diff --git a/configs/AM62AX/AM62AX_linux_toc.txt b/configs/AM62AX/AM62AX_linux_toc.txt index 4d3f9ce8c..284ce3c48 100644 --- a/configs/AM62AX/AM62AX_linux_toc.txt +++ b/configs/AM62AX/AM62AX_linux_toc.txt @@ -98,6 +98,7 @@ linux/Foundational_Components/System_Security/Security_overview linux/Foundational_Components/System_Security/SELinux linux/Foundational_Components/System_Security/Auth_boot linux/Foundational_Components/System_Security/Memory_Firewalls +linux/Foundational_Components_Secure_Boot linux/Foundational_Components_Kernel_Users_Guide linux/Foundational_Components_Kernel_LTP-DDT_Validation diff --git a/configs/AM62PX/AM62PX_linux_toc.txt b/configs/AM62PX/AM62PX_linux_toc.txt index eff335a52..8e4124b10 100644 --- a/configs/AM62PX/AM62PX_linux_toc.txt +++ b/configs/AM62PX/AM62PX_linux_toc.txt @@ -103,6 +103,7 @@ linux/Foundational_Components/System_Security/Security_overview linux/Foundational_Components/System_Security/SELinux linux/Foundational_Components/System_Security/Auth_boot linux/Foundational_Components/System_Security/Memory_Firewalls +linux/Foundational_Components_Secure_Boot linux/Foundational_Components_Kernel_Users_Guide linux/Foundational_Components_Kernel_LTP-DDT_Validation diff --git a/configs/AM62X/AM62X_linux_toc.txt b/configs/AM62X/AM62X_linux_toc.txt index 96e533da1..73995e6df 100644 --- a/configs/AM62X/AM62X_linux_toc.txt +++ b/configs/AM62X/AM62X_linux_toc.txt @@ -100,6 +100,7 @@ linux/Foundational_Components/System_Security/Security_overview linux/Foundational_Components/System_Security/SELinux linux/Foundational_Components/System_Security/Auth_boot linux/Foundational_Components/System_Security/Memory_Firewalls +linux/Foundational_Components_Secure_Boot linux/Foundational_Components_PRU_Subsystem linux/Foundational_Components/PRU-ICSS-Linux-Drivers diff --git a/configs/AM67/AM67_linux_toc.txt b/configs/AM67/AM67_linux_toc.txt index dc4a64e7b..5ceaf4071 100644 --- a/configs/AM67/AM67_linux_toc.txt +++ b/configs/AM67/AM67_linux_toc.txt @@ -89,6 +89,7 @@ linux/Foundational_Components/Virtualization/Docker linux/Foundational_Components_OPTEE linux/Foundational_Components_ATF linux/Foundational_Components_Multimedia_wave5 +linux/Foundational_Components_Secure_Boot linux/Foundational_Components/Graphics/index linux/Foundational_Components/Graphics/Common/Display diff --git a/configs/AM67A/AM67A_linux_toc.txt b/configs/AM67A/AM67A_linux_toc.txt index 83ad81ca1..0fc4e74fa 100644 --- a/configs/AM67A/AM67A_linux_toc.txt +++ b/configs/AM67A/AM67A_linux_toc.txt @@ -90,6 +90,7 @@ linux/Foundational_Components/Virtualization/Docker linux/Foundational_Components_OPTEE linux/Foundational_Components_ATF linux/Foundational_Components_Multimedia_wave5 +linux/Foundational_Components_Secure_Boot linux/Foundational_Components/Graphics/index linux/Foundational_Components/Graphics/Common/Display linux/Foundational_Components/Graphics/Common/GTK+_Graphics_Framework diff --git a/configs/AM68/AM68_linux_toc.txt b/configs/AM68/AM68_linux_toc.txt index f95e2c7f7..fe0655711 100644 --- a/configs/AM68/AM68_linux_toc.txt +++ b/configs/AM68/AM68_linux_toc.txt @@ -96,6 +96,7 @@ linux/Foundational_Components/Virtualization/Docker linux/Foundational_Components_OPTEE linux/Foundational_Components_ATF linux/Foundational_Components_Multimedia_wave5 +linux/Foundational_Components_Secure_Boot linux/Foundational_Components/Graphics/index linux/Foundational_Components/Graphics/Common/Display diff --git a/configs/AM68A/AM68A_linux_toc.txt b/configs/AM68A/AM68A_linux_toc.txt index 60906f833..ff92b72f4 100644 --- a/configs/AM68A/AM68A_linux_toc.txt +++ b/configs/AM68A/AM68A_linux_toc.txt @@ -96,6 +96,7 @@ linux/Foundational_Components/Virtualization/Docker linux/Foundational_Components_OPTEE linux/Foundational_Components_ATF linux/Foundational_Components_Multimedia_wave5 +linux/Foundational_Components_Secure_Boot linux/Foundational_Components/Graphics/index linux/Foundational_Components/Graphics/Common/Display linux/Foundational_Components/Graphics/Common/GTK+_Graphics_Framework diff --git a/configs/AM69/AM69_linux_toc.txt b/configs/AM69/AM69_linux_toc.txt index 0b3cc49ae..192684e41 100644 --- a/configs/AM69/AM69_linux_toc.txt +++ b/configs/AM69/AM69_linux_toc.txt @@ -96,6 +96,7 @@ linux/Foundational_Components/Virtualization/Docker linux/Foundational_Components_OPTEE linux/Foundational_Components_ATF