Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 1 | README on how boot images are created for secure TI devices |
| 2 | |
| 3 | CONFIG_TI_SECURE_DEVICE: |
| 4 | Secure TI devices require a boot image that is authenticated by ROM |
| 5 | code to function. Without this, even JTAG remains locked and the |
| 6 | device is essentially useless. In order to create a valid boot image for |
| 7 | a secure device from TI, the initial public software image must be signed |
| 8 | and combined with various headers, certificates, and other binary images. |
| 9 | |
| 10 | Information on the details on the complete boot image format can be obtained |
| 11 | from Texas Instruments. The tools used to generate boot images for secure |
| 12 | devices are part of a secure development package (SECDEV) that can be |
| 13 | downloaded from: |
| 14 | |
| 15 | http://www.ti.com/mysecuresoftware (login required) |
| 16 | |
| 17 | The secure development package is access controlled due to NDA and export |
| 18 | control restrictions. Access must be requested and granted by TI before the |
| 19 | package is viewable and downloadable. Contact TI, either online or by way |
| 20 | of a local TI representative, to request access. |
| 21 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 22 | Booting of U-Boot SPL |
| 23 | ===================== |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 24 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 25 | When CONFIG_TI_SECURE_DEVICE is set, the U-Boot SPL build process |
| 26 | requires the presence and use of these tools in order to create a |
| 27 | viable boot image. The build process will look for the environment |
| 28 | variable TI_SECURE_DEV_PKG, which should be the path of the installed |
| 29 | SECDEV package. If the TI_SECURE_DEV_PKG variable is not defined or |
| 30 | if it is defined but doesn't point to a valid SECDEV package, a |
| 31 | warning is issued during the build to indicate that a final secure |
| 32 | bootable image was not created. |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 33 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 34 | Within the SECDEV package exists an image creation script: |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 35 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 36 | ${TI_SECURE_DEV_PKG}/scripts/create-boot-image.sh |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 37 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 38 | This is called as part of the SPL/u-boot build process. As the secure |
| 39 | boot image formats and requirements differ between secure SOC from TI, |
| 40 | the purpose of this script is to abstract these details as much as |
| 41 | possible. |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 42 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 43 | The script is basically the only required interface to the TI SECDEV |
| 44 | package for creating a bootable SPL image for secure TI devices. |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 45 | |
Andrew F. Davis | f7160ea | 2016-08-30 14:06:22 -0500 | [diff] [blame] | 46 | Invoking the script for AM33xx Secure Devices |
| 47 | ============================================= |
| 48 | |
| 49 | create-boot-image.sh \ |
| 50 | <IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR> |
| 51 | |
| 52 | <IMAGE_FLAG> is a value that specifies the type of the image to |
| 53 | generate OR the action the image generation tool will take. Valid |
| 54 | values are: |
| 55 | SPI_X-LOADER - Generates an image for SPI flash (byte swapped) |
| 56 | X-LOADER - Generates an image for non-XIP flash |
| 57 | MLO - Generates an image for SD/MMC/eMMC media |
| 58 | 2ND - Generates an image for USB, UART and Ethernet |
| 59 | XIP_X-LOADER - Generates a single stage u-boot for NOR/QSPI XiP |
| 60 | |
| 61 | <INPUT_FILE> is the full path and filename of the public world boot |
| 62 | loaderbinary file (depending on the boot media, this is usually |
| 63 | either u-boot-spl.bin or u-boot.bin). |
| 64 | |
| 65 | <OUTPUT_FILE> is the full path and filename of the final secure |
| 66 | image. The output binary images should be used in place of the standard |
| 67 | non-secure binary images (see the platform-specific user's guides and |
| 68 | releases notes for how the non-secure images are typically used) |
| 69 | u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash |
| 70 | u-boot-spl_HS_X-LOADER - boot image for NAND or SD/MMC/eMMC rawmode |
| 71 | u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC media |
| 72 | u-boot-spl_HS_2ND - boot image for USB, UART and Ethernet |
