[people/ms/u-boot.git] / doc / README.armada-secureboot

The trusted boot framework on Marvell Armada 38x
================================================

Contents:

1. Overview of the trusted boot
2. Terminology
3. Boot image layout
4. The secured header
5. The secured boot flow
6. Usage example
7. Work to be done
8. Bibliography

1. Overview of the trusted boot
-------------------------------

The Armada's trusted boot framework enables the SoC to cryptographically verify
a specially prepared boot image. This can be used to establish a chain of trust
from the boot firmware all the way to the OS.

To achieve this, the Armada SoC requires a specially prepared boot image, which
contains the relevant cryptographic data, as well as other information
pertaining to the boot process. Furthermore, a eFuse structure (a
one-time-writeable memory) need to be configured in the correct way.

Roughly, the secure boot process works as follows:

* Load the header block of the boot image, extract a special "root" public RSA
  key from it, and verify its SHA-256 hash against a SHA-256 stored in a eFuse
  field.
* Load an array of code signing public RSA keys from the header block, and
  verify its RSA signature (contained in the header block as well) using the
  "root" RSA key.
* Choose a code signing key, and use it to verify the header block (excluding
  the key array).
* Verify the binary image's signature (contained in the header block) using the
  code signing key.
* If all checks pass successfully, boot the image.

The chain of trust is thus as follows:

* The SHA-256 value in the eFuse field verifies the "root" public key.
* The "root" public key verifies the code signing key array.
* The selected code signing key verifies the header block and the binary image.

In the special case of building a boot image containing U-Boot as the binary
image, which employs this trusted boot framework, the following tasks need to
be addressed:

1. Creation of the needed cryptographic key material.
2. Creation of a conforming boot image containing the U-Boot image as binary
   image.
3. Burning the necessary eFuse values.

(1) will be addressed later, (2) will be taken care of by U-Boot's build
system (some user configuration is required, though), and for (3) the necessary
data (essentially a series of U-Boot commands to be entered at the U-Boot
command prompt) will be created by the build system as well.

The documentation of the trusted boot mode is contained in part 1, chapter
7.2.5 in the functional specification [1], and in application note [2].

2. Terminology
--------------

	           CSK - Code Signing Key(s): An array of RSA key pairs, which
                         are used to sign and verify the secured header and the
                         boot loader image.
	           KAK - Key Authentication Key: A RSA key pair, which is used
                         to sign and verify the array of CSKs.
	  Header block - The first part of the boot image, which contains the
			 image's headers (also known as "headers block", "boot
			 header", and "image header")
                 eFuse - A one-time-writeable memory.
               BootROM - The Armada's built-in boot firmware, which is
                         responsible for verifying and starting secure images.
	    Boot image - The complete image the SoC's boot firmware loads
			 (contains the header block and the binary image)
	   Main header - The header in the header block containing information
			 and data pertaining to the boot process (used for both
			 the regular and secured boot processes)
	  Binary image - The binary code payload of the boot image; in this
			 case the U-Boot's code (also known as "source image",
			 or just "image")
	Secured header - The specialized header in the header block that
			 contains information and data pertaining to the
			 trusted boot (also known as "security header")
     Secured boot mode - A special boot mode of the Armada SoC in which secured
                         images are verified (non-secure images won't boot);
                         the mode is activated by setting a eFuse field.
    Trusted debug mode - A special mode for the trusted boot that allows
			 debugging of devices employing the trusted boot
			 framework in a secure manner (untested in the current
			 implementation).
Trusted boot framework - The ARMADA SoC's implementation of a secure verified
                         boot process.

3. Boot image layout
--------------------

+-- Boot image --------------------------------------------+
|                                                          |
| +-- Header block --------------------------------------+ |
| | Main header                                          | |
| +------------------------------------------------------+ |
| | Secured header                                       | |
| +------------------------------------------------------+ |
| | BIN header(s)                                        | |
| +------------------------------------------------------+ |
| | REG header(s)                                        | |
| +------------------------------------------------------+ |
| | Padding                                              | |
| +------------------------------------------------------+ |
|                                                          |
| +------------------------------------------------------+ |
| | Binary image + checksum                              | |
| +------------------------------------------------------+ |
+----------------------------------------------------------+

4. The secured header
---------------------

For the trusted boot framework, a additional header is added to the boot image.
The following data are relevant for the secure boot:

		   KAK: The KAK is contained in the secured header in the form
		        of a RSA-2048 public key in DER format with a length of
			524 bytes.
Header block signature: The RSA signature of the header block (excluding the
                        CSK array), created using the selected CSK.
Binary image signature: The RSA signature of the binary image, created using
                        the selected CSK.
             CSK array: The array of the 16 CSKs as RSA-2048 public keys in DER
	                format with a length of 8384 = 16 * 524 bytes.
   CSK block signature: The RSA signature of the CSK array, created using the
                        KAK.

