| Message ID | 1460417838-22343-2-git-send-email-d-allred@ti.com |
|---|---|
| State | Superseded |
| Headers | show |
On Mon, Apr 11, 2016 at 06:37:03PM -0500, Daniel Allred wrote: > Adds doc/README.ti-secure file to explain in generic terms > how boot images need to be created for secure devices from > Texas Instruments. > > Specific details for creating secure boot images for the > AM43xx, DRA7xx and AM57xx secure devices from Texas > Instruments are also provided in the README file. > > Secure devices require a security development package (SECDEV) > package that can be downloaded from: > > http://www.ti.com/mysecuresoftware > > Login is required and access is granted under appropriate NDA > and export control restrictions. > > Signed-off-by: Madan Srinivas <madans@ti.com> > Signed-off-by: Daniel Allred <d-allred@ti.com> > --- > doc/README.ti-secure | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 92 insertions(+) > create mode 100644 doc/README.ti-secure > > diff --git a/doc/README.ti-secure b/doc/README.ti-secure > new file mode 100644 > index 0000000..fa818ae > --- /dev/null > +++ b/doc/README.ti-secure > @@ -0,0 +1,92 @@ > +README on how boot images are created for secure TI devices > + > +CONFIG_TI_SECURE_DEVICE: > +Secure TI devices require a boot image that is authenticated by ROM > +code to function. Without this, even JTAG remains locked and the > +device is essentially useless. In order to create a valid boot image for > +a secure device from TI, the initial public software image must be signed > +and combined with various headers, certificates, and other binary images. > + > +Information on the details on the complete boot image format can be obtained > +from Texas Instruments. The tools used to generate boot images for secure > +devices are part of a secure development package (SECDEV) that can be > +downloaded from: > + > + http://www.ti.com/mysecuresoftware (login required) > + > +The secure development package is access controlled due to NDA and export > +control restrictions. Access must be requested and granted by TI before the > +package is viewable and downloadable. Contact TI, either online or by way > +of a local TI representative, to request access. > + > +When CONFIG_TI_SECURE_DEVICE is set, the U-Boot SPL build process requires > +the presence and use of these tools in order to create a viable boot image. > +The build process will look for the environment variable TI_SECURE_DEV_PKG, > +which should be the path of the installed SECDEV package. If the > +TI_SECURE_DEV_PKG variable is not defined or if it is defined but doesn't > +point to a valid SECDEV package, a warning is issued during the build to > +indicate that a final secure bootable image was not created. > + > +Within the SECDEV package exists an image creation script: > + > +${TI_SECURE_DEV_PKG}/scripts/create-boot-image.sh > + > +This is called as part of the SPL/u-boot build process. As the secure boot > +image formats and requirements differ between secure SOC from TI, the > +purpose of this script is to abstract these details as much as possible. > + > +The script is basically the only required interface to the TI SECDEV package > +for secure TI devices. > + > +Invoking the script for AM43xx Secure Devices > +============================================= > + > +create-boot-image.sh <IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR> > + > +<IMAGE_FLAG> is a value that specifies the type of the image to generate OR > +the action the image generation tool will take. Valid values are: > + SPI_X-LOADER - Generates an image for SPI flash (byte swapped) > + XIP_X-LOADER - Generates a single stage u-boot for NOR/QSPI XiP > + ISSW - Generates an image for all other boot modes > + > +<INPUT_FILE> is the full path and filename of the public world boot loader > +binary file (depending on the boot media, this is usually either > +u-boot-spl.bin or u-boot.bin). > + > +<OUTPUT_FILE> is the full path and filename of the final secure image. The > +output binary images should be used in place of the standard non-secure > +binary images (see the platform-specific user's guides and releases notes > +for how the non-secure images are typically used) > + u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash > + u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI flash > + u-boot-spl_HS_ISSW - boot image for all other boot media > + > +<SPL_LOAD_ADDR> is the address at which SOC ROM should load the <INPUT_FILE> > + > +Invoking the script for DRA7xx/AM57xx Secure Devices > +==================================================== > + > +create-boot-image.sh <IMAGE_TYPE> <INPUT_FILE> <OUTPUT_FILE> > + > +<IMAGE_TYPE> is a value that specifies the type of the image to generate OR > +the action the image generation tool will take. Valid values are: > + X-LOADER - Generates an image for NOR or QSPI boot modes > + MLO - Generates an image for SD/MMC/eMMC boot modes > + ULO - Generates an image for USB/UART peripheral boot modes > + Note: ULO is not yet used by the u-boot build process > + > +<INPUT_FILE> is the full path and filename of the public world boot loader > +binary file (for this platform, this is always u-boot-spl.bin). > + > + Minor nit-picks... Extra blank line. > +<OUTPUT_FILE> is the full path and filename of the final secure image. The > +output binary images should be used in place of the standard non-secure > +binary images (see the platform-specific user's guides and releases notes > +for how the non-secure images are typically used) > + u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC.This image is Missing space after punctuation mark. Reviewed-by: Andreas Dannenberg <dannenberg@ti.com> -- Andreas Dannenberg Texas Instruments Inc > + copied to a file named MLO, which is the name that > + the device ROM bootloader requires for loading from > + the FAT partition of an SD card (same as on > + non-secure devices) > + u-boot-spl_HS_X-LOADER - boot image for all other flash memories > + including QSPI and NOR flash > -- > 1.9.1 > > _______________________________________________ > U-Boot mailing list > U-Boot@lists.denx.de > http://lists.denx.de/mailman/listinfo/u-boot _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
