The script is basically the only required interface to the TI SECDEV
package for creating a bootable SPL image for secure TI devices.
+ Invoking the script for AM33xx Secure Devices
+ =============================================
+
+ create-boot-image.sh \
+ <IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR>
+
+ <IMAGE_FLAG> is a value that specifies the type of the image to
+ generate OR the action the image generation tool will take. Valid
+ values are:
+ SPI_X-LOADER - Generates an image for SPI flash (byte swapped)
+ X-LOADER - Generates an image for non-XIP flash
+ MLO - Generates an image for SD/MMC/eMMC media
+ 2ND - Generates an image for USB, UART and Ethernet
+ XIP_X-LOADER - Generates a single stage u-boot for NOR/QSPI XiP
+
+ <INPUT_FILE> is the full path and filename of the public world boot
+ loaderbinary file (depending on the boot media, this is usually
+ either u-boot-spl.bin or u-boot.bin).
+
+ <OUTPUT_FILE> is the full path and filename of the final secure
+ image. The output binary images should be used in place of the standard
+ non-secure binary images (see the platform-specific user's guides and
+ releases notes for how the non-secure images are typically used)
+ u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash
+ u-boot-spl_HS_X-LOADER - boot image for NAND or SD/MMC/eMMC rawmode
+ u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC media
+ u-boot-spl_HS_2ND - boot image for USB, UART and Ethernet
+ u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI Xip flash
+
+ <SPL_LOAD_ADDR> is the address at which SOC ROM should load the
+ <INPUT_FILE>
+
Invoking the script for AM43xx Secure Devices
=============================================
Invoking the script for DRA7xx/AM57xx Secure Devices
====================================================
- create-boot-image.sh <IMAGE_TYPE> <INPUT_FILE> <OUTPUT_FILE>
+ create-boot-image.sh \
+ <IMAGE_TYPE> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR>
<IMAGE_TYPE> is a value that specifies the type of the image to
generate OR the action the image generation tool will take. Valid
X-LOADER - Generates an image for NOR or QSPI boot modes
MLO - Generates an image for SD/MMC/eMMC boot modes
ULO - Generates an image for USB/UART peripheral boot modes
- Note: ULO is not yet used by the u-boot build process
<INPUT_FILE> is the full path and filename of the public world boot
loader binary file (for this platform, this is always u-boot-spl.bin).
the device ROM bootloader requires for loading from
the FAT partition of an SD card (same as on
non-secure devices)
+ u-boot-spl_HS_ULO - boot image for USB/UART peripheral boot modes
u-boot-spl_HS_X-LOADER - boot image for all other flash memories
including QSPI and NOR flash
+ <SPL_LOAD_ADDR> is the address at which SOC ROM should load the
+ <INPUT_FILE>
+
+ Invoking the script for Keystone2 Secure Devices
+ ================================================
+
+ create-boot-image.sh \
+ <UNUSED> <INPUT_FILE> <OUTPUT_FILE> <UNUSED>
+
+ <UNUSED> is currently ignored and reserved for future use.
+
+ <INPUT_FILE> is the full path and filename of the public world boot
+ loader binary file (only u-boot.bin is currently supported on
+ Keystone2 devices, u-boot-spl.bin is not currently supported).
+
+ <OUTPUT_FILE> is the full path and filename of the final secure image.
+ The output binary images should be used in place of the standard
+ non-secure binary images (see the platform-specific user's guides
+ and releases notes for how the non-secure images are typically used)
+ u-boot_HS_MLO - signed and encrypted boot image that can be used to
+ boot from all media. Secure boot from SPI NOR flash is not
+ currently supported.
+
+ Invoking the script for K3 Secure Devices
+ =========================================
+
+ The signing steps required to produce a bootable SPL image on secure
+ K3 TI devices are the same as those performed on non-secure devices.
+ The only difference is the key is not checked on non-secure devices so
+ a dummy key is used when building U-Boot for those devices. For secure
+ K3 TI devices simply use the real hardware key for your device. This
+ real key can be set with the Kconfig option "K3_KEY". The environment
+ variable TI_SECURE_DEV_PKG is also searched for real keys when the
+ build targets secure devices.
+
Booting of Primary U-Boot (u-boot.img)
======================================
is enabled through the CONFIG_SPL_FIT_IMAGE_POST_PROCESS option which
must be enabled for the secure boot scheme to work. In order to allow
verifying proper operation of the secure boot chain in case of successful
- authentication messages like "Authentication passed: CERT_U-BOOT-NOD" are
- output by the SPL to the console for each blob that got extracted from the
- FIT image. Note that the last part of this log message is the (truncated)
- name of the signing certificate embedded into the blob that got processed.
+ authentication messages like "Authentication passed" are output by the
+ SPL to the console for each blob that got extracted from the FIT image.
The exact details of the how the images are secured is handled by the
SECDEV package. Within the SECDEV package exists a script to process
projects / oweals / u-boot.git / blobdiff