From patchwork Mon Apr 11 23:37:03 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Allred, Daniel" <d-allred@ti.com>
X-Patchwork-Id: 65575
Delivered-To: patch@linaro.org
Received: by 10.140.93.198 with SMTP id d64csp1651194qge;
 Mon, 11 Apr 2016 18:18:06 -0700 (PDT)
X-Received: by 10.195.12.68 with SMTP id eo4mr407274wjd.116.1460423886069;
 Mon, 11 Apr 2016 18:18:06 -0700 (PDT)
Return-Path: <u-boot-bounces@lists.denx.de>
Received: from theia.denx.de (theia.denx.de. [85.214.87.163])
 by mx.google.com with ESMTP id
 v207si21188175wmv.63.2016.04.11.18.18.05; 
 Mon, 11 Apr 2016 18:18:06 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of
 u-boot-bounces@lists.denx.de designates 85.214.87.163 as
 permitted sender) client-ip=85.214.87.163; 
Authentication-Results: mx.google.com;
 spf=pass (google.com: best guess record for domain of
 u-boot-bounces@lists.denx.de designates 85.214.87.163 as
 permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de
Received: from localhost (localhost [127.0.0.1])
 by theia.denx.de (Postfix) with ESMTP id 9E57AA752C;
 Tue, 12 Apr 2016 03:18:01 +0200 (CEST)
Received: from theia.denx.de ([127.0.0.1])
 by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id s5d427P_0lAL; Tue, 12 Apr 2016 03:18:01 +0200 (CEST)
Received: from theia.denx.de (localhost [127.0.0.1])
 by theia.denx.de (Postfix) with ESMTP id 4A0BAA75C8;
 Tue, 12 Apr 2016 03:17:55 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
 by theia.denx.de (Postfix) with ESMTP id 15959A748A
 for <u-boot@lists.denx.de>; Tue, 12 Apr 2016 01:37:33 +0200 (CEST)
Received: from theia.denx.de ([127.0.0.1])
 by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id P-Q8R68uxxHS for <u-boot@lists.denx.de>;
 Tue, 12 Apr 2016 01:37:33 +0200 (CEST)
X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5
 NOT_IN_BL_NJABL=-1.5 (only DNSBL check requested)
Received: from bear.ext.ti.com (bear.ext.ti.com [192.94.94.41])
 by theia.denx.de (Postfix) with ESMTPS id 9B30DA74E3
 for <u-boot@lists.denx.de>; Tue, 12 Apr 2016 01:37:29 +0200 (CEST)
Received: from dlelxv90.itg.ti.com ([172.17.2.17])
 by bear.ext.ti.com (8.13.7/8.13.7) with ESMTP id u3BNbRtK016811;
 Mon, 11 Apr 2016 18:37:27 -0500
Received: from DLEE70.ent.ti.com (dlee70.ent.ti.com [157.170.170.113])
 by dlelxv90.itg.ti.com (8.14.3/8.13.8) with ESMTP id u3BNbR48022893; 
 Mon, 11 Apr 2016 18:37:27 -0500
Received: from dlep32.itg.ti.com (157.170.170.100) by DLEE70.ent.ti.com
 (157.170.170.113) with Microsoft SMTP Server id 14.3.224.2;
 Mon, 11 Apr 2016 18:37:27 -0500
Received: from legion.dal.design.ti.com (legion.dal.design.ti.com
 [128.247.22.53])	by dlep32.itg.ti.com (8.14.3/8.13.8) with ESMTP id
 u3BNbR8V031525;	Mon, 11 Apr 2016 18:37:27 -0500
Received: from localhost (houapbldadm.hou.asp.ti.com [10.219.18.42])	by
 legion.dal.design.ti.com (8.11.7p1+Sun/8.11.7) with ESMTP id
 u3BNbQ900413; Mon, 11 Apr 2016 18:37:26 -0500 (CDT)
From: Daniel Allred <d-allred@ti.com>
To: <u-boot@lists.denx.de>
Date: Mon, 11 Apr 2016 18:37:03 -0500
Message-ID: <1460417838-22343-2-git-send-email-d-allred@ti.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1460417838-22343-1-git-send-email-d-allred@ti.com>
References: <1460417838-22343-1-git-send-email-d-allred@ti.com>
MIME-Version: 1.0
X-Mailman-Approved-At: Tue, 12 Apr 2016 03:17:50 +0200
Cc: Tom Rini <trini@konsulko.com>, Madan Srinivas <madans@ti.com>,
 Daniel Allred <d-allred@ti.com>
Subject: [U-Boot] [PATCH 01/16] doc: Add info on using secure devices from TI
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <http://lists.denx.de/mailman/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <http://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <http://lists.denx.de/mailman/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Adds doc/README.ti-secure file to explain in generic terms
how boot images need to be created for secure devices from
Texas Instruments.