diff --git a/doc/README.ti-secure b/doc/README.ti-secure new file mode 100644 index 0000000..fa818ae --- /dev/null +++ b/doc/README.ti-secure @@ -0,0 +1,92 @@ +README on how boot images are created for secure TI devices + +CONFIG_TI_SECURE_DEVICE: +Secure TI devices require a boot image that is authenticated by ROM +code to function. Without this, even JTAG remains locked and the +device is essentially useless. In order to create a valid boot image for +a secure device from TI, the initial public software image must be signed +and combined with various headers, certificates, and other binary images. + +Information on the details on the complete boot image format can be obtained +from Texas Instruments. The tools used to generate boot images for secure +devices are part of a secure development package (SECDEV) that can be +downloaded from: + + http://www.ti.com/mysecuresoftware (login required) + +The secure development package is access controlled due to NDA and export +control restrictions. Access must be requested and granted by TI before the +package is viewable and downloadable. Contact TI, either online or by way +of a local TI representative, to request access. + +When CONFIG_TI_SECURE_DEVICE is set, the U-Boot SPL build process requires +the presence and use of these tools in order to create a viable boot image. +The build process will look for the environment variable TI_SECURE_DEV_PKG, +which should be the path of the installed SECDEV package. If the +TI_SECURE_DEV_PKG variable is not defined or if it is defined but doesn't +point to a valid SECDEV package, a warning is issued during the build to +indicate that a final secure bootable image was not created. + +Within the SECDEV package exists an image creation script: + +${TI_SECURE_DEV_PKG}/scripts/create-boot-image.sh + +This is called as part of the SPL/u-boot build process. As the secure boot +image formats and requirements differ between secure SOC from TI, the +purpose of this script is to abstract these details as much as possible. + +The script is basically the only required interface to the TI SECDEV package +for secure TI devices. + +Invoking the script for AM43xx Secure Devices +============================================= + +create-boot-image.sh <IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR> + +<IMAGE_FLAG> is a value that specifies the type of the image to generate OR +the action the image generation tool will take. Valid values are: + SPI_X-LOADER - Generates an image for SPI flash (byte swapped) + XIP_X-LOADER - Generates a single stage u-boot for NOR/QSPI XiP + ISSW - Generates an image for all other boot modes + +<INPUT_FILE> is the full path and filename of the public world boot loader +binary file (depending on the boot media, this is usually either +u-boot-spl.bin or u-boot.bin). + +<OUTPUT_FILE> is the full path and filename of the final secure image. The +output binary images should be used in place of the standard non-secure +binary images (see the platform-specific user's guides and releases notes +for how the non-secure images are typically used) + u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash + u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI flash + u-boot-spl_HS_ISSW - boot image for all other boot media + +<SPL_LOAD_ADDR> is the address at which SOC ROM should load the <INPUT_FILE> + +Invoking the script for DRA7xx/AM57xx Secure Devices +==================================================== + +create-boot-image.sh <IMAGE_TYPE> <INPUT_FILE> <OUTPUT_FILE> + +<IMAGE_TYPE> is a value that specifies the type of the image to generate OR +the action the image generation tool will take. Valid values are: + X-LOADER - Generates an image for NOR or QSPI boot modes + MLO - Generates an image for SD/MMC/eMMC boot modes + ULO - Generates an image for USB/UART peripheral boot modes + Note: ULO is not yet used by the u-boot build process + +<INPUT_FILE> is the full path and filename of the public world boot loader +binary file (for this platform, this is always u-boot-spl.bin). + + +<OUTPUT_FILE> is the full path and filename of the final secure image. The +output binary images should be used in place of the standard non-secure +binary images (see the platform-specific user's guides and releases notes +for how the non-secure images are typically used) + u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC.This image is + copied to a file named MLO, which is the name that + the device ROM bootloader requires for loading from + the FAT partition of an SD card (same as on + non-secure devices) + u-boot-spl_HS_X-LOADER - boot image for all other flash memories + including QSPI and NOR flash