[people/ms/u-boot.git] / doc / README.ti-secure

README on how boot images are created for secure TI devices

CONFIG_TI_SECURE_DEVICE:
Secure TI devices require a boot image that is authenticated by ROM
code to function. Without this, even JTAG remains locked and the
device is essentially useless. In order to create a valid boot image for
a secure device from TI, the initial public software image must be signed
and combined with various headers, certificates, and other binary images.

Information on the details on the complete boot image format can be obtained
from Texas Instruments. The tools used to generate boot images for secure
devices are part of a secure development package (SECDEV) that can be
downloaded from:

	http://www.ti.com/mysecuresoftware (login required)

The secure development package is access controlled due to NDA and export
control restrictions. Access must be requested and granted by TI before the
package is viewable and downloadable. Contact TI, either online or by way
of a local TI representative, to request access.

Booting of U-Boot SPL
=====================

	When CONFIG_TI_SECURE_DEVICE is set, the U-Boot SPL build process
	requires the presence and use of these tools in order to create a
	viable boot image. The build process will look for the environment
	variable TI_SECURE_DEV_PKG, which should be the path of the installed
	SECDEV package. If the TI_SECURE_DEV_PKG variable is not defined or
	if it is defined but doesn't point to a valid SECDEV package, a
	warning is issued during the build to indicate that a final secure
	bootable image was not created.

	Within the SECDEV package exists an image creation script:

	${TI_SECURE_DEV_PKG}/scripts/create-boot-image.sh

	This is called as part of the SPL/u-boot build process. As the secure
	boot image formats and requirements differ between secure SOC from TI,
	the purpose of this script is to abstract these details as much as
	possible.

	The script is basically the only required interface to the TI SECDEV
	package for creating a bootable SPL image for secure TI devices.

	Invoking the script for AM33xx Secure Devices
	=============================================

	create-boot-image.sh \
		<IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR>

	<IMAGE_FLAG> is a value that specifies the type of the image to
	generate OR the action the image generation tool will take. Valid
	values are:
		SPI_X-LOADER - Generates an image for SPI flash (byte swapped)
		X-LOADER - Generates an image for non-XIP flash
		MLO - Generates an image for SD/MMC/eMMC media
		2ND - Generates an image for USB, UART and Ethernet
		XIP_X-LOADER - Generates a single stage u-boot for NOR/QSPI XiP

	<INPUT_FILE> is the full path and filename of the public world boot
	loaderbinary file (depending on the boot media, this is usually
	either u-boot-spl.bin or u-boot.bin).

	<OUTPUT_FILE> is the full path and filename of the final secure
	image. The output binary images should be used in place of the standard
	non-secure binary images (see the platform-specific user's guides and
	releases notes for how the non-secure images are typically used)
	u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash
	u-boot-spl_HS_X-LOADER - boot image for NAND or SD/MMC/eMMC rawmode
	u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC media
	u-boot-spl_HS_2ND - boot image for USB, UART and Ethernet
	u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI Xip flash

	<SPL_LOAD_ADDR> is the address at which SOC ROM should load the
	<INPUT_FILE>

	Invoking the script for AM43xx Secure Devices
	=============================================

	create-boot-image.sh \
		<IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR>

	<IMAGE_FLAG> is a value that specifies the type of the image to
	generate OR the action the image generation tool will take. Valid
	values are:
		SPI_X-LOADER - Generates an image for SPI flash (byte
			swapped)
		XIP_X-LOADER - Generates a single stage u-boot for
			NOR/QSPI XiP
		ISSW - Generates an image for all other boot modes

	<INPUT_FILE> is the full path and filename of the public world boot
	loaderbinary file (depending on the boot media, this is usually
	either u-boot-spl.bin or u-boot.bin).

	<OUTPUT_FILE> is the full path and filename of the final secure
	image. The output binary images should be used in place of the standard
	non-secure binary images (see the platform-specific user's guides and
	releases notes for how the non-secure images are typically used)
	u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash
	u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI flash
	u-boot-spl_HS_ISSW - boot image for all other boot media

	<SPL_LOAD_ADDR> is the address at which SOC ROM should load the
	<INPUT_FILE>

	Invoking the script for DRA7xx/AM57xx Secure Devices
	====================================================

	create-boot-image.sh <IMAGE_TYPE> <INPUT_FILE> <OUTPUT_FILE>

	<IMAGE_TYPE> is a value that specifies the type of the image to
	generate OR the action the image generation tool will take. Valid
	values are:
		X-LOADER - Generates an image for NOR or QSPI boot modes
		MLO - Generates an image for SD/MMC/eMMC boot modes
		ULO - Generates an image for USB/UART peripheral boot modes
		Note: ULO is not yet used by the u-boot build process

	<INPUT_FILE> is the full path and filename of the public world boot
	loader binary file (for this platform, this is always u-boot-spl.bin).

