Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / 89c586b69136a2366d5991c6d42c6b4809362f2a / . / docs / plat / nxp / nxp-ls-tbbr.rst
blob: 43e15f7ef6ce35542104df6b0d9878efbc3076f6 [file] [log] [blame]
Pankaj Guptac7118c92021-03-25 14:56:16 +0530[diff] [blame]1
2--------------
3NXP Platforms:
4--------------
5TRUSTED_BOARD_BOOT option can be enabled by specifying TRUSTED_BOARD_BOOT=1 on command line during make.
6
7
8
9Bare-Minimum Preparation to run TBBR on NXP Platforms:
10=======================================================
11- OTPMK(One Time Programable Key) needs to be burnt in fuses.
12 -- It is the 256 bit key that stores a secret value used by the NXP SEC 4.0 IP in Trusted or Secure mode.
13
14 Note: It is primarily for the purpose of decrypting additional secrets stored in system non-volatile memory.
15
16 -- NXP CST tool gives an option to generate it.
17
18 Use the below command from directory 'cst', with correct options.
19
20 .. code:: shell
21
22 ./gen_otpmk_drbg
23
24- SRKH (Super Root Key Hash) needs to be burnt in fuses.
25 -- It is the 256 bit hash of the list of the public keys of the SRK key pair.
26 -- NXP CST tool gives an option to generate the RSA key pair and its hash.
27
28 Use the below command from directory 'cst', with correct options.
29
30 .. code:: shell
31
32 ./gen_keys
33
34Refer fuse frovisioning readme 'nxp-ls-fuse-prov.rst' for steps to blow these keys.
35
36
37
38Two options are provided for TRUSTED_BOARD_BOOT:
39================================================
40
41-------------------------------------------------------------------------
42Option 1: CoT using X 509 certificates
43-------------------------------------------------------------------------
44
45- This CoT is as provided by ARM.
46
47- To use this option user needs to specify mbedtld dir path in MBEDTLS_DIR.
48
49- To generate CSF header, path of CST repository needs to be specified as CST_DIR
50
51- CSF header is embedded to each of the BL2 image.
52
53- GENERATE_COT=1 adds the tool 'cert_create' to the build environment to generate:
54 -- X509 Certificates as (.crt) files.
55 -- X509 Pem key file as (.pem) files.
56
57- SAVE_KEYS=1 saves the keys and certificates, if GENERATE_COT=1.
58 -- For this to work, file name for cert and keys are provided as part of compilation or build command.
59
60 --- default file names will be used, incase not provided as part compilation or build command.
61 --- default folder 'BUILD_PLAT' will be used to store them.
62
63- ROTPK for x.509 certificates is generated and embedded in bl2.bin and
64 verified as part of CoT by Boot ROM during secure boot.
65
66- Compilation steps:
67
68All Images
69 .. code:: shell
70
71 make PLAT=$PLAT TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 MBEDTLS_DIR=$MBEDTLS_PATH CST_DIR=$CST_DIR_PATH \
72 BOOT_MODE=<platform_supported_boot_mode> \
73 RCW=$RCW_BIN \
74 BL32=$TEE_BIN SPD=opteed\
75 BL33=$UBOOT_SECURE_BIN \
76 pbl \
77 fip
78
79Additional FIP_DDR Image (For NXP platforms like lx2160a)
80 .. code:: shell
81
82 make PLAT=$PLAT TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 MBEDTLS_DIR=$MBEDTLS_PATH fip_ddr
83
84 Note: make target 'fip_ddr' should never be combine with other make target 'fip', 'pbl' & 'bl2'.
85
86-------------------------------------------------------------------------
87Option 2: CoT using NXP CSF headers.
88-------------------------------------------------------------------------
89
90- This option is automatically selected when TRUSTED_BOARD_BOOT is set but MBEDTLS_DIR path is not specified.
91
92- CSF header is embedded to each of the BL31, BL32 and BL33 image.
93
94- To generate CSF header, path of CST repository needs to be specified as CST_DIR
95
96- Default input files for CSF header generation is added in this repo.
97
98- Default input file requires user to generate RSA key pair named
99 -- srk.pri, and
100 -- srk.pub, and add them in ATF repo.
101 -- These keys can be generated using gen_keys tool of CST.