| 73 | u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI Xip flash |
| 74 | |
| 75 | <SPL_LOAD_ADDR> is the address at which SOC ROM should load the |
| 76 | <INPUT_FILE> |
| 77 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 78 | Invoking the script for AM43xx Secure Devices |
| 79 | ============================================= |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 80 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 81 | create-boot-image.sh \ |
| 82 | <IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR> |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 83 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 84 | <IMAGE_FLAG> is a value that specifies the type of the image to |
| 85 | generate OR the action the image generation tool will take. Valid |
| 86 | values are: |
| 87 | SPI_X-LOADER - Generates an image for SPI flash (byte |
| 88 | swapped) |
| 89 | XIP_X-LOADER - Generates a single stage u-boot for |
| 90 | NOR/QSPI XiP |
| 91 | ISSW - Generates an image for all other boot modes |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 92 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 93 | <INPUT_FILE> is the full path and filename of the public world boot |
| 94 | loaderbinary file (depending on the boot media, this is usually |
| 95 | either u-boot-spl.bin or u-boot.bin). |
| 96 | |
| 97 | <OUTPUT_FILE> is the full path and filename of the final secure |
| 98 | image. The output binary images should be used in place of the standard |
| 99 | non-secure binary images (see the platform-specific user's guides and |
| 100 | releases notes for how the non-secure images are typically used) |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 101 | u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash |
| 102 | u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI flash |
| 103 | u-boot-spl_HS_ISSW - boot image for all other boot media |
| 104 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 105 | <SPL_LOAD_ADDR> is the address at which SOC ROM should load the |
| 106 | <INPUT_FILE> |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 107 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 108 | Invoking the script for DRA7xx/AM57xx Secure Devices |
| 109 | ==================================================== |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 110 | |
Andrew F. Davis | eca61ae | 2019-01-28 11:43:26 -0600 | [diff] [blame] | 111 | create-boot-image.sh \ |
| 112 | <IMAGE_TYPE> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR> |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 113 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 114 | <IMAGE_TYPE> is a value that specifies the type of the image to |
| 115 | generate OR the action the image generation tool will take. Valid |
| 116 | values are: |
| 117 | X-LOADER - Generates an image for NOR or QSPI boot modes |
| 118 | MLO - Generates an image for SD/MMC/eMMC boot modes |
| 119 | ULO - Generates an image for USB/UART peripheral boot modes |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 120 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 121 | <INPUT_FILE> is the full path and filename of the public world boot |
| 122 | loader binary file (for this platform, this is always u-boot-spl.bin). |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 123 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 124 | <OUTPUT_FILE> is the full path and filename of the final secure image. |
| 125 | The output binary images should be used in place of the standard |
| 126 | non-secure binary images (see the platform-specific user's guides |
| 127 | and releases notes for how the non-secure images are typically used) |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 128 | u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC. This image is |
| 129 | copied to a file named MLO, which is the name that |
| 130 | the device ROM bootloader requires for loading from |
| 131 | the FAT partition of an SD card (same as on |
| 132 | non-secure devices) |
Andrew F. Davis | eca61ae | 2019-01-28 11:43:26 -0600 | [diff] [blame] | 133 | u-boot-spl_HS_ULO - boot image for USB/UART peripheral boot modes |
Daniel Allred | 98350f7 | 2016-05-19 19:10:41 -0500 | [diff] [blame] | 134 | u-boot-spl_HS_X-LOADER - boot image for all other flash memories |
| 135 | including QSPI and NOR flash |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 136 | |
Andrew F. Davis | eca61ae | 2019-01-28 11:43:26 -0600 | [diff] [blame] | 137 | <SPL_LOAD_ADDR> is the address at which SOC ROM should load the |
| 138 | <INPUT_FILE> |
| 139 | |
