1*98350f7fSDaniel AllredREADME on how boot images are created for secure TI devices 2*98350f7fSDaniel Allred 3*98350f7fSDaniel AllredCONFIG_TI_SECURE_DEVICE: 4*98350f7fSDaniel AllredSecure TI devices require a boot image that is authenticated by ROM 5*98350f7fSDaniel Allredcode to function. Without this, even JTAG remains locked and the 6*98350f7fSDaniel Allreddevice is essentially useless. In order to create a valid boot image for 7*98350f7fSDaniel Allreda secure device from TI, the initial public software image must be signed 8*98350f7fSDaniel Allredand combined with various headers, certificates, and other binary images. 9*98350f7fSDaniel Allred 10*98350f7fSDaniel AllredInformation on the details on the complete boot image format can be obtained 11*98350f7fSDaniel Allredfrom Texas Instruments. The tools used to generate boot images for secure 12*98350f7fSDaniel Allreddevices are part of a secure development package (SECDEV) that can be 13*98350f7fSDaniel Allreddownloaded from: 14*98350f7fSDaniel Allred 15*98350f7fSDaniel Allred http://www.ti.com/mysecuresoftware (login required) 16*98350f7fSDaniel Allred 17*98350f7fSDaniel AllredThe secure development package is access controlled due to NDA and export 18*98350f7fSDaniel Allredcontrol restrictions. Access must be requested and granted by TI before the 19*98350f7fSDaniel Allredpackage is viewable and downloadable. Contact TI, either online or by way 20*98350f7fSDaniel Allredof a local TI representative, to request access. 21*98350f7fSDaniel Allred 22*98350f7fSDaniel AllredWhen CONFIG_TI_SECURE_DEVICE is set, the U-Boot SPL build process requires 23*98350f7fSDaniel Allredthe presence and use of these tools in order to create a viable boot image. 24*98350f7fSDaniel AllredThe build process will look for the environment variable TI_SECURE_DEV_PKG, 25*98350f7fSDaniel Allredwhich should be the path of the installed SECDEV package. If the 26*98350f7fSDaniel AllredTI_SECURE_DEV_PKG variable is not defined or if it is defined but doesn't 27*98350f7fSDaniel Allredpoint to a valid SECDEV package, a warning is issued during the build to 28*98350f7fSDaniel Allredindicate that a final secure bootable image was not created. 29*98350f7fSDaniel Allred 30*98350f7fSDaniel AllredWithin the SECDEV package exists an image creation script: 31*98350f7fSDaniel Allred 32*98350f7fSDaniel Allred${TI_SECURE_DEV_PKG}/scripts/create-boot-image.sh 33*98350f7fSDaniel Allred 34*98350f7fSDaniel AllredThis is called as part of the SPL/u-boot build process. As the secure boot 35*98350f7fSDaniel Allredimage formats and requirements differ between secure SOC from TI, the 36*98350f7fSDaniel Allredpurpose of this script is to abstract these details as much as possible. 37*98350f7fSDaniel Allred 38*98350f7fSDaniel AllredThe script is basically the only required interface to the TI SECDEV package 39*98350f7fSDaniel Allredfor secure TI devices. 40*98350f7fSDaniel Allred 41*98350f7fSDaniel AllredInvoking the script for AM43xx Secure Devices 42*98350f7fSDaniel Allred============================================= 43*98350f7fSDaniel Allred 44*98350f7fSDaniel Allredcreate-boot-image.sh <IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR> 45*98350f7fSDaniel Allred 46*98350f7fSDaniel Allred<IMAGE_FLAG> is a value that specifies the type of the image to generate OR 47*98350f7fSDaniel Allredthe action the image generation tool will take. Valid values are: 48*98350f7fSDaniel Allred SPI_X-LOADER - Generates an image for SPI flash (byte swapped) 49*98350f7fSDaniel Allred XIP_X-LOADER - Generates a single stage u-boot for NOR/QSPI XiP 50*98350f7fSDaniel Allred ISSW - Generates an image for all other boot modes 51*98350f7fSDaniel Allred 52*98350f7fSDaniel Allred<INPUT_FILE> is the full path and filename of the public world boot loader 53*98350f7fSDaniel Allredbinary file (depending on the boot media, this is usually either 54*98350f7fSDaniel Allredu-boot-spl.bin or u-boot.bin). 55*98350f7fSDaniel Allred 56*98350f7fSDaniel Allred<OUTPUT_FILE> is the full path and filename of the final secure image. The 57*98350f7fSDaniel Allredoutput binary images should be used in place of the standard non-secure 58*98350f7fSDaniel Allredbinary images (see the platform-specific user's guides and releases notes 59*98350f7fSDaniel Allredfor how the non-secure images are typically used) 60*98350f7fSDaniel Allred u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash 61*98350f7fSDaniel Allred u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI flash 62*98350f7fSDaniel Allred u-boot-spl_HS_ISSW - boot image for all other boot media 63*98350f7fSDaniel Allred 64*98350f7fSDaniel Allred<SPL_LOAD_ADDR> is the address at which SOC ROM should load the <INPUT_FILE> 65*98350f7fSDaniel Allred 66*98350f7fSDaniel AllredInvoking the script for DRA7xx/AM57xx Secure Devices 67*98350f7fSDaniel Allred==================================================== 68*98350f7fSDaniel Allred 69*98350f7fSDaniel Allredcreate-boot-image.sh <IMAGE_TYPE> <INPUT_FILE> <OUTPUT_FILE> 70*98350f7fSDaniel Allred 71*98350f7fSDaniel Allred<IMAGE_TYPE> is a value that specifies the type of the image to generate OR 72*98350f7fSDaniel Allredthe action the image generation tool will take. Valid values are: 73*98350f7fSDaniel Allred X-LOADER - Generates an image for NOR or QSPI boot modes 74*98350f7fSDaniel Allred MLO - Generates an image for SD/MMC/eMMC boot modes 75*98350f7fSDaniel Allred ULO - Generates an image for USB/UART peripheral boot modes 76*98350f7fSDaniel Allred Note: ULO is not yet used by the u-boot build process 77*98350f7fSDaniel Allred 78*98350f7fSDaniel Allred<INPUT_FILE> is the full path and filename of the public world boot loader 79*98350f7fSDaniel Allredbinary file (for this platform, this is always u-boot-spl.bin). 80*98350f7fSDaniel Allred 81*98350f7fSDaniel Allred<OUTPUT_FILE> is the full path and filename of the final secure image. The 82*98350f7fSDaniel Allredoutput binary images should be used in place of the standard non-secure 83*98350f7fSDaniel Allredbinary images (see the platform-specific user's guides and releases notes 84*98350f7fSDaniel Allredfor how the non-secure images are typically used) 85*98350f7fSDaniel Allred u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC. This image is 86*98350f7fSDaniel Allred copied to a file named MLO, which is the name that 87*98350f7fSDaniel Allred the device ROM bootloader requires for loading from 88*98350f7fSDaniel Allred the FAT partition of an SD card (same as on 89*98350f7fSDaniel Allred non-secure devices) 90*98350f7fSDaniel Allred u-boot-spl_HS_X-LOADER - boot image for all other flash memories 91*98350f7fSDaniel Allred including QSPI and NOR flash 92