linux/Foundational_Components_Multimedia_wave5 +linux/Foundational_Components_Secure_Boot linux/Foundational_Components/Graphics/index linux/Foundational_Components/Graphics/Common/Display diff --git a/configs/AM69A/AM69A_linux_toc.txt b/configs/AM69A/AM69A_linux_toc.txt index ffacdd493..7881abb95 100644 --- a/configs/AM69A/AM69A_linux_toc.txt +++ b/configs/AM69A/AM69A_linux_toc.txt @@ -96,6 +96,7 @@ linux/Foundational_Components/Virtualization/Docker linux/Foundational_Components_OPTEE linux/Foundational_Components_ATF linux/Foundational_Components_Multimedia_wave5 +linux/Foundational_Components_Secure_Boot linux/Foundational_Components/Graphics/index linux/Foundational_Components/Graphics/Common/Display linux/Foundational_Components/Graphics/Common/GTK+_Graphics_Framework diff --git a/configs/J7200/J7200_linux_toc.txt b/configs/J7200/J7200_linux_toc.txt index 5b8f2863b..9ae2e11a5 100644 --- a/configs/J7200/J7200_linux_toc.txt +++ b/configs/J7200/J7200_linux_toc.txt @@ -71,6 +71,7 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/PCIe/PCIe_Root_Complex linux/Foundational_Components/Kernel/Kernel_Drivers/PMIC/pmic_tps6594 linux/Foundational_Components_Power_Management linux/Foundational_Components/Power_Management/pm_dfs +linux/Foundational_Components_Secure_Boot linux/Foundational_Components/Kernel/Kernel_Drivers/QSPI linux/Foundational_Components/Kernel/Kernel_Drivers/SERDES/SERDES linux/Foundational_Components/Kernel/Kernel_Drivers/SPI diff --git a/configs/J721E/J721E_linux_toc.txt b/configs/J721E/J721E_linux_toc.txt index 039c31493..67c5d914f 100644 --- a/configs/J721E/J721E_linux_toc.txt +++ b/configs/J721E/J721E_linux_toc.txt @@ -76,6 +76,7 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/PCIe/PCIe_Root_Complex linux/Foundational_Components/Kernel/Kernel_Drivers/PMIC/pmic_tps6594 linux/Foundational_Components_Power_Management linux/Foundational_Components/Power_Management/pm_dfs +linux/Foundational_Components_Secure_Boot linux/Foundational_Components/Kernel/Kernel_Drivers/QSPI linux/Foundational_Components/Kernel/Kernel_Drivers/SERDES/SERDES linux/Foundational_Components/Kernel/Kernel_Drivers/SPI diff --git a/configs/J721S2/J721S2_linux_toc.txt b/configs/J721S2/J721S2_linux_toc.txt index 2c7c861ce..3d69e5f3b 100644 --- a/configs/J721S2/J721S2_linux_toc.txt +++ b/configs/J721S2/J721S2_linux_toc.txt @@ -74,6 +74,7 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/PCIe/PCIe_Root_Complex linux/Foundational_Components/Kernel/Kernel_Drivers/PMIC/pmic_tps6594 linux/Foundational_Components_Power_Management linux/Foundational_Components/Power_Management/pm_dfs +linux/Foundational_Components_Secure_Boot linux/Foundational_Components/Kernel/Kernel_Drivers/QSPI linux/Foundational_Components/Kernel/Kernel_Drivers/SERDES/SERDES linux/Foundational_Components/Kernel/Kernel_Drivers/SPI @@ -145,4 +146,4 @@ linux/How_to_Guides/Target/How_To_Carve_Out_CMA linux/Documentation_Tarball -linux/Demo_User_Guides/Chromium_Browser \ No newline at end of file +linux/Demo_User_Guides/Chromium_Browser diff --git a/configs/J722S/J722S_linux_toc.txt b/configs/J722S/J722S_linux_toc.txt index 45115a6aa..d2a0b2b8c 100644 --- a/configs/J722S/J722S_linux_toc.txt +++ b/configs/J722S/J722S_linux_toc.txt @@ -70,6 +70,7 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/Network/CPSW-TSN-Tuning linux/Foundational_Components/Kernel/Kernel_Drivers/PCIe/PCIe_Root_Complex linux/Foundational_Components_Power_Management linux/Foundational_Components/Power_Management/pm_dfs +linux/Foundational_Components_Secure_Boot linux/Foundational_Components/Kernel/Kernel_Drivers/QSPI linux/Foundational_Components/Kernel/Kernel_Drivers/SERDES/SERDES linux/Foundational_Components/Kernel/Kernel_Drivers/SPI diff --git a/configs/J742S2/J742S2_linux_toc.txt b/configs/J742S2/J742S2_linux_toc.txt index 4cd9fc283..450cb1576 100644 --- a/configs/J742S2/J742S2_linux_toc.txt +++ b/configs/J742S2/J742S2_linux_toc.txt @@ -73,6 +73,7 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/PCIe/PCIe_Root_Complex linux/Foundational_Components/Kernel/Kernel_Drivers/PMIC/pmic_tps6594 linux/Foundational_Components_Power_Management linux/Foundational_Components/Power_Management/pm_dfs +linux/Foundational_Components_Secure_Boot linux/Foundational_Components/Kernel/Kernel_Drivers/QSPI linux/Foundational_Components/Kernel/Kernel_Drivers/SERDES/SERDES