diff options
Diffstat (limited to 'doc/README.ti-secure')
| -rw-r--r-- | doc/README.ti-secure | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/doc/README.ti-secure b/doc/README.ti-secure new file mode 100644 index 0000000000..7fc9b9bc30 --- /dev/null +++ b/doc/README.ti-secure @@ -0,0 +1,91 @@ +README on how boot images are created for secure TI devices + +CONFIG_TI_SECURE_DEVICE: +Secure TI devices require a boot image that is authenticated by ROM +code to function. Without this, even JTAG remains locked and the +device is essentially useless. In order to create a valid boot image for +a secure device from TI, the initial public software image must be signed +and combined with various headers, certificates, and other binary images. + +Information on the details on the complete boot image format can be obtained +from Texas Instruments. The tools used to generate boot images for secure +devices are part of a secure development package (SECDEV) that can be +downloaded from: + + http://www.ti.com/mysecuresoftware (login required) + +The secure development package is access controlled due to NDA and export +control restrictions. Access must be requested and granted by TI before the +package is viewable and downloadable. Contact TI, either online or by way +of a local TI representative, to request access. + +When CONFIG_TI_SECURE_DEVICE is set, the U-Boot SPL build process requires +the presence and use of these tools in order to create a viable boot image. +The build process will look for the environment variable TI_SECURE_DEV_PKG, +which should be the path of the installed SECDEV package. If the +TI_SECURE_DEV_PKG variable is not defined or if it is defined but doesn't +point to a valid SECDEV package, a warning is issued during the build to +indicate that a final secure bootable image was not created. + +Within the SECDEV package exists an image creation script: + +${TI_SECURE_DEV_PKG}/scripts/create-boot-image.sh + +This is called as part of the SPL/u-boot build process. As the secure boot +image formats and requirements differ between secure SOC from TI, the +purpose of this script is to abstract these details as much as possible. + +The script is basically the only required interface to the TI SECDEV package +for secure TI devices. + +Invoking the script for AM43xx Secure Devices +============================================= + +create-boot-image.sh <IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR> + +<IMAGE_FLAG> is a value that specifies the type of the image to generate OR +the action the image generation tool will take. Valid values are: + SPI_X-LOADER - Generates an image for SPI flash (byte swapped) + XIP_X-LOADER - Generates a single stage u-boot for NOR/QSPI XiP + ISSW - Generates an image for all other boot modes + +<INPUT_FILE> is the full path and filename of the public world boot loader +binary file (depending on the boot media, this is usually either +u-boot-spl.bin or u-boot.bin). + +<OUTPUT_FILE> is the full path and filename of the final secure image. The +output binary images should be used in place of the standard non-secure +binary images (see the platform-specific user's guides and releases notes +for how the non-secure images are typically used) + u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash + u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI flash + u-boot-spl_HS_ISSW - boot image for all other boot media + +<SPL_LOAD_ADDR> is the address at which SOC ROM should load the <INPUT_FILE> + +Invoking the script for DRA7xx/AM57xx Secure Devices +==================================================== + +create-boot-image.sh <IMAGE_TYPE> <INPUT_FILE> <OUTPUT_FILE> + +<IMAGE_TYPE> is a value that specifies the type of the image to generate OR +the action the image generation tool will take. Valid values are: + X-LOADER - Generates an image for NOR or QSPI boot modes + MLO - Generates an image for SD/MMC/eMMC boot modes + ULO - Generates an image for USB/UART peripheral boot modes + Note: ULO is not yet used by the u-boot build process + +<INPUT_FILE> is the full path and filename of the public world boot loader +binary file (for this platform, this is always u-boot-spl.bin). + +<OUTPUT_FILE> is the full path and filename of the final secure image. The +output binary images should be used in place of the standard non-secure +binary images (see the platform-specific user's guides and releases notes +for how the non-secure images are typically used) + u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC. This image is + copied to a file named MLO, which is the name that + the device ROM bootloader requires for loading from + the FAT partition of an SD card (same as on + non-secure devices) + u-boot-spl_HS_X-LOADER - boot image for all other flash memories + including QSPI and NOR flash |