]>
Commit | Line | Data |
---|---|---|
98350f7f DA |
1 | README on how boot images are created for secure TI devices |
2 | ||
3 | CONFIG_TI_SECURE_DEVICE: | |
4 | Secure TI devices require a boot image that is authenticated by ROM | |
5 | code to function. Without this, even JTAG remains locked and the | |
6 | device is essentially useless. In order to create a valid boot image for | |
7 | a secure device from TI, the initial public software image must be signed | |
8 | and combined with various headers, certificates, and other binary images. | |
9 | ||
10 | Information on the details on the complete boot image format can be obtained | |
11 | from Texas Instruments. The tools used to generate boot images for secure | |
12 | devices are part of a secure development package (SECDEV) that can be | |
13 | downloaded from: | |
14 | ||
15 | http://www.ti.com/mysecuresoftware (login required) | |
16 | ||
17 | The secure development package is access controlled due to NDA and export | |
18 | control restrictions. Access must be requested and granted by TI before the | |
19 | package is viewable and downloadable. Contact TI, either online or by way | |
20 | of a local TI representative, to request access. | |
21 | ||
22 | When CONFIG_TI_SECURE_DEVICE is set, the U-Boot SPL build process requires | |
23 | the presence and use of these tools in order to create a viable boot image. | |
24 | The build process will look for the environment variable TI_SECURE_DEV_PKG, | |
25 | which should be the path of the installed SECDEV package. If the | |
26 | TI_SECURE_DEV_PKG variable is not defined or if it is defined but doesn't | |
27 | point to a valid SECDEV package, a warning is issued during the build to | |
28 | indicate that a final secure bootable image was not created. | |
29 | ||
30 | Within the SECDEV package exists an image creation script: | |
31 | ||
32 | ${TI_SECURE_DEV_PKG}/scripts/create-boot-image.sh | |
33 | ||
34 | This is called as part of the SPL/u-boot build process. As the secure boot | |
35 | image formats and requirements differ between secure SOC from TI, the | |
36 | purpose of this script is to abstract these details as much as possible. | |
37 | ||
38 | The script is basically the only required interface to the TI SECDEV package | |
39 | for secure TI devices. | |
40 | ||
41 | Invoking the script for AM43xx Secure Devices | |
42 | ============================================= | |
43 | ||
44 | create-boot-image.sh <IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR> | |
45 | ||
46 | <IMAGE_FLAG> is a value that specifies the type of the image to generate OR | |
47 | the action the image generation tool will take. Valid values are: | |
48 | SPI_X-LOADER - Generates an image for SPI flash (byte swapped) | |
49 | XIP_X-LOADER - Generates a single stage u-boot for NOR/QSPI XiP | |
50 | ISSW - Generates an image for all other boot modes | |
51 | ||
52 | <INPUT_FILE> is the full path and filename of the public world boot loader | |
53 | binary file (depending on the boot media, this is usually either | |
54 | u-boot-spl.bin or u-boot.bin). | |
55 | ||
56 | <OUTPUT_FILE> is the full path and filename of the final secure image. The | |
57 | output binary images should be used in place of the standard non-secure | |
58 | binary images (see the platform-specific user's guides and releases notes | |
59 | for how the non-secure images are typically used) | |
60 | u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash | |
61 | u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI flash | |
62 | u-boot-spl_HS_ISSW - boot image for all other boot media | |
63 | ||
64 | <SPL_LOAD_ADDR> is the address at which SOC ROM should load the <INPUT_FILE> | |
65 | ||
66 | Invoking the script for DRA7xx/AM57xx Secure Devices | |
67 | ==================================================== | |
68 | ||
69 | create-boot-image.sh <IMAGE_TYPE> <INPUT_FILE> <OUTPUT_FILE> | |
70 | ||
71 | <IMAGE_TYPE> is a value that specifies the type of the image to generate OR | |
72 | the action the image generation tool will take. Valid values are: | |
73 | X-LOADER - Generates an image for NOR or QSPI boot modes | |
74 | MLO - Generates an image for SD/MMC/eMMC boot modes | |
75 | ULO - Generates an image for USB/UART peripheral boot modes | |
76 | Note: ULO is not yet used by the u-boot build process | |
77 | ||
78 | <INPUT_FILE> is the full path and filename of the public world boot loader | |
79 | binary file (for this platform, this is always u-boot-spl.bin). | |
80 | ||
81 | <OUTPUT_FILE> is the full path and filename of the final secure image. The | |
82 | output binary images should be used in place of the standard non-secure | |
83 | binary images (see the platform-specific user's guides and releases notes | |
84 | for how the non-secure images are typically used) | |
85 | u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC. This image is | |
86 | copied to a file named MLO, which is the name that | |
87 | the device ROM bootloader requires for loading from | |
88 | the FAT partition of an SD card (same as on | |
89 | non-secure devices) | |
90 | u-boot-spl_HS_X-LOADER - boot image for all other flash memories | |
91 | including QSPI and NOR flash |