NOTE: The JTAG delay, Box ID, and Flash ID header fields do play a role in the
trusted boot process to enable and configure secure debugging, but they were
not tested in the current implementation of the trusted boot in U-Boot.

5. The secured boot flow
------------------------

The steps in the boot flow that are relevant for the trusted boot framework
proceed as follows:

1) Check if trusted boot is enabled, and perform regular boot if it is not.
2) Load the secured header, and verify its checksum.
3) Select the lowest valid CSK from CSK0 to CSK15.
4) Verify the SHA-256 hash of the KAK embedded in the secured header.
5) Verify the RSA signature of the CSK block from the secured header with the
   KAK.
6) Verify the header block signature (which excludes the CSK block) from the
   secured header with the selected CSK.
7) Load the binary image to the main memory and verify its checksum.
8) Verify the binary image's RSA signature from the secured header with the
   selected CSK.
9) Continue the boot process as in the case of the regular boot.

NOTE: All RSA signatures are verified according to the PKCS #1 v2.1 standard
described in [3].

NOTE: The Box ID and Flash ID are checked after step 6, and the trusted debug
mode may be entered there, but since this mode is untested in the current
implementation, it is not described further.

6. Usage example
----------------

### Create key material

To employ the trusted boot framework, cryptographic key material needs to be
created. In the current implementation, two keys are needed to build a valid
secured boot image: The KAK private key and a CSK private key (both have to be
2048 bit RSA keys in PEM format). Note that the usage of more than one CSK is
currently not supported.

NOTE: Since the public key can be generated from the private key, it is
sufficient to store the private key for each key pair.

OpenSSL can be used to generate the needed files kwb_kak.key and kwb_csk.key
(the names of these files have to be configured, see the next section on
kwbimage.cfg settings):

openssl genrsa -out kwb_kak.key 2048
openssl genrsa -out kwb_csk.key 2048

The generated files have to be placed in the U-Boot root directory.

Alternatively, instead of copying the files, symlinks to the private keys can
be placed in the U-Boot root directory.

WARNING: Knowledge of the KAK or CSK private key would enable an attacker to
generate secured boot images containing arbitrary code. Hence, the private keys
should be carefully guarded.

### Create/Modifiy kwbimage.cfg

The Kirkwook architecture in U-Boot employs a special board-specific
configuration file (kwbimage.cfg), which controls various boot image settings
that are interpreted by the BootROM, such as the boot medium. The support the
trusted boot framework, several new options were added to faciliate
configuration of the secured boot.

The configuration file's layout has been retained, only the following new
options were added:

		KAK - The name of the KAK RSA private key file in the U-Boot
                      root directory, without the trailing extension of ".key".
		CSK - The name of the (active) CSK RSA private key file in the
		      U-Boot root directory, without the trailing extension of
		      ".key".
	     BOX_ID - The BoxID to be used for trusted debugging (a integer
	              value).
	   FLASH_ID - The FlashID to be used for trusted debugging (a integer
	              value).
	 JTAG_DELAY - The JTAG delay to be used for trusted debugging (a
	              integer value).
          CSK_INDEX - The index of the active CSK (a integer value).
SEC_SPECIALIZED_IMG - Flag to indicate whether to include the BoxID and FlashID
		      in the image (that is, whether to use the trusted debug
		      mode or not); no parameters.
       SEC_BOOT_DEV - The boot device from which the trusted boot is allowed to
		      proceed, identified via a numeric ID. The tested values
		      are 0x34 = NOR flash, 0x31 = SDIO/MMC card; for
		      additional ID values, consult the documentation in [1].
      SEC_FUSE_DUMP - Dump the "fuse prog" commands necessary for writing the
		      correct eFuse values to a text file in the U-Boot root
		      directory. The parameter is the architecture for which to
		      dump the commands (currently only "a38x" is supported).

