TexasInstruments
diff --git a/‎configs/AM62LX/AM62LX_linux_toc.txt‎
Lines changed: 1 addition & 0 deletions b/‎configs/AM62LX/AM62LX_linux_toc.txt‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎source/images/AM62L_BF.png‎
162 KB b/‎source/images/AM62L_BF.png‎
162 KB
diff --git a/‎source/images/AM62L_KF.png‎
53.6 KB b/‎source/images/AM62L_KF.png‎
53.6 KB
diff --git a/‎source/linux/Foundational_Components_Secure_Boot.rst‎
Lines changed: 168 additions & 56 deletions b/‎source/linux/Foundational_Components_Secure_Boot.rst‎
Lines changed: 168 additions & 56 deletions
@@ -84,6 +84,7 @@ linux/Foundational_Components/System_Security/Security_overview
 #linux/Foundational_Components/System_Security/SELinux
 linux/Foundational_Components/System_Security/Auth_boot
 linux/Foundational_Components/System_Security/Memory_Firewalls
+linux/Foundational_Components_Secure_Boot
 
 linux/Foundational_Components_Kernel_Users_Guide
 linux/Foundational_Components_Kernel_LTP-DDT_Validation
 
@@ -32,92 +32,183 @@ The following is an example list where Chain-of-Trust should be maintained.
 - Disable kernel debug options
 - Disable/remove userspace debug tools, devmem disable, etc..
 
-We offer methods for U-Boot's Secondary Program Loader (SPL) to securely verify the U-Boot
-proper. U-Boot calls Texas Instrument Foundational Security (TIFS) through Texas Instruments System Controller Interface (TISCI)
-to do this. For more information about using TISCI methods see the
-`TISCI User Guide <https://software-dl.ti.com/tisci/esd/latest/index.html>`__. U-Boot proper then securely verifies and decrypts the kernel, Device Tree Blobs (DTB), and initramfs.
+.. ifconfig:: CONFIG_part_variant in ('AM62LX')
 
-.. Image:: /images/K3_KF.png
+   The U-Boot's Secondary Program Loader (SPL) securely verifies the U-Boot
+   proper. U-Boot uses its verified boot framework to do this. U-Boot proper
+   then securely verifies and decrypts the kernel, Device Tree Blobs (DTB),
+   and initramfs.
+
+   .. Image:: /images/AM62L_KF.png
         :scale: 70%
 
+.. ifconfig:: CONFIG_part_variant not in ('AM62LX')
+
+   We offer methods for U-Boot's Secondary Program Loader (SPL) to securely
+   verify the U-Boot proper. U-Boot calls Texas Instrument Foundational
+   Security (TIFS) through Texas Instruments System Controller Interface
+   (TISCI) to do this. For more information about using TISCI methods see the
+   `TISCI User Guide <https://software-dl.ti.com/tisci/esd/latest/index.html>`__.
+   U-Boot proper then securely verifies and decrypts the kernel, Device Tree
+   Blobs (DTB), and initramfs.
+
+   .. Image:: /images/K3_KF.png
+         :scale: 70%
+
 Secure boot has layers. Some layers are trusted more than others. Secure ROM has the highest trust and Runtime Execution
 Environment (REE) non-trustzone user-space applications have the least. If a
 lower trust entity must load a higher trust code, an even higher trust entity
 must verify it and not allow access by the lower trust entity after that
 point. Some such trust inversions are as follows:
 
-- R5 U-Boot loading ATF/OP-TEE
-- R5 Public Boot ROM loading TIFS
-- Linux loading Trusted applications(TA)
+.. ifconfig:: CONFIG_part_variant in ('AM62LX')
+
+   - A53 Public Boot ROM loading TF-A/OP-TEE
+   - A53 Public Boot ROM loading TIFS
+   - Linux loading Trusted applications (TA)
+
+.. ifconfig:: CONFIG_part_variant not in ('AM62LX')
+
+   - R5 U-Boot loading TF-A/OP-TEE
+   - R5 Public Boot ROM loading TIFS
+   - Linux loading Trusted applications (TA)
 
 These are called out in the sequence as shown in the following image and their method of ensuring trust is explained.
 