linux/Foundational_Components/Kernel/Kernel_Drivers/SPI diff --git a/source/images/K3_KF.JPG b/source/images/K3_KF.JPG deleted file mode 100644 index 3ab9593fc..000000000 Binary files a/source/images/K3_KF.JPG and /dev/null differ diff --git a/source/images/K3_KF.png b/source/images/K3_KF.png new file mode 100644 index 000000000..8b83325ec Binary files /dev/null and b/source/images/K3_KF.png differ diff --git a/source/linux/Foundational_Components/System_Security/Security_overview.rst b/source/linux/Foundational_Components/System_Security/Security_overview.rst index 14867038f..f5c9fe4fd 100644 --- a/source/linux/Foundational_Components/System_Security/Security_overview.rst +++ b/source/linux/Foundational_Components/System_Security/Security_overview.rst @@ -71,8 +71,12 @@ The following table lists some of the key Security Features: +-------------------------+-----------------------------------------------------------+--------------------------------------+ | Security Feature | Description | Links | +=========================+===========================================================+======================================+ - | **Authenticated Boot** | Verifies each boot component to ensure only authorized | :ref:`auth_boot_guide` | - | | code executes on the device | | + | **Secure Boot** | Verifies and decrypts each boot stage, establishing a | :ref:`foundational-secure-boot` | + | | hardware-backed chain of trust from ROM to Linux using | | + | | customer-programmable keys | | + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + | **Authenticated Boot** | Transparent disk encryption using the Linux kernel | :ref:`auth_boot_guide` | + | | device mapper (dm-crypt) for data confidentiality | | +-------------------------+-----------------------------------------------------------+--------------------------------------+ | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` | +-------------------------+-----------------------------------------------------------+--------------------------------------+ diff --git a/source/linux/Foundational_Components_Secure_Boot.rst b/source/linux/Foundational_Components_Secure_Boot.rst index f3433a43a..bec38fa84 100644 --- a/source/linux/Foundational_Components_Secure_Boot.rst +++ b/source/linux/Foundational_Components_Secure_Boot.rst @@ -1,9 +1,11 @@ +.. _foundational-secure-boot: + ********************************** Secure Boot ********************************** -Authenticated Boot --------------------- +Introduction +------------ Each device contains customer programmable keys used to authenticate, and optionally decrypt, code/data to be used on the device. A job for the Public Boot ROM of both General Purpose (GP) and High Security (HS) devices is to load the next stage of the boot process into memory. On @@ -30,17 +32,19 @@ The following is an example list where Chain-of-Trust should be maintained. - Disable kernel debug options - Disable/remove userspace debug tools, devmem disable, etc.. -We provide methods for U-Boot's SPL loader to securely verify/decrypt the U-Boot proper, and this U-Boot proper to securely verify/decrypt the -Kernel/DTB/initfamfs. This is accomplished by calling into TIFS via TI-SCI (Texas Instruments System controller Interface). This allows us to use -the same signing/encrypting tools used to authenticate the first-stage image. For more infomation using TI_SCI methods refer to the -`TISCI User Guide `__. +We offer methods for U-Boot's Secondary Program Loader (SPL) to securely verify the U-Boot +proper. U-Boot calls Texas Instrument Foundational Security (TIFS) through Texas Instruments System Controller Interface (TISCI) +to do this. For more information about using TISCI methods see the +`TISCI User Guide `__. U-Boot proper then securely verifies and decrypts the kernel, Device Tree Blobs (DTB), and initramfs. -.. Image:: /images/K3_KF.JPG +.. Image:: /images/K3_KF.png :scale: 70% -Secure boot is like an onion, it has layers. Some layers are trusted more than others. Secure ROM has the highest trust and REE (Run-time Execution -Environment) non-trustzone user-space applications have the least. If any higher trust code is to be loaded by a lower trust entity, it must be verified -by an even higher trust entity and not allowed to be accessed by the lower trust entity after that point. Some such trust