The parameter values may be hardcoded into the file, but it is also possible to
employ a dynamic approach of creating a Autoconf-like kwbimage.cfg.in, then
reading configuration values from Kconfig options or from the board config
file, and generating the actual kwbimage.cfg from this template using Makefile
mechanisms (see board/gdsys/a38x/Makefile as an example for this approach).

### Set config options

To enable the generation of trusted boot images, the corresponding support
needs to be activated, and a index for the active CSK needs to be selected as
well.

Furthermore, eFuse writing support has to be activated in order to burn the
eFuse structure's values (this option is just needed for programming the eFuse
structure; production boot images may disable it).

ARM architecture
 -> [*] Build image for trusted boot
    (0)   Index of active CSK
 -> [*] Enable eFuse support
    [ ]   Fake eFuse access (dry run)

### Build and test boot image

The creation of the boot image is done via the usual invocation of make (with a
suitably set CROSS_COMPILE environment variable, of course). The resulting boot
image u-boot-spl.kwb can then be tested, if so desired. The hdrparser from [5]
can be used for this purpose. To build the tool, invoke make in the
'tools/marvell/doimage_mv' directory of [5], which builds a stand-alone
hdrparser executable. A test can be conducted by calling hdrparser with the
produced boot image and the following (mandatory) parameters:

./hdrparser -k 0 -t u-boot-spl.kwb

Here we assume that the CSK index is 0 and the boot image file resides in the
same directory (adapt accordingly if needed). The tool should report that all
checksums are valid ("GOOD"), that all signature verifications succeed
("PASSED"), and, finally, that the overall test was successful
("T E S T   S U C C E E D E D" in the last line of output).

### Burn eFuse structure

+----------------------------------------------------------+
| WARNING: Burning the eFuse structure is a irreversible   |
| operation! Should wrong or corrupted values be used, the |
| board won't boot anymore, and recovery is likely         |
| impossible!                                              |
+----------------------------------------------------------+

After the build process has finished, and the SEC_FUSE_DUMP option was set in
the kwbimage.cfg was set, a text file kwb_fuses_a38x.txt should be present in
the U-Boot top-level directory. It contains all the necessary commands to set
the eFuse structure to the values needed for the used KAK digest, as well as
the CSK index, Flash ID and Box ID that were selected in kwbimage.cfg.

Sequentially executing the commands in this file at the U-Boot command prompt
will write these values to the eFuse structure.

If the SEC_FUSE_DUMP option was not set, the commands needed to burn the fuses
have to be crafted by hand. The needed fuse lines can be looked up in [1]; a
rough overview of the process is:

* Burn the KAK public key hash. The hash itself can be found in the file
  pub_kak_hash.txt in the U-Boot top-level directory; be careful to account for
  the endianness!
* Burn the CSK selection, BoxID, and FlashID
* Enable trusted boot by burning the corresponding fuse (WARNING: this must be
  the last fuse line written!)
* Lock the unused fuse lines

The command to employ is the "fuse prog" command previously enabled by setting
the corresponding configuration option.

For the trusted boot, the fuse prog command has a special syntax, since the
ARMADA SoC demands that whole fuse lines (64 bit values) have to be written as
a whole. The fuse prog command itself allows lists of 32 bit words to be
written at a time, but this is translated to a series of single 32 bit write
operations to the fuse line, where the individual 32 bit words are identified
by a "word" counter that is increased for each write.

To work around this restriction, we interpret each line to have three "words"
(0-2): The first and second words are the values to be written to the fuse
line, and the third is a lock flag, which is supposed to lock the fuse line
when set to 1. Writes to the first and second words are memoized between
function calls, and the fuse line is only really written and locked (on writing
the third word) if both words were previously set, so that "incomplete" writes
are prevented. An exception to this is a single write to the third word (index
2) without previously writing neither the first nor the second word, which
locks the fuse line without setting any value; this is needed to lock the
unused fuse lines.

As an example, to write the value 0011223344556677 to fuse line 10, we would
use the following command:

fuse prog -y 10 0 00112233 44556677 1

Here 10 is the fuse line number, 0 is the index of the first word to be
written, 00112233 and 44556677 are the values to be written to the fuse line
(first and second word) and the trailing 1 is the value for the third word
responsible for locking the line.

A "lock-only" command would look like this:

fuse prog -y 11 2 1

Here 11 is the fuse number, 2 is the index of the first word to be written
(notice that we only write to word 2 here; the third word for fuse line
locking), and the 1 is the value for the word we are writing to.

