Skip to content

Commit deb5736

Browse files
Pratham-TPratham-T
committed
feat(security): Add Secure Boot documentation for AM62LX SoC
Secure boot page is missing AM62L specific documentation. Due to very large difference with other SoCs in the boot flow, this contains many differences in documentation as well. This commit adds any AM62L specific information in the Secure Boot section, and adds it to its TOC. Signed-off-by: T Pratham <t-pratham@ti.com>
1 parent 310c452 commit deb5736

5 files changed

Lines changed: 208 additions & 88 deletions

File tree

configs/AM62LX/AM62LX_linux_toc.txt

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -85,6 +85,7 @@ linux/Foundational_Components/System_Security/Security_overview
8585
linux/Foundational_Components/System_Security/Auth_boot
8686
linux/Foundational_Components/System_Security/Memory_Firewalls
8787
linux/Foundational_Components/System_Security/Filesystem_Encryption
88+
linux/Foundational_Components_Secure_Boot
8889

8990
linux/Foundational_Components_Kernel_Users_Guide
9091
linux/Foundational_Components_Kernel_LTP-DDT_Validation

source/images/AM62L_BF.png

162 KB
Loading

source/images/AM62L_KF.png

71.3 KB
Loading

source/linux/Foundational_Components/System_Security/Security_overview.rst

Lines changed: 38 additions & 31 deletions
Original file line numberDiff line numberDiff line change
@@ -8,19 +8,19 @@ Device Security
88
Security Overview
99
=================
1010

11-
The |__PART_FAMILY_DEVICE_NAMES__| SoC offers a comprehensive set of
12-
security features that protect embedded Linux applications. This guide
13-
offers a starting point to understand and implement these capabilities
11+
The |__PART_FAMILY_DEVICE_NAMES__| SoC offers a comprehensive set of
12+
security features that protect embedded Linux applications. This guide
13+
offers a starting point to understand and implement these capabilities
1414
as part of product development, with the following advantages:
1515

16-
* **Hardware-backed security** - Leverages built-in security hardware
16+
* **Hardware-backed security** - Leverages built-in security hardware
1717
for robust protection
1818
* **Defense in-depth** - Implements security at many levels including
1919
hardware, firmware, software to protect against wide range of attacks
2020
* **Industry standards compliance** - Incorporates security measures such
2121
as secure boot, TrustZone, and crypto acceleration that can help meet
2222
requirements in standards such as IEC 62443 and NIST guidelines
23-
* **Flexible implementation** - Allows security features that can be
23+
* **Flexible implementation** - Allows security features that can be
2424
tailored to specific application needs
2525

2626
================
@@ -31,7 +31,7 @@ Below is an overview of the security framework's main domains:
3131

3232
.. figure:: ./images/security_framework.png
3333

34-
These security domains create a chain of trust protecting the
34+
These security domains create a chain of trust protecting the
3535
|__PART_FAMILY_DEVICE_NAMES__| SoC from boot through runtime and storage,
3636
ensuring system integrity and data confidentiality.
3737

@@ -43,30 +43,37 @@ The following table lists some of the key Security Features:
4343