 Secure Boot Flow
 --------------------
 
-.. Image:: /images/K3_BF.jpg
-        :scale: 70%
+.. ifconfig:: CONFIG_part_variant in ('AM62LX')
+
+   .. Image:: /images/AM62L_BF.png
+      :scale: 70%
+
+.. ifconfig:: CONFIG_part_variant not in ('AM62LX')
+
+   .. Image:: /images/K3_BF.jpg
+      :scale: 70%
 
 .. rubric:: ROM
 
-On device startup, execution begins with the ROM bootloader (Secure ROM) running on the DSMC/TIFS core. After initial device security
-setup the Secure ROM starts the Public ROM running on the R5 core. The Public Boot ROM handles loading the first stage image `tiboot3.bin` from a
-peripheral as selected by the BOOTMODE pins. This image is placed into on chip SRAM as external memory interfaces such as DDR are not yet enabled.
-The exact location is device dependent. More details can be found in the device "Technical Reference Manual".
+.. ifconfig:: CONFIG_part_variant not in ('AM62LX')
+
+   On device startup, execution begins with the ROM bootloader (Secure ROM)
+   running on the DSMC/TIFS core. After initial device security setup the
+   Secure ROM starts the Public ROM running on the R5 core. The Public Boot ROM
+   handles loading the first stage image :file:`tiboot3.bin` from a peripheral
+   as selected by the BOOTMODE pins. This image is placed into on chip SRAM as
+   external memory interfaces such as DDR are not yet enabled. The exact
+   location is device dependent. More details can be found in the device
+   "Technical Reference Manual".
+
+   .. ifconfig:: CONFIG_part_variant in ('AM64X')
 
-.. ifconfig:: CONFIG_part_variant in ('AM64x')
+      The contents of this first stage image are authenticated and decrypted by
+      the Secure ROM. Contents include:
 
-    The contents of this first stage image are authenticated and decrypted by the Secure ROM. Contents include:
+      * DMSC firmware: `Texas Instruments Foundational Security (TIFS)` + Device/Power Manager: After authentication/decryption, DMSC firmware replaces the Secure ROM as the authenticator entity executing on the DMSC core.
+      * R5 SPL: The R5 SPL bootloader is executed on the R5 core.
 
-    * DMSC firmware: `Texas Instruments Foundational Security (TIFS)` + Device/Power Manager: After authentication/decryption, DMSC firmware replaces the Secure ROM as the authenticator entity executing on the DMSC core.
-    * R5 SPL: The R5 SPL bootloader is executed on the R5 core.
+   .. ifconfig:: CONFIG_part_variant not in ('AM64X')
 
-.. ifconfig:: CONFIG_part_variant not in ('AM64X')
+      The contents of this first stage image are authenticated and decrypted by
+      the Secure ROM. Contents include:
+
+      * `Texas Instruments Foundational Security (TIFS)` firmware: After authentication/decryption, TIFS firmware replaces the Secure ROM as the authenticator entity executing on the TIFS core.
+      * R5 SPL: The R5 SPL bootloader is executed on the R5 core.
+
+.. ifconfig:: CONFIG_part_variant in ('AM62LX')
+
+   On device startup, execution begins with the ROM bootloader (Secure ROM)
+   running on SMS M4 core. After initial device security setup, the Secure ROM
+   starts the Public ROM running on the A53 core. The Public ROM handles
+   loading the first stage image :file:`tiboot3.bin` from a peripheral as
+   selected by the BOOTMODE pins. This image is placed into on-chip SRAM as
+   external memory interfaces such as DDR are not yet enabled. The exact
+   location is device dependent. More details can be found in the device
+   "Technical Reference Manual".
 
    The contents of this first stage image are authenticated and decrypted by the Secure ROM. Contents include:
 
-   * `Texas Instruments Foundational Security (TIFS)` firmware: After authentication/decryption, TIFS firmware replaces the Secure ROM as the authenticator entity executing on the TIFS core.
-   * R5 SPL`: The R5 SPL bootloader is executed on the R5 core.
+   * `Texas Instruments Foundational Security (TIFS)` firmware: After authentication/decryption, TIFS firmware replaces the Secure ROM as the authenticator entity executing on the M4 core in the 2nd phase of the boot.
+   * BL-1: The pre-bootloader executed on the A53 core, initializes the console and DDR for the 2nd phase of the boot.
 
