This guide provides a step-by-step walkthrough for using the secure boot function on SP7350 platforms. Secure boot ensures that an SP7350 device boots using only dedicated software, protecting the boot process from malicious software by verifying the digital signature of x-boot (the first stage boot-loader) and verifying the hash value of the images for OP-TEE, TF-A, U-Boot, and the Linux kernel. Additionally, the SP7350 decrypts the x-boot image if it is encrypted, preventing it from being hacked.
...
At power-on, i-boot loads the x-boot image from an external boot device into SRAM.
It then verifies the digital signature of the image.
If the signature is correct, i-boot decrypts the x-boot image.
Upon successful decryption, it executes the x-boot image.
x-boot:
Initiates the DDR controller and conducts training for the DDR PHY.
Upon successful DDR PHY training, DDR DRAM becomes operational.
It then loads TF-A, OP-TEE, and U-Boot images from an external boot device into DRAM.
The x-boot verifies the hash value of these images.
If verification is successful, it executes TF-A, which initiates OP-TEE and then executes U-Boot.
U-Boot:
Loads the Linux kernel image from an external boot device into DRAM.
Verifies the hash value of the Linux kernel image.
If the verification is successful, it executes the Linux kernel image.
Compiling Code for Secure Boot
...
Once you have completed the configuration selections, the system will start configuring the building environment. This process may take a few seconds to a few minutes, depending on your computer's performance. Please wait patiently for the configuration to complete.
Please note that the system takes additional time to complete its initial run during the configuration process, as it requires the download of the toolchain.
Build Code
After completing all configurations, you are ready to initiate the code build. Execute the following command to commence the build process:
...
After make command completes, it will display information similar to the following screenshot:
...
Save Your Secure Keys
After compilation completes, secure keys will be built. The make command creates new secure keys automatically when there are no secure keys in the default directories. Refer to the contents of the directory 'build/tools/secure_sp7350/secure' under the project top directory:
...
Remember to securely save the entire ‘otp_Device_keys’ and 'otp_Sb_keys' directories.
WARNING: If the keys are lost, you will never be able to create the same secure keys again. Your SP7350 chips with the old keys will become unusable.
Burn Secure Keys into OTP of SP7350 Chips
...
The status window of the OTPTool indicates "WRITE Start..…” and then “WRITE Success!" as shown above.
Press 'Read' to read back content of OTP.
...
The status window of the OTPTool indicates "READ Start..…” and then “READ Success!" as shown above.
Burn Device Private Key (for decryption) into OTP Bit 768 ~ 1023
...
The status window of the OTPTool indicates "WRITE Start..…” and then “WRITE Success!" as shown above.
Press 'Read' to confirm the content of OTP.
...
The status window of the OTPTool indicates "READ Start..…” and then “READ Success!" as shown above.
Enable Secure Mode of SP7350 (Write 1 into OTP bit 0)
...
The status window of the OTPTool indicates "READ Start..…” and then “READ Success!" as shown above.
Enable MP Bit of SP7350 (Write 1 into OTP bit 2)
To safeguard keys from being accessed by end-users, enabling the MP bit prevents the CPU from reading keys.
Note that the MP bit can only be enabled on version B or later chips; otherwise, it will render the chips unusable.
Modify bit 2 to 1 and then press "Write."
...
Important Notes:
Do not enable the MP bit for version A chips.
Burning OTP bits is irreversible, and incorrect burns may render the chips unusable.
Remember to save the keys in directories: otp_Sb_keys, and otp_Device_keys
Secure Boot
After burning the keys and enabling secure mode, the SP7350 is ready to boot in secure mode. Copy your secure image to an SD card, insert it into your SP7350 platform, and turn on the power to boot the platform.
...
Line 1: Displays the i-boot version.
Line 4: Indicates that the SP7350 is in secure mode.
Line 5: Shows that the SP7350 is booting from an SD card.
Line 55: Confirms that the digital signature of the x-boot image is successfully verified.
Line 63: Indicates successful decryption of the x-boot image.
Line 67: Displays the x-boot version.
Line 146: Indicates successful completion of DDR training.
Line 158: Confirms successful verification of the U-Boot image's hash value.
Line 159: Confirms successful verification of the fip image's hash value, which includes TF-A and OP-TEE images.
Line 166: Displays the TF-A (BL31) version.
...
Line 183: Displays the U-Boot version.
Line 231: Confirms successful verification of the Linux kernel image's hash value.
Line 239: Indicates that Linux is starting.
...