DRA7xx Generation

Secure Boot

Secure TI devices require a boot image that is authenticated by ROM code to function. Without this, even JTAG remains locked and the device is essentially useless. In order to create a valid boot image for a secure device from TI, the initial public software image must be signed and combined with various headers, certificates, and other binary images.

Information on the details on the complete boot image format can be obtained from Texas Instruments. The tools used to generate boot images for secure devices are part of a secure development package (SECDEV) that can be downloaded from:

https://www.ti.com/mysecuresoftware (login required)

The secure development package is access controlled due to NDA and export control restrictions. Access must be requested and granted by TI before the package is viewable and downloadable. Contact TI, either online or by way of a local TI representative, to request access.

1. Booting of U-Boot SPL

When CONFIG_TI_SECURE_DEVICE is set, the U-Boot SPL build process requires the presence and use of these tools in order to create a viable boot image. The build process will look for the environment variable TI_SECURE_DEV_PKG, which should be the path of the installed SECDEV package. If the TI_SECURE_DEV_PKG variable is not defined or if it is defined but doesn’t point to a valid SECDEV package, a warning is issued during the build to indicate that a final secure bootable image was not created.

Within the SECDEV package exists an image creation script:

${TI_SECURE_DEV_PKG}/scripts/create-boot-image.sh

This is called as part of the SPL/u-boot build process. As the secure boot image formats and requirements differ between secure SOC from TI, the purpose of this script is to abstract these details as much as possible.

The script is basically the only required interface to the TI SECDEV package for creating a bootable SPL image for secure TI devices.

create-boot-image.sh \
             <IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR>

<IMAGE_FLAG> is a value that specifies the type of the image to generate OR the action the image generation tool will take. Valid values are:

X-LOADER	Generates an image for NOR or QSPI boot modes
MLO	Generates an image for NOR or QSPI boot modes
ULO	Generates an image for USB/UART peripheral boot modes

<INPUT_FILE> is the full path and filename of the public world boot loaderbinary file (for this platform, this is always u-boot-spl.bin).

<OUTPUT_FILE> is the full path and filename of the final secure image. The output binary images should be used in place of the standard non-secure binary images (see the platform-specific user’s guides and releases notes for how the non-secure images are typically used)

u-boot-spl_HS_SPI_X-LOADER	boot image for SD/MMC/eMMC. This image is copied to a file named MLO, which is the name that the device ROM bootloader requires for loading from the FAT partition of an SD card (same as on non-secure devices)
u-boot-spl_HS_ULO	boot image for USB/UART peripheral boot modes
u-boot-spl_HS_X-LOADER	boot image for all other flash memories including QSPI and NOR flash

<SPL_LOAD_ADDR> is the address at which SOC ROM should load the <INPUT_FILE>

2. Booting of Primary U-Boot (u-boot.img)

The SPL image is responsible for loading the next stage boot loader, which is the main u-boot image. For secure TI devices, the SPL will be authenticated, as described above, as part of the particular device’s ROM boot process. In order to continue the secure boot process, the authenticated SPL must authenticate the main u-boot image that it loads.

The configurations for secure TI platforms are written to make the boot process use the FIT image format for the u-boot.img (CONFIG_SPL_FRAMEWORK and CONFIG_SPL_LOAD_FIT). With these configurations the binary components that the SPL loads include a specific DTB image and u-boot image. These DTB image may be one of many available to the boot process. In order to secure these components so that they can be authenticated by the SPL as they are loaded from the FIT image, the build procedure for secure TI devices will secure these images before they are integrated into the FIT image. When those images are extracted from the FIT image at boot time, they are post-processed to verify that they are still secure. The outlined security-related SPL post-processing is enabled through the CONFIG_SPL_FIT_IMAGE_POST_PROCESS option which must be enabled for the secure boot scheme to work. In order to allow verifying proper operation of the secure boot chain in case of successful authentication messages like “Authentication passed” are output by the SPL to the console for each blob that got extracted from the FIT image.

The exact details of the how the images are secured is handled by the SECDEV package. Within the SECDEV package exists a script to process an input binary image:

${TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh

This is called as part of the u-boot build process. As the secure image formats and requirements can differ between the various secure SOCs from TI, this script in the SECDEV package abstracts these details. This script is essentially the only required interface to the TI SECDEV package for creating a u-boot.img image for secure TI devices.