	<OUTPUT_FILE> is the full path and filename of the final secure image.
	The output binary images should be used in place of the standard
	non-secure binary images (see the platform-specific user's guides
	and releases notes for how the non-secure images are typically used)
	u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC. This image is
		copied to a file named MLO, which is the name that
		the device ROM bootloader requires for loading from
		the FAT partition of an SD card (same as on
		non-secure devices)
	u-boot-spl_HS_X-LOADER - boot image for all other flash memories
		including QSPI and NOR flash

	Invoking the script for Keystone2 Secure Devices
	=============================================

	create-boot-image.sh \
		<UNUSED> <INPUT_FILE> <OUTPUT_FILE> <UNUSED>

	<UNUSED> is currently ignored and reserved for future use.

	<INPUT_FILE> is the full path and filename of the public world boot
	loader binary file (only u-boot.bin is currently supported on
	Keystone2 devices, u-boot-spl.bin is not currently supported).

	<OUTPUT_FILE> is the full path and filename of the final secure image.
	The output binary images should be used in place of the standard
	non-secure binary images (see the platform-specific user's guides
	and releases notes for how the non-secure images are typically used)
	u-boot_HS_MLO - signed and encrypted boot image that can be used to
		boot from all media. Secure boot from SPI NOR flash is not
		currently supported.

Booting of Primary U-Boot (u-boot.img)
======================================

	The SPL image is responsible for loading the next stage boot loader,
	which is the main u-boot image. For secure TI devices, the SPL will
	be authenticated, as described above, as part of the particular
	device's ROM boot process. In order to continue the secure boot
	process, the authenticated SPL must authenticate the main u-boot
	image that it loads.

	The configurations for secure TI platforms are written to make the boot
	process use the FIT image format for the u-boot.img (CONFIG_SPL_FRAMEWORK
	and CONFIG_SPL_LOAD_FIT). With these configurations the binary
	components that the SPL loads include a specific DTB image and u-boot
	image. These DTB image may be one of many available to the boot
	process. In order to secure these components so that they can be
	authenticated by the SPL as they are loaded from the FIT image,	the
	build procedure for secure TI devices will secure these images before
	they are integrated into the FIT image. When those images are extracted
	from the FIT image at boot time, they are post-processed to verify that
	they are still secure. The outlined security-related SPL post-processing
	is enabled through the CONFIG_SPL_FIT_IMAGE_POST_PROCESS option which
	must be enabled for the secure boot scheme to work. In order to allow
	verifying proper operation of the secure boot chain in case of successful
	authentication messages like "Authentication passed: CERT_U-BOOT-NOD" are
	output by the SPL to the console for each blob that got extracted from the
	FIT image. Note that the last part of this log message is the (truncated)
	name of the signing certificate embedded into the blob that got processed.

	The exact details of the how the images are secured is handled by the
	SECDEV package. Within the SECDEV package exists a script to process
	an input binary image:

	${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh

	This is called as part of the u-boot build process. As the secure
	image formats and requirements can differ between the various secure
	SOCs from TI, this script in the SECDEV package abstracts these
	details. This script is essentially the only required interface to the
	TI SECDEV package for creating a u-boot.img image for secure TI
	devices.

	The SPL/u-boot code contains calls to dedicated secure ROM functions
	to perform the validation on the secured images. The details of the
	interface to those functions is shown in the code. The summary
	is that they are accessed by invoking an ARM secure monitor call to
	the device's secure ROM (fixed read-only-memory that is secure and
	only accessible when the ARM core is operating in the secure mode).

	Invoking the secure-binary-image script for Secure Devices
	==========================================================