4444
.. ifconfig:: CONFIG_part_variant in ('AM62LX')
4545

46-
+-------------------------+-----------------------------------------------------------+--------------------------------------+
47-
| **Security Feature** | **Description** | **Links** |
48-
+=========================+===========================================================+======================================+
49-
| **Authenticated Boot** | Verifies each boot component to ensure only authorized | :ref:`auth_boot_guide` |
50-
| | code executes on the device | |
51-
+-------------------------+-----------------------------------------------------------+--------------------------------------+
52-
| **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` |
53-
+-------------------------+-----------------------------------------------------------+--------------------------------------+
54-
| **Key Management** | Tools for secure key provisioning | :ref:`key-writer-lite-label` |
55-
+-------------------------+-----------------------------------------------------------+--------------------------------------+
56-
| **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` |
57-
+-------------------------+-----------------------------------------------------------+--------------------------------------+
58-
| **Trusted Execution** | Implementation of secure monitor (EL3) firmware that | :ref:`foundational-components-atf` |
59-
| | manages the secure boot process and TrustZone transitions | |
60-
+ +-----------------------------------------------------------+--------------------------------------+
61-
| | Trusted Execution Environment that enables isolated | :ref:`foundational-components-optee` |
62-
| | execution of security-sensitive applications and services | |
63-
+-------------------------+-----------------------------------------------------------+--------------------------------------+
64-
| **Memory Firewalls** | Prevents unauthorized access through hardware-enforced | :ref:`memory-firewalls` |
65-
| | security boundaries | |
66-
+-------------------------+-----------------------------------------------------------+--------------------------------------+
67-
|**fTPM based** | Yocto reference implemenation of filesystem encryption | :ref:`filesystem-encryption` |
68-
|**Filesystem Encryption**| using LUKS2 with TPM-sealed keys | |
69-
+-------------------------+-----------------------------------------------------------+--------------------------------------+
46+
+-------------------------+-----------------------------------------------------------+-----------------------------------------+
47+
| **Security Feature** | **Description** | **Links** |
48+
+=========================+===========================================================+=========================================+
49+
| **Secure Boot** | Verifies and decrypts each boot stage, establishing a | :ref:`foundational-secure-boot` |
50+
| | hardware-backed chain of trust from ROM to Linux using | |
51+
| | customer-programmable keys | |
52+
+ +-----------------------------------------------------------+-----------------------------------------+
53+
| | Authenticates U-Boot using open-source Verified Boot | :ref:`u-boot-secure-boot-verified-boot` |
54+
| | framework | |
55+
+-------------------------+-----------------------------------------------------------+-----------------------------------------+
56+
| **Authenticated Boot** | Verifies each boot component to ensure only authorized | :ref:`auth_boot_guide` |
57+
| | code executes on the device | |
58+
+-------------------------+-----------------------------------------------------------+-----------------------------------------+
59+
| **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` |
60+
+-------------------------+-----------------------------------------------------------+-----------------------------------------+
61+
| **Key Management** | Tools for secure key provisioning | :ref:`key-writer-lite-label` |
62+
+-------------------------+-----------------------------------------------------------+-----------------------------------------+
63+
| **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` |
64+
+-------------------------+-----------------------------------------------------------+-----------------------------------------+
65+
| **Trusted Execution** | Implementation of secure monitor (EL3) firmware that | :ref:`foundational-components-atf` |
66+
| | manages the secure boot process and TrustZone transitions | |
67+
+ +-----------------------------------------------------------+-----------------------------------------+
68+
| | Trusted Execution Environment that enables isolated | :ref:`foundational-components-optee` |
69+
| | execution of security-sensitive applications and services | |
70+
+-------------------------+-----------------------------------------------------------+-----------------------------------------+
71+
| **Memory Firewalls** | Prevents unauthorized access through hardware-enforced | :ref:`memory-firewalls` |
72+
| | security boundaries | |
73+
+-------------------------+-----------------------------------------------------------+-----------------------------------------+
74+
|**fTPM based** | Yocto reference implemenation of filesystem encryption | :ref:`filesystem-encryption` |
75+
|**Filesystem Encryption**| using LUKS2 with TPM-sealed keys | |
76+
+-------------------------+-----------------------------------------------------------+-----------------------------------------+
7077

7178

7279
.. ifconfig:: CONFIG_part_variant in ('AM62X', 'AM62PX', 'AM62AX')
@@ -117,6 +124,6 @@ The following table lists some of the key Security Features:
117124
| | execution of security-sensitive applications and services | |
118125
+-------------------------+-----------------------------------------------------------+--------------------------------------+
119126
| **Memory Firewalls** | Prevents unauthorized access through hardware-enforced | :ref:`memory-firewalls` |
120-
| | security boundaries | |
127+
| | security boundaries | |
121128
+-------------------------+-----------------------------------------------------------+--------------------------------------+
122129

0 commit comments

Comments
 (0)