The SPL/u-boot code contains calls to dedicated secure ROM functions to perform the validation on the secured images. The details of the interface to those functions is shown in the code. The summary is that they are accessed by invoking an ARM secure monitor call to the device’s secure ROM (fixed read-only-memory that is secure and only accessible when the ARM core is operating in the secure mode).

Invoking the secure-binary-image script for Secure Devices

secure-binary-image.sh <INPUT_FILE> <OUTPUT_FILE>

<INPUT_FILE> is the full path and filename of the input binary image

<OUTPUT_FILE> is the full path and filename of the output secure image.

eMMC Boot Partition Use

It is possible, depending on SYSBOOT configuration to boot from the eMMC boot partitions using (name depending on documentation referenced) Alternative Boot operation mode or Boot Sequence Option 1/2. In this example we load MLO and u-boot.img from the build into DDR and then use ‘mmc bootbus’ to set the required rate (see TRM) and ‘mmc partconfig’ to set boot0 as the boot device.

setenv autoload no
usb start
dhcp
mmc dev 1 1
tftp ${loadaddr} dra7xx/MLO
mmc write ${loadaddr} 0 100
tftp ${loadaddr} dra7xx/u-boot.img
mmc write ${loadaddr} 300 400
mmc bootbus 1 2 0 2
mmc partconf 1 1 1 0
mmc rst-function 1 1

QSPI U-Boot support

Host processor is connected to serial flash device via qpsi interface. QSPI is a kind of spi module that allows single, dual and quad read access to external spi devices. The module has a memory mapped interface which provide direct interface for accessing data form external spi devices.

The one QSPI in the device is primarily intended for fast booting from Quad SPI flash devices.

Usecase

MLO/u-boot.img will be flashed from SD/MMC to the flash device using serial flash erase and write commands. Then, switch settings will be changed to qspi boot. Then, the ROM code will read MLO from the predefined location in the flash, where it was flashed and execute it after storing it in SDRAM. Then, the MLO will read u-boot.img from flash and execute it from SDRAM.

SPI mode

SPI mode uses mtd spi framework for transfer and reception of data. Can be used in:

1. Normal mode: use single pin for transfers

2. Dual Mode: use two pins for transfers.

3. Quad mode: use four pin for transfer

Memory mapped read mode

In this, SPI controller is configured using configuration port and then controller is switched to memory mapped port for data read.

Driver

drivers/qspi/ti_qspi.c

• File which is responsible for configuring the qspi controller and also for providing the low level api which is responsible for transferring the datas from host controller to flash device and vice versa.

Testing

Build the patched U-Boot and load MLO/u-boot.img.

Boot from another medium like MMC

=> mmc dev 0
mmc0 is current device
=> fatload mmc 0 0x82000000 MLO
reading MLO
55872 bytes read in 8 ms (6.7 MiB/s)
=> fatload mmc 0 0x83000000 u-boot.img
reading u-boot.img
248600 bytes read in 19 ms (12.5 MiB/s)

Commands to erase/write u-boot/MLO to flash device

=> sf probe 0
SF: Detected S25FL256S_64K with page size 256 Bytes, erase size 64 KiB, total 32 MiB, mapped at 5c000000
=> sf erase 0 0x10000
SF: 65536 bytes @ 0x0 Erased: OK
=> sf erase 0x20000 0x10000
SF: 65536 bytes @ 0x20000 Erased: OK
=> sf erase 0x30000 0x10000
SF: 65536 bytes @ 0x30000 Erased: OK
=> sf erase 0x40000 0x10000
SF: 65536 bytes @ 0x40000 Erased: OK
=> sf erase 0x50000 0x10000
SF: 65536 bytes @ 0x50000 Erased: OK
=> sf erase 0x60000 0x10000
SF: 65536 bytes @ 0x60000 Erased: OK
=> sf write 82000000 0 0x10000
SF: 65536 bytes @ 0x0 Written: OK
=> sf write 83000000 0x20000 0x60000
SF: 393216 bytes @ 0x20000 Written: OK

Next, set sysboot to QSPI-1 boot mode(SYSBOOT[5:0] = 100110) and power on. ROM should find the GP header at offset 0 and load/execute SPL. SPL then detects that ROM was in QSPI-1 mode (boot code 10) and attempts to find a U-Boot image header at offset 0x20000 (set in the config file) and proceeds to load that image using the U-Boot image payload offset/size from the header. It will then start U-Boot.