	secure-binary-image.sh <INPUT_FILE> <OUTPUT_FILE>

	<INPUT_FILE> is the full path and filename of the input binary image

	<OUTPUT_FILE> is the full path and filename of the output secure image.
Commit	Line	Data
98350f7f DA	1	README on how boot images are created for secure TI devices
	2
	3	CONFIG_TI_SECURE_DEVICE:
	4	Secure TI devices require a boot image that is authenticated by ROM
	5	code to function. Without this, even JTAG remains locked and the
	6	device is essentially useless. In order to create a valid boot image for
	7	a secure device from TI, the initial public software image must be signed
	8	and combined with various headers, certificates, and other binary images.
	9
	10	Information on the details on the complete boot image format can be obtained
	11	from Texas Instruments. The tools used to generate boot images for secure
	12	devices are part of a secure development package (SECDEV) that can be
	13	downloaded from:
	14
	15	http://www.ti.com/mysecuresoftware (login required)
	16
	17	The secure development package is access controlled due to NDA and export
	18	control restrictions. Access must be requested and granted by TI before the
	19	package is viewable and downloadable. Contact TI, either online or by way
	20	of a local TI representative, to request access.
	21
8662bea3 AD	22	Booting of U-Boot SPL
	23	=====================
	24
	25	When CONFIG_TI_SECURE_DEVICE is set, the U-Boot SPL build process
	26	requires the presence and use of these tools in order to create a
	27	viable boot image. The build process will look for the environment
	28	variable TI_SECURE_DEV_PKG, which should be the path of the installed
	29	SECDEV package. If the TI_SECURE_DEV_PKG variable is not defined or
	30	if it is defined but doesn't point to a valid SECDEV package, a
	31	warning is issued during the build to indicate that a final secure
	32	bootable image was not created.
	33
	34	Within the SECDEV package exists an image creation script:
	35
	36	${TI_SECURE_DEV_PKG}/scripts/create-boot-image.sh
	37
	38	This is called as part of the SPL/u-boot build process. As the secure
	39	boot image formats and requirements differ between secure SOC from TI,
	40	the purpose of this script is to abstract these details as much as
	41	possible.
	42
	43	The script is basically the only required interface to the TI SECDEV
	44	package for creating a bootable SPL image for secure TI devices.
	45
f7160eac AD	46	Invoking the script for AM33xx Secure Devices
	47	=============================================
	48
	49	create-boot-image.sh \
	50	<IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR>
	51
	52	<IMAGE_FLAG> is a value that specifies the type of the image to
	53	generate OR the action the image generation tool will take. Valid
	54	values are:
	55	SPI_X-LOADER - Generates an image for SPI flash (byte swapped)
	56	X-LOADER - Generates an image for non-XIP flash
	57	MLO - Generates an image for SD/MMC/eMMC media
	58	2ND - Generates an image for USB, UART and Ethernet
	59	XIP_X-LOADER - Generates a single stage u-boot for NOR/QSPI XiP
	60
	61	<INPUT_FILE> is the full path and filename of the public world boot
	62	loaderbinary file (depending on the boot media, this is usually
	63	either u-boot-spl.bin or u-boot.bin).
	64
	65	<OUTPUT_FILE> is the full path and filename of the final secure
	66	image. The output binary images should be used in place of the standard
	67	non-secure binary images (see the platform-specific user's guides and
	68	releases notes for how the non-secure images are typically used)
	69	u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash
	70	u-boot-spl_HS_X-LOADER - boot image for NAND or SD/MMC/eMMC rawmode
	71	u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC media
	72	u-boot-spl_HS_2ND - boot image for USB, UART and Ethernet
	73	u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI Xip flash
	74
	75	<SPL_LOAD_ADDR> is the address at which SOC ROM should load the
	76	<INPUT_FILE>
	77
8662bea3 AD	78	Invoking the script for AM43xx Secure Devices
	79	=============================================
	80
	81	create-boot-image.sh \
	82	<IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR>
	83
	84	<IMAGE_FLAG> is a value that specifies the type of the image to
	85	generate OR the action the image generation tool will take. Valid
	86	values are:
	87	SPI_X-LOADER - Generates an image for SPI flash (byte
	88	swapped)
	89	XIP_X-LOADER - Generates a single stage u-boot for
	90	NOR/QSPI XiP
	91	ISSW - Generates an image for all other boot modes
	92
	93	<INPUT_FILE> is the full path and filename of the public world boot
	94	loaderbinary file (depending on the boot media, this is usually
	95	either u-boot-spl.bin or u-boot.bin).
	96
	97	<OUTPUT_FILE> is the full path and filename of the final secure
	98	image. The output binary images should be used in place of the standard
	99	non-secure binary images (see the platform-specific user's guides and
	100	releases notes for how the non-secure images are typically used)
98350f7f DA	101	u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash
	102	u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI flash
	103	u-boot-spl_HS_ISSW - boot image for all other boot media
	104
8662bea3 AD	105	<SPL_LOAD_ADDR> is the address at which SOC ROM should load the
8662bea3 AD	106	<INPUT_FILE>
98350f7f	107
8662bea3 AD	108	Invoking the script for DRA7xx/AM57xx Secure Devices
8662bea3 AD	109	====================================================
98350f7f	110
8662bea3	111	create-boot-image.sh <IMAGE_TYPE> <INPUT_FILE> <OUTPUT_FILE>