WARNING: According to application note [4], the VHV pin of the SoC must be
connected to a 1.8V source during eFuse programming, but *must* be disconnected
for normal operation. The AN [4] describes a software-controlled circuit (based
on a N-channel or P-channel FET and a free GPIO pin of the SoC) to achieve
this, but a jumper-based circuit should suffice as well. Regardless of the
chosen circuit, the issue needs to be addressed accordingly!

7. Work to be done
------------------

* Add the ability to populate more than one CSK
* Test secure debug
* Test on Armada XP

8. Bibliography
---------------

[1] ARMADA(R) 38x Family High-Performance Single/Dual CPU System on Chip
    Functional Specification; MV-S109094-00, Rev. C; August 2, 2015,
    Preliminary
[2] AN-383: ARMADA(R) 38x Families Secure Boot Mode Support; MV-S302501-00
    Rev.  A; March 11, 2015, Preliminary
[3] Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography
    Specifications Version 2.1; February 2003;
    https://www.ietf.org/rfc/rfc3447.txt
[4] AN-389: ARMADA(R) VHV Power; MV-S302545-00 Rev. B; January 28, 2016,
    Released
[5] Marvell Armada 38x U-Boot support; November 25, 2015;
    https://github.com/MarvellEmbeddedProcessors/u-boot-marvell