-.. rubric:: R5 SPL
+.. ifconfig:: CONFIG_part_variant not in ('AM62LX')
 
-R5 SPL loads the second boot stage FIT image `tispl.bin` from the peripheral as selected by the BOOTMODE pins. From this FIT image, TF-A, OPTEE, A53 SPL,
-and SPL DTB are extracted and authenticated and/or decrypted by TIFS. If authentication passed, the R5 SPL starts the ARM64 core. TF-A, OPTEE, and A53 SPL
-will begin execution on the ARM64 core. R5 SPL also configures DDR and the console so the user can see the first prints as seen below:
+   .. rubric:: R5 SPL
 
-R5 SPL's output will be similar to this:
-Notice the "Authentication passed" lines as TF-A, OPTEE, A53 SPL, and SPL DTB are authenticated.
+   R5 SPL loads the second boot stage FIT image `tispl.bin` from the
+   peripheral as selected by the BOOTMODE pins. From this FIT image, TF-A,
+   OPTEE, A53 SPL, and SPL DTB are extracted and authenticated and/or decrypted
+   by TIFS. If authentication passed, the R5 SPL starts the ARM64 core. TF-A,
+   OPTEE, and A53 SPL will begin execution on the ARM64 core. R5 SPL also
+   configures DDR and the console so the user can see the first prints as seen
+   below:
 
-.. code-block:: console
+   R5 SPL's output will be similar to this:
+   Notice the "Authentication passed" lines as TF-A, OPTEE, A53 SPL, and SPL DTB are authenticated.
 
-    U-Boot SPL 2021.01-dirty (May 13 2022 - 15:05:11 -0500)
-    SYSFW ABI: 3.1 (firmware rev 0x0008 '8.4.0-3-gd5cb1+ (Jolly Jellyfis')
-    SPL initial stack usage: 13392 bytes
-    Trying to boot from MMC2
-    Authentication passed
-    Authentication passed
-    Authentication passed
-    Authentication passed
-    Starting ATF on ARM64 core...
+   .. code-block:: console
 
-.. ifconfig:: CONFIG_part_variant in ('AM62x')
+      U-Boot SPL 2021.01-dirty (May 13 2022 - 15:05:11 -0500)
+      SYSFW ABI: 3.1 (firmware rev 0x0008 '8.4.0-3-gd5cb1+ (Jolly Jellyfis')
+      SPL initial stack usage: 13392 bytes
+      Trying to boot from MMC2
+      Authentication passed
+      Authentication passed
+      Authentication passed
+      Authentication passed
+      Starting ATF on ARM64 core...
 
-    After R5 SPL, the device/power manager firmware continues running on the R5 core.
+   .. ifconfig:: CONFIG_part_variant in ('AM62x')
+
+      After R5 SPL, the device/power manager firmware continues running on the R5 core.
 
 .. rubric:: A53 SPL
 
-A53 SPL then loads the U-Boot proper FIT image `U-boot.img` from the peripheral as selected by the BOOTMODE pins. From this FIT image, the U-boot bootloader
-and DTB are extracted before passing execution to u-boot proper.
+.. ifconfig:: CONFIG_part_variant not in ('AM62LX')
 
-A53 SPL's output will be similar to this: (notice the "Authentication passed" lines as U-Boot and the DTB are authenticated).
+   A53 SPL then loads the U-Boot proper FIT image :file:`u-boot.img` from the
+   peripheral as selected by the BOOTMODE pins. From this FIT image, the U-Boot
+   bootloader and DTB are extracted before passing execution to U-Boot proper.
 
-.. code-block:: console
+   A53 SPL's output will be similar to this: (notice the "Authentication passed" lines as U-Boot and the DTB are authenticated).
+
+   .. code-block:: console
+
+      U-Boot SPL 2021.01-g2de57d278b (May 16 2022 - 14:28:40 +0000)
+      SYSFW ABI: 3.1 (firmware rev 0x0008 '8.4.0-3-gd5cb1+ (Jolly Jellyfis')
+      Trying to boot from MMC2
+      Authentication passed
+      Authentication passed
+
+.. ifconfig:: CONFIG_part_variant in ('AM62LX')
+
+   Public ROM loads the second boot stage image :file:`tispl.bin` from the
+   peripheral as selected by the BOOTMODE pins. From this image, TF-A, OP-TEE,
+   A53 SPL (U-Boot SPL) and SPL DTB are extracted and authenticated and/or
+   decrypted by the Secure ROM. If authenticated, the Secure ROM resets the A53
+   core. TF-A, OP-TEE and U-Boot SPL begin execution on the A53 core.
+
+   U-Boot SPL then loads the U-Boot proper FIT image :file:`u-boot.img` from
+   the peripheral as selected by the BOOTMODE pins. The U-Boot SPL verifies the
+   signed FIT image independently, without using TIFS. From this FIT image, the
+   U-Boot bootloader and DTB are extracted before passing execution to U-Boot
+   proper.
+
+   U-Boot SPL's output will be similar to this: (notice the "Checking hash(es)"
+   lines as U-Boot and DTB are authenticated).
+
+   .. code-block:: console
 