102
103- To change the input file , user can use the options BL33_INPUT_FILE, BL32_INPUT_FILE, BL31_INPUT_FILE
104
105- There are 2 paths in secure boot flow :
106 -- Development Mode (sb_en in RCW = 1, SFP->OSPR, ITS = 0)
107
108 --- In this flow , even on ROTPK comparison failure, flow would continue.
109 --- However SNVS is transitioned to non-secure state
110
111 -- Production mode (SFP->OSPR, ITS = 1)
112
113 --- Any failure is fatal failure
114
115- Compilation steps:
116
117All Images
118 .. code:: shell
119
120 make PLAT=$PLAT TRUSTED_BOARD_BOOT=1 CST_DIR=$CST_DIR_PATH \
121 BOOT_MODE=<platform_supported_boot_mode> \
122 RCW=$RCW_BIN \
123 BL32=$TEE_BIN SPD=opteed\
124 BL33=$UBOOT_SECURE_BIN \
125 pbl \
126 fip
127
128Additional FIP_DDR Image (For NXP platforms like lx2160a)
129 .. code:: shell
130
131 make PLAT=$PLAT TRUSTED_BOARD_BOOT=1 CST_DIR=$CST_DIR_PATH fip_ddr
132
133- Compilation Steps with build option for generic image processing filters to prepend CSF header:
134 -- Generic image processing filters to prepend CSF header
135
136 BL32_INPUT_FILE = < file name>
137 BL33_INPUT_FILE = <file name>
138
139 .. code:: shell
140
141 make PLAT=$PLAT TRUSTED_BOARD_BOOT=1 CST_DIR=$CST_DIR_PATH \
142 BOOT_MODE=<platform_supported_boot_mode> \
143 RCW=$RCW_BIN \
144 BL32=$TEE_BIN SPD=opteed\
145 BL33=$UBOOT_SECURE_BIN \
146 BL33_INPUT_FILE = <ip file> \
147 BL32_INPUT_FILE = <ip_file> \
148 BL31_INPUT_FILE = <ip file> \
149 pbl \
150 fip
151
152
153Deploy ATF Images
154=================
155Same steps as mentioned in the readme "nxp-layerscape.rst".
156
157
158
159Verification to check if Secure state is achieved:
160==================================================
161
162+---+----------------+-----------------+------------------------+----------------------------------+-------------------------------+
163| | Platform | SNVS_HPSR_REG | SYS_SECURE_BIT(=value) | SYSTEM_SECURE_CONFIG_BIT(=value) | SSM_STATE |
164+===+================+=================+========================+==================================+===============================+
165| 1.| lx2160ardb or | 0x01E90014 | 15 | 14-12 | 11-8 |
166| | lx2160aqds or | | ( = 1, BootROM Booted) | ( = 010 means Intent to Secure, | (=1111 means secure boot) |
167| | lx2162aqds | | | ( = 000 Unsecure) | (=1011 means Non-secure Boot) |
168+---+----------------+-----------------+------------------------+----------------------------------+-------------------------------+
169
170- Production mode (SFP->OSPR, ITS = 1)
171 -- Linux prompt will successfully come. if the TBBR is successful.
172
173 --- Else, Linux boot will be successful.
174
175 -- For secure-boot status, read SNVS Register $SNVS_HPSR_REG from u-boot prompt:
176
177 .. code:: shell
178
179 md $SNVS_HPSR_REG
180
181 Command Output:
182 1e90014: 8000AF00
183
184 In case it is read as 00000000, then read this register using jtag (in development mode only through CW tap).
185 +0 +4 +8 +C
186 [0x01E90014] 8000AF00
187
188
189- Development Mode (sb_en in RCW = 1, SFP->OSPR, ITS = 0)
190 -- Refer the SoC specific table to read the register to interpret whether the secure boot is achieved or not.
191 -- Using JTAG (in development environment only, using CW tap):
192
193 --- For secure-boot status, read SNVS Register $SNVS_HPSR_REG
194
195 .. code:: shell
196
197 ccs::display_regs 86 0x01E90014 4 0 1
198
199 Command Output:
200 Using the SAP chain position number 86, following is the output.
201
202 +0 +4 +8 +C
203 [0x01E90014] 8000AF00
204
205 Note: Chain position number will vary from one SoC to other SoC.
206
207- Interpretation of the value:
208
209 -- 0xA indicates BootROM booted, with intent to secure.
210 -- 0xF = secure boot, as SSM_STATE.