2017-01-05, Mario Six <mario.six@gdsys.cc>
Commit	Line	Data
a1b6b0a9 MS	1	The trusted boot framework on Marvell Armada 38x
	2	================================================
	3
	4	Contents:
	5
	6	1. Overview of the trusted boot
	7	2. Terminology
	8	3. Boot image layout
	9	4. The secured header
	10	5. The secured boot flow
	11	6. Usage example
	12	7. Work to be done
	13	8. Bibliography
	14
	15	1. Overview of the trusted boot
	16	-------------------------------
	17
	18	The Armada's trusted boot framework enables the SoC to cryptographically verify
	19	a specially prepared boot image. This can be used to establish a chain of trust
	20	from the boot firmware all the way to the OS.
	21
	22	To achieve this, the Armada SoC requires a specially prepared boot image, which
	23	contains the relevant cryptographic data, as well as other information
	24	pertaining to the boot process. Furthermore, a eFuse structure (a
	25	one-time-writeable memory) need to be configured in the correct way.
	26
	27	Roughly, the secure boot process works as follows:
	28
	29	* Load the header block of the boot image, extract a special "root" public RSA
	30	key from it, and verify its SHA-256 hash against a SHA-256 stored in a eFuse
	31	field.
	32	* Load an array of code signing public RSA keys from the header block, and
	33	verify its RSA signature (contained in the header block as well) using the
	34	"root" RSA key.
	35	* Choose a code signing key, and use it to verify the header block (excluding
	36	the key array).
	37	* Verify the binary image's signature (contained in the header block) using the
	38	code signing key.
	39	* If all checks pass successfully, boot the image.
	40
	41	The chain of trust is thus as follows:
	42
	43	* The SHA-256 value in the eFuse field verifies the "root" public key.
	44	* The "root" public key verifies the code signing key array.
	45	* The selected code signing key verifies the header block and the binary image.
	46
	47	In the special case of building a boot image containing U-Boot as the binary
	48	image, which employs this trusted boot framework, the following tasks need to
	49	be addressed:
	50
	51	1. Creation of the needed cryptographic key material.
	52	2. Creation of a conforming boot image containing the U-Boot image as binary
	53	image.
	54	3. Burning the necessary eFuse values.
	55
	56	(1) will be addressed later, (2) will be taken care of by U-Boot's build
	57	system (some user configuration is required, though), and for (3) the necessary
	58	data (essentially a series of U-Boot commands to be entered at the U-Boot
	59	command prompt) will be created by the build system as well.
	60
	61	The documentation of the trusted boot mode is contained in part 1, chapter
	62	7.2.5 in the functional specification [1], and in application note [2].
	63
	64	2. Terminology
65	--------------
66
67	CSK - Code Signing Key(s): An array of RSA key pairs, which
68	are used to sign and verify the secured header and the
69	boot loader image.
70	KAK - Key Authentication Key: A RSA key pair, which is used
71	to sign and verify the array of CSKs.
72	Header block - The first part of the boot image, which contains the
73	image's headers (also known as "headers block", "boot
74	header", and "image header")
75	eFuse - A one-time-writeable memory.
76	BootROM - The Armada's built-in boot firmware, which is
77	responsible for verifying and starting secure images.
78	Boot image - The complete image the SoC's boot firmware loads
79	(contains the header block and the binary image)
80	Main header - The header in the header block containing information
81	and data pertaining to the boot process (used for both
82	the regular and secured boot processes)
83	Binary image - The binary code payload of the boot image; in this
84	case the U-Boot's code (also known as "source image",
85	or just "image")
86	Secured header - The specialized header in the header block that
87	contains information and data pertaining to the
88	trusted boot (also known as "security header")
89	Secured boot mode - A special boot mode of the Armada SoC in which secured
90	images are verified (non-secure images won't boot);
91	the mode is activated by setting a eFuse field.
92	Trusted debug mode - A special mode for the trusted boot that allows
93	debugging of devices employing the trusted boot
94	framework in a secure manner (untested in the current
95	implementation).
96	Trusted boot framework - The ARMADA SoC's implementation of a secure verified
97	boot process.
98
99	3. Boot image layout
100	--------------------
101
102	+-- Boot image --------------------------------------------+
103	\| \|
104	\| +-- Header block --------------------------------------+ \|
105	\| \| Main header \| \|
106	\| +------------------------------------------------------+ \|
107	\| \| Secured header \| \|
108	\| +------------------------------------------------------+ \|
109	\| \| BIN header(s) \| \|
110	\| +------------------------------------------------------+ \|
111	\| \| REG header(s) \| \|
112	\| +------------------------------------------------------+ \|
113	\| \| Padding \| \|
114	\| +------------------------------------------------------+ \|
115	\| \|
116	\| +------------------------------------------------------+ \|
117	\| \| Binary image + checksum \| \|
118	\| +------------------------------------------------------+ \|
119	+----------------------------------------------------------+
120
121	4. The secured header
122	---------------------
123
124	For the trusted boot framework, a additional header is added to the boot image.
125	The following data are relevant for the secure boot:
126
127	KAK: The KAK is contained in the secured header in the form
128	of a RSA-2048 public key in DER format with a length of
129	524 bytes.
130	Header block signature: The RSA signature of the header block (excluding the
131	CSK array), created using the selected CSK.
