Versions Compared

Old Version 9

changes.mady.by.user Wells Lu

Saved on

compared with

New Version 10

changes.mady.by.user Wells Lu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This guide provides offers a step-by-step walkthrough for using enabling the secure boot function on SP7350 platforms. Secure boot ensures that an SP7350 device boots using only dedicated exclusively with authorized software, protecting the boot process from malicious software by verifying the digital signature of x-boot (the first stage boot-loader) and verifying the hash value of the images for OP-TEE, TF-A, U-Boot, and the Linux kernelthreats. Additionally, the SP7350 decrypts the x-boot image if it is encrypted, preventing it from being hackedguarantees that only encrypted images are executed, preventing unauthorized access and potential security breaches.

Table of Contents

Table of Contents
minLevel1
maxLevel6
outlinefalse
styledefault
typelist
printabletrue

...

  1. At power-on, i-boot loads the x-boot image from an external boot device into SRAM.

  2. It then verifies the digital signature of the image.

  3. If the signature is correct, i-boot decrypts the x-boot image.

  4. Upon successful decryption, it executes the it.

x-boot

...

:

  1. x-

...

  1. Initiates boot begins by loading the DDR training firmware from an external boot device.

  2. It then initializes the DDR controller and conducts training for the DDR PHY.

  3. Upon successful Once the DDR PHY training is successful, DDR DRAM becomes operational.

  4. It then loads Next, x-boot loads the TF-A, OP-TEE, and U-Boot images from an external boot device into DRAM.

  5. The x-boot It verifies the secure hash value of these images.

  6. If verification is successful, it the verification succeeds, x-boot decrypts the images.

  7. Upon successful decryption, executes TF-A, which then initiates OP-TEE and then subsequently executes U-Boot.

U-Boot:

  1. Loads U-Boot loads the Linux kernel image from an external boot device into DRAM.Verifies the

  2. it then verifies its secure hash value of the Linux kernel image.

  3. If the verification is successful, it U-Boot executes the Linux kernel image.

...

  1. Choose the board you want to build the image for. For instance, press '1' to select "SP7350 Ev Board."

  2. Choose the boot device. For example, press '5' to specify booting from the SD card.

  3. Choose root file-system of Linux. For example, press '35' to opt for “Ubuntu MATE MATE 2022.04” as root file-system.

  4. Choose image securityboot modes. Press ‘3‘2' to select building images with digital signature and encryption. Alternatively, you can press '2’ to build images with only a digital signaturefor secure boot.

Once you have completed the configuration selections, the system will start configuring the building environment. This process may take a few seconds to a few minutes, depending on your computer's performance. Please wait patiently for the configuration to complete.

Please note that the system takes additional time to complete its initial run during the configuration process, as it requires the download of the toolchain.

Build Code

After completing all configurations, you are ready to initiate the code build. Execute the following command to commence the build process:

...

After make command completes, it will display information similar to the following screenshot:

...

Save Your Secure Keys

After compilation completes, secure keys will be built. The make command creates new secure keys automatically when there are no secure keys in the default directories. Refer to the contents of the directory 'build/tools/secure_sp7350/secure' under the project top directory:

...

The device key is stored in the ‘otp_Device_keys/’ directory, and the secure-boot key is stored in the ‘otp_Sb_keys/’ directory. Remember to securely save the entire ‘otp_Device_keys’ and 'otp_Sb_keys' directories.

WARNING: If the keys are lost, you will never be able to create the same secure keys again. Your SP7350 chips with the old keys will become unusable.

Burn Secure Keys into OTP memory of SP7350 Chips

...

The status window of the OTPTool indicates "WRITE Start..…” and then “WRITE Success!" as shown above.

Press 'Read' to read back content of OTP.

...

The status window of the OTPTool indicates "READ Start..…” and then “READ Success!" as shown above.

Burn Device Private Key (for decryption) into OTP Bit 768 ~ 1023

...

The status window of the OTPTool indicates "WRITE Start..…” and then “WRITE Success!" as shown above.

Press 'Read' to confirm the content of OTP.

...

The status window of the OTPTool indicates "READ Start..…” and then “READ Success!" as shown above.

Enable Secure Mode of SP7350 (Write 1 into OTP bit 0)

...

The status window of the OTPTool indicates "READ Start..…” and then “READ Success!" as shown above.

Enable MP Bit of SP7350 (Write 1 into OTP bit 2)

To safeguard keys from being accessed by end-users, enabling the MP bit prevents the CPU from reading keys.

Note that the MP bit can only be enabled on version B or later chips; otherwise, it will render the chips unusable.

Modify bit 2 to 1 and then press "Write."

...

Important Notes:

  • Do not enable the MP bit for version A chips.

  • Burning OTP bits is irreversible, and incorrect burns may render the chips unusable.

  • Remember to save the keys in directories: otp_Sb_keys, and otp_Device_keys

Secure Boot

After burning the keys and enabling secure mode, the SP7350 is ready to boot in secure mode. Copy your secure image to an SD card, insert it into your SP7350 platform, and turn on the power to boot the platform.

...

Line 1: Displays the i-boot version.

Line 4: Indicates that the SP7350 is in secure mode.

Line 5: Shows that the SP7350 is booting from an SD card.

...

Line 46: Checksum of the x-boot image is successfully verified.

Line 55: Confirms that the digital signature of the x-boot image is successfully verified.

Line 63: Indicates successful decryption of the x-boot image.

Line 67: Displays the x-boot version.

Line 146: Indicates successful completion of DDR training.

Line 158: Confirms successful verification of the U-Boot image's hash value.

Line 159: Confirms successful verification of the fip image's hash value, which includes TF-A and OP-TEE images.

Line 166: Displays the TF-A (BL31) version.

...

Line 183: Displays the U-Boot version.

Line 231: Confirms successful verification of the Linux kernel image's hash value.

Line 239: Indicates that Linux is starting.

...