98350f7f	112
8662bea3 AD	113	<IMAGE_TYPE> is a value that specifies the type of the image to
	114	generate OR the action the image generation tool will take. Valid
	115	values are:
	116	X-LOADER - Generates an image for NOR or QSPI boot modes
	117	MLO - Generates an image for SD/MMC/eMMC boot modes
	118	ULO - Generates an image for USB/UART peripheral boot modes
	119	Note: ULO is not yet used by the u-boot build process
98350f7f	120
8662bea3 AD	121	<INPUT_FILE> is the full path and filename of the public world boot
8662bea3 AD	122	loader binary file (for this platform, this is always u-boot-spl.bin).
98350f7f	123
8662bea3 AD	124	<OUTPUT_FILE> is the full path and filename of the final secure image.
	125	The output binary images should be used in place of the standard
	126	non-secure binary images (see the platform-specific user's guides
	127	and releases notes for how the non-secure images are typically used)
98350f7f DA	128	u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC. This image is
	129	copied to a file named MLO, which is the name that
	130	the device ROM bootloader requires for loading from
	131	the FAT partition of an SD card (same as on
	132	non-secure devices)
	133	u-boot-spl_HS_X-LOADER - boot image for all other flash memories
	134	including QSPI and NOR flash
8662bea3	135
4fce6554 MS	136	Invoking the script for Keystone2 Secure Devices
	137	=============================================
	138
	139	create-boot-image.sh \
	140	<UNUSED> <INPUT_FILE> <OUTPUT_FILE> <UNUSED>
	141
	142	<UNUSED> is currently ignored and reserved for future use.
	143
	144	<INPUT_FILE> is the full path and filename of the public world boot
	145	loader binary file (only u-boot.bin is currently supported on
	146	Keystone2 devices, u-boot-spl.bin is not currently supported).
	147
	148	<OUTPUT_FILE> is the full path and filename of the final secure image.
	149	The output binary images should be used in place of the standard
	150	non-secure binary images (see the platform-specific user's guides
	151	and releases notes for how the non-secure images are typically used)
	152	u-boot_HS_MLO - signed and encrypted boot image that can be used to
	153	boot from all media. Secure boot from SPI NOR flash is not
	154	currently supported.
	155
8662bea3 AD	156	Booting of Primary U-Boot (u-boot.img)
	157	======================================
	158
	159	The SPL image is responsible for loading the next stage boot loader,
	160	which is the main u-boot image. For secure TI devices, the SPL will
	161	be authenticated, as described above, as part of the particular
	162	device's ROM boot process. In order to continue the secure boot
	163	process, the authenticated SPL must authenticate the main u-boot
	164	image that it loads.
	165
	166	The configurations for secure TI platforms are written to make the boot
	167	process use the FIT image format for the u-boot.img (CONFIG_SPL_FRAMEWORK
	168	and CONFIG_SPL_LOAD_FIT). With these configurations the binary
	169	components that the SPL loads include a specific DTB image and u-boot
	170	image. These DTB image may be one of many available to the boot
	171	process. In order to secure these components so that they can be
	172	authenticated by the SPL as they are loaded from the FIT image, the
	173	build procedure for secure TI devices will secure these images before
	174	they are integrated into the FIT image. When those images are extracted
	175	from the FIT image at boot time, they are post-processed to verify that
	176	they are still secure. The outlined security-related SPL post-processing
	177	is enabled through the CONFIG_SPL_FIT_IMAGE_POST_PROCESS option which
	178	must be enabled for the secure boot scheme to work. In order to allow
	179	verifying proper operation of the secure boot chain in case of successful
	180	authentication messages like "Authentication passed: CERT_U-BOOT-NOD" are
	181	output by the SPL to the console for each blob that got extracted from the
	182	FIT image. Note that the last part of this log message is the (truncated)
	183	name of the signing certificate embedded into the blob that got processed.
	184
	185	The exact details of the how the images are secured is handled by the
	186	SECDEV package. Within the SECDEV package exists a script to process
	187	an input binary image:
	188
	189	${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh
	190
	191	This is called as part of the u-boot build process. As the secure
	192	image formats and requirements can differ between the various secure
	193	SOCs from TI, this script in the SECDEV package abstracts these
	194	details. This script is essentially the only required interface to the
	195	TI SECDEV package for creating a u-boot.img image for secure TI
	196	devices.
	197
	198	The SPL/u-boot code contains calls to dedicated secure ROM functions
	199	to perform the validation on the secured images. The details of the
	200	interface to those functions is shown in the code. The summary
	201	is that they are accessed by invoking an ARM secure monitor call to
	202	the device's secure ROM (fixed read-only-memory that is secure and
	203	only accessible when the ARM core is operating in the secure mode).
	204
	205	Invoking the secure-binary-image script for Secure Devices
	206	==========================================================
	207
	208	secure-binary-image.sh <INPUT_FILE> <OUTPUT_FILE>
	209
	210	<INPUT_FILE> is the full path and filename of the input binary image
	211
	212	<OUTPUT_FILE> is the full path and filename of the output secure image.