This guide provides a step-by-step walkthrough for using the secure boot function on SP7350 platforms. Secure boot ensures that an SP7350 device boots using only dedicated software, protecting the boot process from malicious software by verifying the digital signature of x-boot (the first stage boot-loader) and verifying the hash value of the images for OP-TEE, TF-A, U-Boot, and the Linux kernel. Additionally, the SP7350 decrypts the x-boot image if it is encrypted, preventing it from being hacked.
...
Once you have completed the configuration selections, the system will start configuring the building environment. This process may take a few seconds to a few minutes, depending on your computer's performance. Please wait patiently for the configuration to complete.
Please note that the system takes additional time to complete its initial run during the configuration process, as it requires the download of the toolchain.
Build Code
After completing all configurations, you are ready to initiate the code build. Execute the following command to commence the build process:
...
After make command completes, it will display information similar to the following screenshot:
...
Save Your Secure Keys
After compilation completes, secure keys will be built. The make command creates new secure keys automatically when there are no secure keys in the default directories. Refer to the contents of the directory 'build/tools/secure_sp7350/secure' under the project top directory:
...
The device key is stored in the ‘otp_Device_keys/’ directory, and the secure-boot key is stored in the ‘otp_Sb_keys/’ directory. Remember to securely save the entire ‘otp_Device_keys’ and 'otp_Sb_keys' directories.
WARNING: If the keys are lost, you will never be able to create the same secure keys again. Your SP7350 chips with the old keys will become unusable.
Burn Secure Keys into OTP memory of SP7350 Chips
...
The status window of the OTPTool indicates "WRITE Start..…” and then “WRITE Success!" as shown above.
Press 'Read' to read back content of OTP.
...
The status window of the OTPTool indicates "READ Start..…” and then “READ Success!" as shown above.
Burn Device Private Key (for decryption) into OTP Bit 768 ~ 1023
...
The status window of the OTPTool indicates "WRITE Start..…” and then “WRITE Success!" as shown above.
Press 'Read' to confirm the content of OTP.
...
The status window of the OTPTool indicates "READ Start..…” and then “READ Success!" as shown above.
Enable Secure Mode of SP7350 (Write 1 into OTP bit 0)
...
The status window of the OTPTool indicates "READ Start..…” and then “READ Success!" as shown above.
Enable MP Bit of SP7350 (Write 1 into OTP bit 2)
To safeguard keys from being accessed by end-users, enabling the MP bit prevents the CPU from reading keys.
Note that the MP bit can only be enabled on version B or later chips; otherwise, it will render the chips unusable.
Modify bit 2 to 1 and then press "Write."
...
Important Notes:
Do not enable the MP bit for version A chips.
Burning OTP bits is irreversible, and incorrect burns may render the chips unusable.
Remember to save the keys in directories: otp_Sb_keys, and otp_Device_keys
Secure Boot
After burning the keys and enabling secure mode, the SP7350 is ready to boot in secure mode. Copy your secure image to an SD card, insert it into your SP7350 platform, and turn on the power to boot the platform.
...
Line 1: Displays the i-boot version.
Line 4: Indicates that the SP7350 is in secure mode.
Line 5: Shows that the SP7350 is booting from an SD card.
...
Line 46: Checksum of the x-boot image is successfully verified.
Line 55: Confirms that the digital signature of the x-boot image is successfully verified.
Line 63: Indicates successful decryption of the x-boot image.
Line 67: Displays the x-boot version.
Line 146: Indicates successful completion of DDR training.
Line 158: Confirms successful verification of the U-Boot image's hash value.
Line 159: Confirms successful verification of the fip image's hash value, which includes TF-A and OP-TEE images.
Line 166: Displays the TF-A (BL31) version.
...
Line 183: Displays the U-Boot version.
Line 231: Confirms successful verification of the Linux kernel image's hash value.
Line 239: Indicates that Linux is starting.
...