Specific details for creating secure boot images for the
AM43xx, DRA7xx and AM57xx secure devices from Texas
Instruments are also provided in the README file.

Secure devices require a security development package (SECDEV)
package that can be downloaded from:

	http://www.ti.com/mysecuresoftware

Login is required and access is granted under appropriate NDA
and export control restrictions.

Signed-off-by: Madan Srinivas <madans@ti.com>
Signed-off-by: Daniel Allred <d-allred@ti.com>
---
 doc/README.ti-secure | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 doc/README.ti-secure

-- 
1.9.1

_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
Reviewed-by: Andreas Dannenberg <dannenberg@ti.com>

diff --git a/doc/README.ti-secure b/doc/README.ti-secure
new file mode 100644
index 0000000..fa818ae
--- /dev/null
+++ b/doc/README.ti-secure
@@ -0,0 +1,92 @@
+README on how boot images are created for secure TI devices
+
+CONFIG_TI_SECURE_DEVICE:
+Secure TI devices require a boot image that is authenticated by ROM
+code to function. Without this, even JTAG remains locked and the
+device is essentially useless. In order to create a valid boot image for
+a secure device from TI, the initial public software image must be signed
+and combined with various headers, certificates, and other binary images.
+
+Information on the details on the complete boot image format can be obtained
+from Texas Instruments. The tools used to generate boot images for secure
+devices are part of a secure development package (SECDEV) that can be
+downloaded from:
+
+	http://www.ti.com/mysecuresoftware (login required)
+
+The secure development package is access controlled due to NDA and export
+control restrictions. Access must be requested and granted by TI before the
+package is viewable and downloadable. Contact TI, either online or by way
+of a local TI representative, to request access.
+
+When CONFIG_TI_SECURE_DEVICE is set, the U-Boot SPL build process requires
+the presence and use of these tools in order to create a viable boot image.
+The build process will look for the environment variable TI_SECURE_DEV_PKG,
+which should be the path of the installed SECDEV package. If the
+TI_SECURE_DEV_PKG variable is not defined or if it is defined but doesn't
+point to a valid SECDEV package, a warning is issued during the build to
+indicate that a final secure bootable image was not created.
+
+Within the SECDEV package exists an image creation script:
+
+${TI_SECURE_DEV_PKG}/scripts/create-boot-image.sh
+
+This is called as part of the SPL/u-boot build process. As the secure boot
+image formats and requirements differ between secure SOC from TI, the
+purpose of this script is to abstract these details as much as possible.
+
+The script is basically the only required interface to the TI SECDEV package
+for secure TI devices.
+
+Invoking the script for AM43xx Secure Devices
+=============================================
+
+create-boot-image.sh <IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR>
+
+<IMAGE_FLAG> is a value that specifies the type of the image to generate OR
+the action the image generation tool will take. Valid values are:
+	SPI_X-LOADER - Generates an image for SPI flash (byte swapped)
+	XIP_X-LOADER - Generates a single stage u-boot for NOR/QSPI XiP
+	ISSW - Generates an image for all other boot modes
+
+<INPUT_FILE> is the full path and filename of the public world boot loader
+binary file (depending on the boot media, this is usually either
+u-boot-spl.bin or u-boot.bin).
+
+<OUTPUT_FILE> is the full path and filename of the final secure image. The
+output binary images should be used in place of the standard non-secure
+binary images (see the platform-specific user's guides and releases notes
+for how the non-secure images are typically used)
+	u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash
+	u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI flash
+	u-boot-spl_HS_ISSW - boot image for all other boot media
+
+<SPL_LOAD_ADDR> is the address at which SOC ROM should load the <INPUT_FILE>
+
+Invoking the script for DRA7xx/AM57xx Secure Devices
+====================================================
+
+create-boot-image.sh <IMAGE_TYPE> <INPUT_FILE> <OUTPUT_FILE>
+
+<IMAGE_TYPE> is a value that specifies the type of the image to generate OR
+the action the image generation tool will take. Valid values are:
+	X-LOADER - Generates an image for NOR or QSPI boot modes
+	MLO - Generates an image for SD/MMC/eMMC boot modes
+	ULO - Generates an image for USB/UART peripheral boot modes
+	Note: ULO is not yet used by the u-boot build process
+
+<INPUT_FILE> is the full path and filename of the public world boot loader
+binary file (for this platform, this is always u-boot-spl.bin).
+
+
+<OUTPUT_FILE> is the full path and filename of the final secure image. The
+output binary images should be used in place of the standard non-secure
+binary images (see the platform-specific user's guides and releases notes
+for how the non-secure images are typically used)
+	u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC.This image is
+		copied to a file named MLO, which is the name that
+		the device ROM bootloader requires for loading from
+		the FAT partition of an SD card (same as on
+		non-secure devices)
+	u-boot-spl_HS_X-LOADER - boot image for all other flash memories
+		including QSPI and NOR flash