[U-Boot] [PATCH v4 08/12] doc: TEE: Add documentation describing TEE in u-boot
Bryan O'Donoghue
bryan.odonoghue at linaro.org
Mon Feb 26 12:36:02 UTC 2018
This patch adds a brief description of TEE in u-boot.
It gives a basic introduction, description of image generation with mkimage
plus the various ways u-boot can install or chainload a TEE.
Methods covered in this patch are
- tee-standalone
This is method where u-boot loads a TEE into an area of DRAM or SRAM
hands off control to a ROM callback or jumps into the TEE intself and
then once the TEE is installed, returns control to u-boot.
- tee-bootable
This is the method where u-boot chain-loads the TEE. In this case once
u-boot hands off control to the TEE execution does not return to u-boot.
Subsequent methods of performing a TEE boot with u-boot may be added over
time, for example "tee-combo" is being discussed.
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue at linaro.org>
---
doc/README.trusted-execution-environment | 123 +++++++++++++++++++++++++++++++
1 file changed, 123 insertions(+)
create mode 100644 doc/README.trusted-execution-environment
diff --git a/doc/README.trusted-execution-environment b/doc/README.trusted-execution-environment
new file mode 100644
index 0000000..12bf615
--- /dev/null
+++ b/doc/README.trusted-execution-environment
@@ -0,0 +1,123 @@
+Trusted Execution Environment
+=============================
+
+Overview
+--------
+Trusted Execution Environment (TEE) specifies a secure mode of execution of a
+processor. The TEE provides an isolted environment that runs in parallel to the
+rich execution environment meaning an environment such as a Linux based
+operating system.
+
+TEE may provide access to crypto keys or other pieces of secure silicon that are
+not available to the rich execution environment or TEE implementations may
+reside in secure sections of memory only accessible when running in a TEE
+context.
+
+The TEE specification is available here:
+https://www.globalplatform.org/specificationsdevice.asp
+
+In u-boot currently all TEE versions supported are based on the Open Portable
+Trusted Execution Environment project. OP-TEE is an open source implementation
+of a TEE.
+
+See https://www.op-tee.org/ for more details.
+
+Supported TEE methods
+---------------------
+
+In u-boot there are two means of installing a TEE
+
+- Installing a TEE (tee-standalone)
+
+ In this case u-boot is responsible for loading the TEE into memory, jumping
+ into the TEE and subsequently handling return of control back to u-boot.
+
+ u-boot then is responsible to load and boot a kernel and DTB in the normal
+ way.
+
+ BootROM/SPL
+ |
+ v
+ u-boot ---->
+ TEE
+ u-boot <----
+ |
+ v
+ Linux
+
+- Chainloading via a TEE (tee-bootable)
+
+ In this case u-boot is responsible for loading the TEE into memory and handing
+ control to the TEE. The TEE then will enter into secure mode boot-strap itself
+ and hand control onto a subsequent boot stage - typically a Linux kernel.
+
+ When chain-loading in this way u-boot is reponsible for loading bootscripts,
+ Kernel, DTB etc into memory.
+
+ BootROM/SPL
+ |
+ v
+ u-boot
+ |
+ v
+ TEE
+ |
+ v
+ Linux
+
+Creating a TEE image with mkimage
+---------------------------------
+
+- "tee" (tee-standalone)
+
+ To identify this type of image to u-boot you should use mkimage like this:
+
+ mkimage -A arm -T tee -C none -d tee-image.bin uTee-standalone
+
+- "tee-bootable"
+
+ mkimage -A arm -T tee-bootable -C none -d tee.bin uTee-bootable
+
+Booting the image types
+-----------------------
+
+- tee-standalone
+
+ For a standalone TEE image you should create or reuse an existing board-port
+ and install the TEE into memory in the appropriate way for your architecture.
+
+ Some TEE implementations may reside in a special SRAM area or have special
+ ROM callbacks in order to setup the TEE correctly.
+
+ eg:
+ board/company/board_name.c
+
+ void board_tee_image_process(ulong tee_image, size_t tee_size)
+ {
+ /* Install TEE into memory as approrpiate here */
+ }
+
+ U_BOOT_FIT_LOADABLE_HANDLER(IH_TYPE_TEE, board_tee_image_process);
+
+- tee-bootable
+
+ For a bootable TEE image you need to load the TEE into an appropriate address
+ in DRAM.
+
+ Once done use the bootm command to execute the image.
+
+ eg:
+ => ext4load mmc 0:1 /lib/firmware/uTee-bootable 0x84000000
+ => bootm 0x84000000
+
+ ## Booting kernel from Legacy Image at 84000000 ...
+ Image Name:
+ Image Type: ARM Linux Trusted Execution Environment Bootable Image (uncompressed)
+ Data Size: 249844 Bytes = 244 KiB
+ Load Address: 9dffffe4
+ Entry Point: 9e000000
+ Verifying Checksum ... OK
+ ## Flattened Device Tree blob at 83000000
+ Booting using the fdt blob at 0x83000000
+ Loading Trusted Execution Environment Bootable Image ... OK
+ Using Device Tree in place at 83000000, end 83009b4d
--
2.7.4
More information about the U-Boot
mailing list