fix(security): Correct key flow diagram and text around it for AM64X#654
fix(security): Correct key flow diagram and text around it for AM64X#654jsuhaas22 wants to merge 2 commits intoTexasInstruments:masterfrom
Conversation
jsuhaas22
requested review from
StaticRocket,
VeeruPrudhvi,
cshilwant,
gehariprasath,
jeevantelukula,
praneethbajjuri and
uditkumarti
as code owners
|
@jsuhaas22 let's enable the secure boot doc for am62x platforms in general, for am62l we should also highlight the FIT signing part |
The key-flow diagram and the information around it in AM64X's Secure Boot page state that U-Boot uses TI-SCI to authenticate the kernel image. This is no longer the case: U-Boot verifies the kernel image using the fitImage key contained in it without invoking TIFS. Therefore change the docs to reflect this. Signed-off-by: Suhaas Joshi <s-joshi@ti.com>
jsuhaas22
force-pushed
the
diagram-bootflow
branch
from
0905fa3 to
4c41802
Compare
For AM62x and AM62P, I have added changes to include the doc. AM62L will require more work, so I will send a separate PR for that in a day or two. |
| U-boot: | ||
|
|
||
| The ti-u-boot source is a project used to create tiboot3.bin, tispl.bin, and u-boot.img. To create tiboot3.bin for AM64x family devices, u-boot builds R5 SPL and | ||
| The ti-u-boot source is a project used to create tiboot3.bin, tispl.bin, and u-boot.img. To create tiboot3.bin for Sitara family devices, u-boot builds R5 SPL and |
There was a problem hiding this comment.
Better to use K3 instead of Sitara
@jsuhaas22 sure, please address the relevant comments by the bot, looks fine otherwise. |
jsuhaas22
force-pushed
the
diagram-bootflow
branch
from
4c41802 to
5ae0b72
Compare
@shiva-ti Done. There are still some warnings left but those are invalid. |
Currently, the secure boot section is tailored for AM64x. But the same information is applicable to non-AM64x SoCs, that is AM62x, AM62P. Therefore generalize the page and add it these other devices' TOCs. In addition, fix the language in the file to simplify it by changing a few passive voice statements into active voice, using easier words etc. Signed-off-by: Suhaas Joshi <s-joshi@ti.com>
jsuhaas22
force-pushed
the
diagram-bootflow
branch
from
5ae0b72 to
ab2bac8
Compare
github-actions
bot
assigned
devarsht,
gehariprasath,
praneethbajjuri,
r-vignesh and
uditkumarti
| Kernel/DTB/initfamfs. This is accomplished by calling into TIFS via TI-SCI (Texas Instruments System controller Interface). This allows us to use | ||
| the same signing/encrypting tools used to authenticate the first-stage image. For more infomation using TI_SCI methods refer to the | ||
| `TISCI User Guide <https://software-dl.ti.com/tisci/esd/22_01_02/index.html>`__. | ||
| We offer methods for U-Boot's SPL loader to securely verify and encrypt the U-Boot proper. U-Boot calls TIFS through TI-SCI (Texas Instruments System Controller Interface) |
There was a problem hiding this comment.
@jsuhaas22 It should be "verify and decrypt the U-Boot proper".
Btw, we don't support the encrypted boot atleast for the U-Boot in the PSDK so it should only be "verify the U-Boot proper".
There was a problem hiding this comment.
The fitImage box shows "u-boot-dtb*.dtb". Is it correct? It should be Kernel DTBs, right?
9 participants
The key-flow diagram and the information around it in AM64X's Secure Boot page state that U-Boot uses TI-SCI to authenticate the kernel image. This is no longer the case: U-Boot verifies the kernel image using the fitImage key contained in it without invoking TIFS. Therefore change the docs to reflect this.
New diagram:
