or similar tools.

Madan Srinivas (4):
   include: image.h: Fixes build warning with
     CONFIG_FIT_IMAGE_POST_PROCESS
   arm: omap-common: adds secure image name common to OMAP and keystone
   arm: mach-keystone: config.mk: Adds support for secure images on K2
   doc: Updates info on using keystone secure devices from TI

Vitaly Andrianov (3):
   arm: mach-keystone: Implements FIT post-processing call for keystone
     SoCs
   arm: omap-common: Enable support for K2 HS devices in u-boot
   configs: Adds a defconfig for K2E High Security EVM

  arch/arm/cpu/armv7/omap-common/Kconfig          |  2 +-
  arch/arm/cpu/armv7/omap-common/config_secure.mk |  6 +++
  arch/arm/mach-keystone/config.mk                |  6 +++
  arch/arm/mach-keystone/mon.c                    | 55 
+++++++++++++++++++++++++
  configs/k2e_hs_evm_defconfig                    | 43 +++++++++++++++++++
  doc/README.ti-secure                            | 20 +++++++++
  include/image.h                                 |  3 +-
  7 files changed, 133 insertions(+), 2 deletions(-)
  create mode 100644 configs/k2e_hs_evm_defconfig

-- 
2.7.4



More information about the U-Boot mailing list