-    U-Boot SPL 2021.01-g2de57d278b (May 16 2022 - 14:28:40 +0000)
-    SYSFW ABI: 3.1 (firmware rev 0x0008 '8.4.0-3-gd5cb1+ (Jolly Jellyfis')
-    Trying to boot from MMC2
-    Authentication passed
-    Authentication passed
+      U-Boot SPL 2026.01-ti-gee3048ee0822 (Apr 09 2026 - 00:09:07 +0000)
+      SPL initial stack usage: 1936 bytes
+      Trying to boot from DFU
+      ######DOWNLOAD ... OK
+      Ctrl+C to exit ...
+      ## Checking hash(es) for config conf-0 ... sha512,rsa4096:custMpk+ OK
+      ## Checking hash(es) for Image uboot ... sha512+ OK
+      ## Checking hash(es) for Image fdt-0 ... sha512+ OK
 
 .. rubric:: U-Boot
 
@@ -194,17 +285,38 @@ HS Boot Flow Tools
 
 U-boot:
 
-    The ti-u-boot source is a project used to create tiboot3.bin, tispl.bin, and u-boot.img. To create  tiboot3.bin for K3 family devices, u-boot builds R5 SPL and
-    binman packages it in a `tiboot3.bin` image. To build A53 SPL, binman takes ATF (bl31.bin), OPTEE (bl32.bin), A53 SPL, and A53 DTBs and packages
-    them in a `tispl.bin` image. U-Boot can then use the openssl library to sign each component as specified in k3-<soc>-binman.dtsi.
+   .. ifconfig:: CONFIG_part_variant not in ('AM62LX')
 
-    .. code-block:: console
+      The ti-u-boot source is a project used to create tiboot3.bin, tispl.bin, and u-boot.img. To create  tiboot3.bin for K3 family devices, u-boot builds R5 SPL and
+      binman packages it in a `tiboot3.bin` image. To build A53 SPL, binman takes TF-A (bl31.bin), OPTEE (bl32.bin), A53 SPL, and A53 DTBs and packages
+      them in a `tispl.bin` image. U-Boot can then use the openssl library to sign each component as specified in k3-<soc>-binman.dtsi.
 
-        $ git clone https://git.ti.com/git/ti-u-boot/ti-u-boot.git
+      .. code-block:: console
 
-        Example use:
-        $ make ARCH=arm CROSS_COMPILE=aarch64-none-linux-gnu- am64x_evm_a53_defconfig
-        $ make CROSS_COMPILE=aarch64-none-linux-gnu- ATF=bl31.bin TEE=tee-pager_v2.bin BINMAN_INDIRS=<path-to-tisdk>/board-support/prebuilt-images
+         $ git clone https://git.ti.com/git/ti-u-boot/ti-u-boot.git
+
+         $ # Example use:
+         $ make ARCH=arm CROSS_COMPILE=aarch64-none-linux-gnu- am64x_evm_a53_defconfig
+         $ make CROSS_COMPILE=aarch64-none-linux-gnu- BL31=bl31.bin TEE=tee-pager_v2.bin BINMAN_INDIRS=<path-to-tisdk>/board-support/prebuilt-images
+
+   .. ifconfig:: CONFIG_part_variant in ('AM62LX')
+
+      The ti-u-boot source is a project used to create :file:`tiboot3.bin`,
+      :file:`tispl.bin`, and :file:`u-boot.img`. To create :file:`tiboot3.bin`
+      for K3 family devices, U-Boot builds BL-1 and binman packages it in a
+      :file:`tiboot3.bin` image. To build A53 SPL, binman takes TF-A
+      (:file:`bl31.bin`), OPTEE (:file:`bl32.bin`), A53 SPL, and A53 DTBs and
+      packages them in a :file:`tispl.bin` image. U-Boot can then use the
+      openssl library to sign each component as specified in
+      :file:`k3-am62l3-evm-binman.dtsi`.
+
+      .. code-block:: console
+
+         $ git clone https://git.ti.com/git/ti-u-boot/ti-u-boot.git
+
+         $ # Example use:
+         $ make ARCH=arm CROSS_COMPILE=aarch64-none-linux-gnu- am62lx_evm_defconfig
+         $ make CROSS_COMPILE=aarch64-none-linux-gnu- BL1=bl1.bin BL31=bl31.bin TEE=tee-pager_v2.bin BINMAN_INDIRS=<path-to-tisdk>/board-support/prebuilt-images
 
 Linux: