[PATCH v6 8/8] docs: k3: Add secure booting documentation

Manorit Chawdhry m-chawdhry at ti.com
Wed Dec 6 10:51:30 CET 2023 

This commit adds a general flow to explain the usage of firewalls and
the chain of trust in K3 devices.

Signed-off-by: Manorit Chawdhry <m-chawdhry at ti.com>
---
 doc/board/ti/k3.rst | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/doc/board/ti/k3.rst b/doc/board/ti/k3.rst
index 947b86ba8292..60d04c5708be 100644
--- a/doc/board/ti/k3.rst
+++ b/doc/board/ti/k3.rst
@@ -104,6 +104,51 @@ firmware can be loaded on the now free core in the wakeup domain.
 For more information on the bootup process of your SoC, consult the
 device specific boot flow documentation.
 
+Secure Boot
+^^^^^^^^^^^
+
+K3 HS-SE devices are used for authenticated boot flow with secure boot.
+HS-FS devices have optional authentication in the flow and doesn't "require"
+authentication unless converted to HS-SE devices.
+
+Chain of trust
+""""""""""""""
+
+1) SMS starts up and loads the authenticated ROM code in Wakeup Domain
+2) ROM code starts up and loads the authenticated tiboot3.bin in Wakeup
+   Domain
+3) Wakeup SPL (tiboot3.bin) would authenticate the next set of binaries
+   (ATF,OP-TEE,DM,SPL,etc.)
+4) After ATF and OP-TEE load, ARMV8 U-boot authenticates the next set of
+   binaries (Linux and DTBs) if using FIT Image authentication and having a
+   signature node in U-boot.
+
+Steps 1-3 are all authenticated by either the ROM code or TIFS as the
+authenticating entity and step 4 uses U-boot standard mechanism for
+authenticating.
+
+All the authentication that are done for ROM/TIFS are done through x509
+certificates that are signed.
+
+Firewalls
+"""""""""
+
+1) ROM comes up and sets up firewalls that are needed by itself
+2) TIFS (in multicertificate will setup it's own firewalls)
+3) R5 SPL comes along and opens up other firewalls ( that are not owned by
+   anyone - essentially firewalls that were setup by ROM but are not needed
+   anymore)
+4) Each stage beyond this: such as tispl.bin containing TFA/OPTEE uses OIDs to
+   set up firewalls to protect themselves (enforced by TIFS)
+5) TFA/OP-TEE can configure other firewalls at runtime if required as they
+   are already authenticated and firewalled off from illegal access.
+6) A53 SPL and U-boot itself startups but has no ability to change the
+   protection firewalls enforced by x509 OIDs or any other firewalls
+   configured by ROM/TIFS in the beginning.
+
+Futhur, firewalls have a lockdown bit in hardware that enforces the setting
+(and cannot be over-ridden) till the full system is resetted.
+
 Software Sources
 ----------------
 

-- 
2.41.0

More information about the U-Boot mailing list