132	Binary image signature: The RSA signature of the binary image, created using
133	the selected CSK.
134	CSK array: The array of the 16 CSKs as RSA-2048 public keys in DER
135	format with a length of 8384 = 16 * 524 bytes.
136	CSK block signature: The RSA signature of the CSK array, created using the
137	KAK.
138
139	NOTE: The JTAG delay, Box ID, and Flash ID header fields do play a role in the
140	trusted boot process to enable and configure secure debugging, but they were
141	not tested in the current implementation of the trusted boot in U-Boot.
142
143	5. The secured boot flow
144	------------------------
145
146	The steps in the boot flow that are relevant for the trusted boot framework
147	proceed as follows:
148
149	1) Check if trusted boot is enabled, and perform regular boot if it is not.
150	2) Load the secured header, and verify its checksum.
151	3) Select the lowest valid CSK from CSK0 to CSK15.
152	4) Verify the SHA-256 hash of the KAK embedded in the secured header.
153	5) Verify the RSA signature of the CSK block from the secured header with the
154	KAK.
155	6) Verify the header block signature (which excludes the CSK block) from the
156	secured header with the selected CSK.
157	7) Load the binary image to the main memory and verify its checksum.
158	8) Verify the binary image's RSA signature from the secured header with the
159	selected CSK.
160	9) Continue the boot process as in the case of the regular boot.
161
162	NOTE: All RSA signatures are verified according to the PKCS #1 v2.1 standard
163	described in [3].
164
165	NOTE: The Box ID and Flash ID are checked after step 6, and the trusted debug
166	mode may be entered there, but since this mode is untested in the current
167	implementation, it is not described further.
168
169	6. Usage example
170	----------------
171
172	### Create key material
173
174	To employ the trusted boot framework, cryptographic key material needs to be
175	created. In the current implementation, two keys are needed to build a valid
176	secured boot image: The KAK private key and a CSK private key (both have to be
177	2048 bit RSA keys in PEM format). Note that the usage of more than one CSK is
178	currently not supported.
179
180	NOTE: Since the public key can be generated from the private key, it is
181	sufficient to store the private key for each key pair.
182
183	OpenSSL can be used to generate the needed files kwb_kak.key and kwb_csk.key
184	(the names of these files have to be configured, see the next section on
185	kwbimage.cfg settings):
186
187	openssl genrsa -out kwb_kak.key 2048
188	openssl genrsa -out kwb_csk.key 2048
189
190	The generated files have to be placed in the U-Boot root directory.
191
192	Alternatively, instead of copying the files, symlinks to the private keys can
193	be placed in the U-Boot root directory.
194
195	WARNING: Knowledge of the KAK or CSK private key would enable an attacker to
196	generate secured boot images containing arbitrary code. Hence, the private keys
197	should be carefully guarded.
198
199	### Create/Modifiy kwbimage.cfg
200
201	The Kirkwook architecture in U-Boot employs a special board-specific
202	configuration file (kwbimage.cfg), which controls various boot image settings
203	that are interpreted by the BootROM, such as the boot medium. The support the
204	trusted boot framework, several new options were added to faciliate
205	configuration of the secured boot.
206
207	The configuration file's layout has been retained, only the following new
208	options were added:
209
210	KAK - The name of the KAK RSA private key file in the U-Boot
211	root directory, without the trailing extension of ".key".
212	CSK - The name of the (active) CSK RSA private key file in the
213	U-Boot root directory, without the trailing extension of
214	".key".
215	BOX_ID - The BoxID to be used for trusted debugging (a integer
216	value).
217	FLASH_ID - The FlashID to be used for trusted debugging (a integer
218	value).
219	JTAG_DELAY - The JTAG delay to be used for trusted debugging (a
220	integer value).
221	CSK_INDEX - The index of the active CSK (a integer value).
222	SEC_SPECIALIZED_IMG - Flag to indicate whether to include the BoxID and FlashID
223	in the image (that is, whether to use the trusted debug
224	mode or not); no parameters.
225	SEC_BOOT_DEV - The boot device from which the trusted boot is allowed to
226	proceed, identified via a numeric ID. The tested values
227	are 0x34 = NOR flash, 0x31 = SDIO/MMC card; for
228	additional ID values, consult the documentation in [1].
229	SEC_FUSE_DUMP - Dump the "fuse prog" commands necessary for writing the
230	correct eFuse values to a text file in the U-Boot root
231	directory. The parameter is the architecture for which to
232	dump the commands (currently only "a38x" is supported).
233
234	The parameter values may be hardcoded into the file, but it is also possible to
235	employ a dynamic approach of creating a Autoconf-like kwbimage.cfg.in, then
236	reading configuration values from Kconfig options or from the board config
237	file, and generating the actual kwbimage.cfg from this template using Makefile
238	mechanisms (see board/gdsys/a38x/Makefile as an example for this approach).
239
240	### Set config options
241
242	To enable the generation of trusted boot images, the corresponding support
243	needs to be activated, and a index for the active CSK needs to be selected as
244	well.
245
246	Furthermore, eFuse writing support has to be activated in order to burn the
247	eFuse structure's values (this option is just needed for programming the eFuse
248	structure; production boot images may disable it).
249
250	ARM architecture
251	-> [*] Build image for trusted boot
252	(0) Index of active CSK
253	-> [*] Enable eFuse support
254	[ ] Fake eFuse access (dry run)
255
256	### Build and test boot image
257
258	The creation of the boot image is done via the usual invocation of make (with a