Madan Srinivas | 4fce655 | 2017-04-07 10:00:07 -0500 | [diff] [blame] | 140 | Invoking the script for Keystone2 Secure Devices |
| 141 | ============================================= |
| 142 | |
| 143 | create-boot-image.sh \ |
| 144 | <UNUSED> <INPUT_FILE> <OUTPUT_FILE> <UNUSED> |
| 145 | |
| 146 | <UNUSED> is currently ignored and reserved for future use. |
| 147 | |
| 148 | <INPUT_FILE> is the full path and filename of the public world boot |
| 149 | loader binary file (only u-boot.bin is currently supported on |
| 150 | Keystone2 devices, u-boot-spl.bin is not currently supported). |
| 151 | |
| 152 | <OUTPUT_FILE> is the full path and filename of the final secure image. |
| 153 | The output binary images should be used in place of the standard |
| 154 | non-secure binary images (see the platform-specific user's guides |
| 155 | and releases notes for how the non-secure images are typically used) |
| 156 | u-boot_HS_MLO - signed and encrypted boot image that can be used to |
| 157 | boot from all media. Secure boot from SPI NOR flash is not |
| 158 | currently supported. |
| 159 | |
Andreas Dannenberg | 8662bea | 2016-06-27 09:19:24 -0500 | [diff] [blame] | 160 | Booting of Primary U-Boot (u-boot.img) |
| 161 | ====================================== |
| 162 | |
| 163 | The SPL image is responsible for loading the next stage boot loader, |
| 164 | which is the main u-boot image. For secure TI devices, the SPL will |
| 165 | be authenticated, as described above, as part of the particular |
| 166 | device's ROM boot process. In order to continue the secure boot |
| 167 | process, the authenticated SPL must authenticate the main u-boot |
| 168 | image that it loads. |
| 169 | |
| 170 | The configurations for secure TI platforms are written to make the boot |
| 171 | process use the FIT image format for the u-boot.img (CONFIG_SPL_FRAMEWORK |
| 172 | and CONFIG_SPL_LOAD_FIT). With these configurations the binary |
| 173 | components that the SPL loads include a specific DTB image and u-boot |
| 174 | image. These DTB image may be one of many available to the boot |
| 175 | process. In order to secure these components so that they can be |
| 176 | authenticated by the SPL as they are loaded from the FIT image, the |
| 177 | build procedure for secure TI devices will secure these images before |
| 178 | they are integrated into the FIT image. When those images are extracted |
| 179 | from the FIT image at boot time, they are post-processed to verify that |
| 180 | they are still secure. The outlined security-related SPL post-processing |
| 181 | is enabled through the CONFIG_SPL_FIT_IMAGE_POST_PROCESS option which |
| 182 | must be enabled for the secure boot scheme to work. In order to allow |
| 183 | verifying proper operation of the secure boot chain in case of successful |
| 184 | authentication messages like "Authentication passed: CERT_U-BOOT-NOD" are |
| 185 | output by the SPL to the console for each blob that got extracted from the |
| 186 | FIT image. Note that the last part of this log message is the (truncated) |
| 187 | name of the signing certificate embedded into the blob that got processed. |
| 188 | |
| 189 | The exact details of the how the images are secured is handled by the |
| 190 | SECDEV package. Within the SECDEV package exists a script to process |
| 191 | an input binary image: |
| 192 | |
| 193 | ${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh |
| 194 | |
| 195 | This is called as part of the u-boot build process. As the secure |
| 196 | image formats and requirements can differ between the various secure |
| 197 | SOCs from TI, this script in the SECDEV package abstracts these |
| 198 | details. This script is essentially the only required interface to the |
| 199 | TI SECDEV package for creating a u-boot.img image for secure TI |
| 200 | devices. |
| 201 | |
| 202 | The SPL/u-boot code contains calls to dedicated secure ROM functions |
| 203 | to perform the validation on the secured images. The details of the |
| 204 | interface to those functions is shown in the code. The summary |
| 205 | is that they are accessed by invoking an ARM secure monitor call to |
| 206 | the device's secure ROM (fixed read-only-memory that is secure and |
| 207 | only accessible when the ARM core is operating in the secure mode). |
| 208 | |
| 209 | Invoking the secure-binary-image script for Secure Devices |
| 210 | ========================================================== |
| 211 | |
| 212 | secure-binary-image.sh <INPUT_FILE> <OUTPUT_FILE> |
| 213 | |
| 214 | <INPUT_FILE> is the full path and filename of the input binary image |
| 215 | |
| 216 | <OUTPUT_FILE> is the full path and filename of the output secure image. |