TexasInstruments · jsuhaas22 · Apr 8, 2026 · Apr 13, 2026
@@ -103,6 +103,7 @@ linux/Foundational_Components/System_Security/Security_overview
 linux/Foundational_Components/System_Security/SELinux
 linux/Foundational_Components/System_Security/Auth_boot
 linux/Foundational_Components/System_Security/Memory_Firewalls
+linux/Foundational_Components_Secure_Boot
 
 linux/Foundational_Components_Kernel_Users_Guide
 linux/Foundational_Components_Kernel_LTP-DDT_Validation

@@ -100,6 +100,7 @@ linux/Foundational_Components/System_Security/Security_overview
 linux/Foundational_Components/System_Security/SELinux
 linux/Foundational_Components/System_Security/Auth_boot
 linux/Foundational_Components/System_Security/Memory_Firewalls
+linux/Foundational_Components_Secure_Boot
 
 linux/Foundational_Components_PRU_Subsystem
 linux/Foundational_Components/PRU-ICSS-Linux-Drivers

@@ -30,15 +30,14 @@
 - Disable kernel debug options
 - Disable/remove userspace debug tools, devmem disable, etc..
 
-We provide methods for U-Boot's SPL loader to securely verify/decrypt the U-Boot proper, and this U-Boot proper to securely verify/decrypt the
-Kernel/DTB/initfamfs. This is accomplished by calling into TIFS via TI-SCI (Texas Instruments System controller Interface). This allows us to use
-the same signing/encrypting tools used to authenticate the first-stage image. For more infomation using TI_SCI methods refer to the
-`TISCI User Guide <https://software-dl.ti.com/tisci/esd/22_01_02/index.html>`__.
+We provide methods for U-Boot's SPL loader to securely verify/encrypt the U-Boot proper. This is accomplished by calling into TIFS via TI-SCI
+(Texas Instruments System Controller Interface). For more infomation using TI_SCI methods refer to the
+`TISCI User Guide <https://software-dl.ti.com/tisci/esd/22_01_02/index.html>`__. U-Boot proper then securely verifies/decrypts the Kernel/DTB/initramfs.
 
-.. Image:: /images/K3_KF.JPG
+.. Image:: /images/K3_KF.png
         :scale: 70%
 
-Secure boot is like an onion, it has layers. Some layers are trusted more than others. Secure ROM has the highest trust and REE (Run-time Execution
+Secure boot has layers. Some layers are trusted more than others. Secure ROM has the highest trust and REE (Run-time Execution
 Environment) non-trustzone user-space applications have the least. If any higher trust code is to be loaded by a lower trust entity, it must be verified
 by an even higher trust entity and not allowed to be accessed by the lower trust entity after that point. Some such trust inversions are listed below:
 
@@ -70,14 +69,20 @@
     * DMSC firmware: `Texas Instruments Foundational Security (TIFS)` + Device/Power Manager: After authentication/decryption, DMSC firmware replaces the Secure ROM as the authenticator entity executing on the DMSC core.
     * R5 SPL: The R5 SPL bootloader is executed on the R5 core.
 
-.. ifconfig:: CONFIG_part_variant in ('AM62x')
+.. ifconfig:: CONFIG_part_variant not in ('AM64X')
 
-    - `AM62x TRM <https://www.ti.com/lit/pdf/spruiv7>`_
+   .. ifconfig:: CONFIG_part_variant in ('AM62X')
 
-    The contents of this first stage image are authenticated and decrypted by the Secure ROM. Contents include:
+       - `AM62x TRM <https://www.ti.com/lit/pdf/spruiv7>`_
+
+   .. ifconfig:: CONFIG_part_variant in ('AM62PX')
+
+      - `AM62P TRM <https://www.ti.com/lit/pdf/spruj83>`_
+
+   The contents of this first stage image are authenticated and decrypted by the Secure ROM. Contents include:
 
-    * `Texas Instruments Foundational Security (TIFS)` firmware: After authentication/decryption, TIFS firmware replaces the Secure ROM as the authenticator entity executing on the TIFS core.
-    * R5 SPL`: The R5 SPL bootloader is executed on the R5 core.
+   * `Texas Instruments Foundational Security (TIFS)` firmware: After authentication/decryption, TIFS firmware replaces the Secure ROM as the authenticator entity executing on the TIFS core.
+   * R5 SPL`: The R5 SPL bootloader is executed on the R5 core.
 
 .. rubric:: R5 SPL
 
@@ -196,9 +201,9 @@
 
 U-boot:
 
-    The ti-u-boot source is a project used to create tiboot3.bin, tispl.bin, and u-boot.img. To create  tiboot3.bin for AM64x family devices, u-boot builds R5 SPL and
+    The ti-u-boot source is a project used to create tiboot3.bin, tispl.bin, and u-boot.img. To create  tiboot3.bin for Sitara family devices, u-boot builds R5 SPL and
     binman packages it in a `tiboot3.bin` image. To build A53 SPL, binman takes ATF (bl31.bin), OPTEE (bl32.bin), A53 SPL, and A53 DTBs and packages
-    them in a `tispl.bin` image. The openssl library can then then be used to sign each component as specified in k3-am64x-binman.dtsi.
+    them in a `tispl.bin` image. The openssl library can then then be used to sign each component as specified in k3-<soc>-binman.dtsi.
 
     .. code-block:: console
 
@@ -247,7 +252,7 @@
 Ti-linux-firmware:
 
     The ti-linux-firmware is a TI repository where all firmware releases are stored. Firmwares for a device family can also be found in the pre-built SDK
-    under <path-to-tisdk>/board-support/prebuilt-images/am64xx-evm. Binman expects to find the device firmware with the following appended to u-boot build command:
+    under <path-to-tisdk>/board-support/prebuilt-images/<evm>. Binman expects to find the device firmware with the following appended to u-boot build command:
     BINMAN_INDIRS=<path-to-tisdk>/board-support/prebuilt-images, and expects to find a ti-sysfw directory in this path.
 
     .. code-block:: console