259	suitably set CROSS_COMPILE environment variable, of course). The resulting boot
260	image u-boot-spl.kwb can then be tested, if so desired. The hdrparser from [5]
261	can be used for this purpose. To build the tool, invoke make in the
262	'tools/marvell/doimage_mv' directory of [5], which builds a stand-alone
263	hdrparser executable. A test can be conducted by calling hdrparser with the
264	produced boot image and the following (mandatory) parameters:
265
266	./hdrparser -k 0 -t u-boot-spl.kwb
267
268	Here we assume that the CSK index is 0 and the boot image file resides in the
269	same directory (adapt accordingly if needed). The tool should report that all
270	checksums are valid ("GOOD"), that all signature verifications succeed
271	("PASSED"), and, finally, that the overall test was successful
272	("T E S T S U C C E E D E D" in the last line of output).
273
274	### Burn eFuse structure
275
276	+----------------------------------------------------------+
277	\| WARNING: Burning the eFuse structure is a irreversible \|
278	\| operation! Should wrong or corrupted values be used, the \|
279	\| board won't boot anymore, and recovery is likely \|
280	\| impossible! \|
281	+----------------------------------------------------------+
282
283	After the build process has finished, and the SEC_FUSE_DUMP option was set in
284	the kwbimage.cfg was set, a text file kwb_fuses_a38x.txt should be present in
285	the U-Boot top-level directory. It contains all the necessary commands to set
286	the eFuse structure to the values needed for the used KAK digest, as well as
287	the CSK index, Flash ID and Box ID that were selected in kwbimage.cfg.
288
289	Sequentially executing the commands in this file at the U-Boot command prompt
290	will write these values to the eFuse structure.
291
292	If the SEC_FUSE_DUMP option was not set, the commands needed to burn the fuses
293	have to be crafted by hand. The needed fuse lines can be looked up in [1]; a
294	rough overview of the process is:
295
296	* Burn the KAK public key hash. The hash itself can be found in the file
297	pub_kak_hash.txt in the U-Boot top-level directory; be careful to account for
298	the endianness!
299	* Burn the CSK selection, BoxID, and FlashID
300	* Enable trusted boot by burning the corresponding fuse (WARNING: this must be
301	the last fuse line written!)
302	* Lock the unused fuse lines
303
304	The command to employ is the "fuse prog" command previously enabled by setting
305	the corresponding configuration option.
306
307	For the trusted boot, the fuse prog command has a special syntax, since the
308	ARMADA SoC demands that whole fuse lines (64 bit values) have to be written as
309	a whole. The fuse prog command itself allows lists of 32 bit words to be
310	written at a time, but this is translated to a series of single 32 bit write
311	operations to the fuse line, where the individual 32 bit words are identified
312	by a "word" counter that is increased for each write.
313
314	To work around this restriction, we interpret each line to have three "words"
315	(0-2): The first and second words are the values to be written to the fuse
316	line, and the third is a lock flag, which is supposed to lock the fuse line
317	when set to 1. Writes to the first and second words are memoized between
318	function calls, and the fuse line is only really written and locked (on writing
319	the third word) if both words were previously set, so that "incomplete" writes
320	are prevented. An exception to this is a single write to the third word (index
321	2) without previously writing neither the first nor the second word, which
322	locks the fuse line without setting any value; this is needed to lock the
323	unused fuse lines.
324
325	As an example, to write the value 0011223344556677 to fuse line 10, we would
326	use the following command:
327
328	fuse prog -y 10 0 00112233 44556677 1
329
330	Here 10 is the fuse line number, 0 is the index of the first word to be
331	written, 00112233 and 44556677 are the values to be written to the fuse line
332	(first and second word) and the trailing 1 is the value for the third word
333	responsible for locking the line.
334
335	A "lock-only" command would look like this:
336
337	fuse prog -y 11 2 1
338
339	Here 11 is the fuse number, 2 is the index of the first word to be written
340	(notice that we only write to word 2 here; the third word for fuse line
341	locking), and the 1 is the value for the word we are writing to.
342
343	WARNING: According to application note [4], the VHV pin of the SoC must be
344	connected to a 1.8V source during eFuse programming, but must be disconnected
345	for normal operation. The AN [4] describes a software-controlled circuit (based
346	on a N-channel or P-channel FET and a free GPIO pin of the SoC) to achieve
347	this, but a jumper-based circuit should suffice as well. Regardless of the
348	chosen circuit, the issue needs to be addressed accordingly!
349
350	7. Work to be done
351	------------------
352
353	* Add the ability to populate more than one CSK
354	* Test secure debug
355	* Test on Armada XP
356
357	8. Bibliography
358	---------------
359
360	[1] ARMADA(R) 38x Family High-Performance Single/Dual CPU System on Chip
361	Functional Specification; MV-S109094-00, Rev. C; August 2, 2015,
362	Preliminary
363	[2] AN-383: ARMADA(R) 38x Families Secure Boot Mode Support; MV-S302501-00
364	Rev. A; March 11, 2015, Preliminary
365	[3] Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography
366	Specifications Version 2.1; February 2003;
367	https://www.ietf.org/rfc/rfc3447.txt
368	[4] AN-389: ARMADA(R) VHV Power; MV-S302545-00 Rev. B; January 28, 2016,
369	Released
370	[5] Marvell Armada 38x U-Boot support; November 25, 2015;
371	https://github.com/MarvellEmbeddedProcessors/u-boot-marvell
372
373	2017-01-05, Mario Six <mario.six@gdsys.cc>