inversions are listed below: +Secure boot has layers. Some layers are trusted more than others. Secure ROM has the highest trust and Runtime Execution +Environment (REE) non-trustzone user-space applications have the least. If a +lower trust entity must load a higher trust code, an even higher trust entity +must verify it and not allow access by the lower trust entity after that +point. Some such trust inversions are as follows: - R5 U-Boot loading ATF/OP-TEE - R5 Public Boot ROM loading TIFS @@ -63,21 +67,17 @@ The exact location is device dependent. More details can be found in the device .. ifconfig:: CONFIG_part_variant in ('AM64x') - - `AM64x TRM `_ - The contents of this first stage image are authenticated and decrypted by the Secure ROM. Contents include: * DMSC firmware: `Texas Instruments Foundational Security (TIFS)` + Device/Power Manager: After authentication/decryption, DMSC firmware replaces the Secure ROM as the authenticator entity executing on the DMSC core. * R5 SPL: The R5 SPL bootloader is executed on the R5 core. -.. ifconfig:: CONFIG_part_variant in ('AM62x') - - - `AM62x TRM `_ +.. ifconfig:: CONFIG_part_variant not in ('AM64X') - The contents of this first stage image are authenticated and decrypted by the Secure ROM. Contents include: + The contents of this first stage image are authenticated and decrypted by the Secure ROM. Contents include: - * `Texas Instruments Foundational Security (TIFS)` firmware: After authentication/decryption, TIFS firmware replaces the Secure ROM as the authenticator entity executing on the TIFS core. - * R5 SPL`: The R5 SPL bootloader is executed on the R5 core. + * `Texas Instruments Foundational Security (TIFS)` firmware: After authentication/decryption, TIFS firmware replaces the Secure ROM as the authenticator entity executing on the TIFS core. + * R5 SPL`: The R5 SPL bootloader is executed on the R5 core. .. rubric:: R5 SPL @@ -122,9 +122,9 @@ A53 SPL's output will be similar to this: (notice the "Authentication passed" li .. rubric:: U-Boot The boot flow continues as it does on a non-secure device, until loading the next FIT image named `fitImage`. This FIT image includes the Linux kernel, DTB, and -other required boot artifacts. Each component is extracted and authenticated from this FIT image. Once all components are authenticated, U-boot starts Linux. +other required boot artifacts. U-boot verifies the signed images on boot independently, without using TIFS. U-boot extracts each component from the FIT image and verifies its signature. Once u-boot verifies all components, it starts Linux. For more information, see: `U-Boot FIT Signature Documentation `__ -U-boot's output will be similar to this: (notice the "Authentication passed" lines as we authenticate the Linux kernel and DTB). +U-boot's output will be similar to this: (notice the "Authentication passed" lines as u-boot verifies the Linux kernel and DTB). .. code-block:: console @@ -196,9 +196,9 @@ HS Boot Flow Tools U-boot: - The ti-u-boot source is a project used to create tiboot3.bin, tispl.bin, and u-boot.img. To create tiboot3.bin for AM64x family devices, u-boot builds R5 SPL and + The ti-u-boot source is a project used to create tiboot3.bin, tispl.bin, and u-boot.img. To create tiboot3.bin for K3 family devices, u-boot builds R5 SPL and binman packages it in a `tiboot3.bin` image. To build A53 SPL, binman takes ATF (bl31.bin), OPTEE (bl32.bin), A53 SPL, and A53 DTBs and packages - them in a `tispl.bin` image. The openssl library can then then be used to sign each component as specified in k3-am64x-binman.dtsi. + them in a `tispl.bin` image. U-Boot can then use the openssl library to sign each component as specified in k3--binman.dtsi. .. code-block:: console @@ -247,7 +247,7 @@ OPTEE: Ti-linux-firmware: The ti-linux-firmware is a TI repository where all firmware releases are stored. Firmwares for a device family can also be found in the pre-built SDK - under /board-support/prebuilt-images/am64xx-evm. Binman expects to find the device firmware with the following appended to u-boot build command: + under :file:`/board-support/prebuilt-images/`. Binman expects to find the device firmware with the following appended to u-boot build command: BINMAN_INDIRS=/board-support/prebuilt-images, and expects to find a ti-sysfw directory in this path. .. code-block:: console