This guide provides offers a step-by-step walkthrough for using enabling the secure boot function on SP7350 platforms. Secure boot ensures that an SP7350 device boots using only dedicated exclusively with authorized software, protecting the boot process from malicious software by verifying the digital signature of x-boot (the first stage boot-loader) and verifying the hash value of the images for OP-TEE, TF-A, U-Boot, and the Linux kernelthreats. Additionally, the SP7350 decrypts the x-boot image if it is encrypted, preventing it from being hackedguarantees that only encrypted images are executed, preventing unauthorized access and potential security breaches.
Table of Contents
Table of Contents | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Flow of Secure Boot
The flow of secure boot is as follows:
...
At power-on, i-boot loads the x-boot image from an external boot device into SRAM.
It then verifies the digital signature of the image.
If the signature is correct, i-boot decrypts the x-boot image.
Upon successful decryption, it executes the it.
x-boot
...
:
x-boot
...
Initiates begins by loading the DDR training firmware from an external boot device.
It then initializes the DDR controller and conducts training for the DDR PHY.
Upon successful Once the DDR PHY training is successful, DDR DRAM becomes operational.
It then loads Next, x-boot loads the TF-A, OP-TEE, and U-Boot images from an external boot device into DRAM.
The x-boot It verifies the secure hash value of these images.
If verification is successful, it the verification succeeds, x-boot decrypts the images.
Upon successful decryption, executes TF-A, which then initiates OP-TEE and then subsequently executes U-Boot.
U-Boot:
Loads U-Boot loads the Linux kernel image from an external boot device into DRAM.Verifies the
it then verifies its secure hash value of the Linux kernel image.
If the verification is successful, it U-Boot executes the Linux kernel image.
Compiling Code for Secure Boot
Download Sources of SP7350
Please refer to: A Guide to Downloading and Compiling SP7350 Code
for downloading the sources, setting up the compilation environment for SP7350 platforms.
Configure the Building Environment
Navigate to the top folder of your Q654 (SP7350) project. Run the following command to initiate the configuration menu:
...
Choose the board you want to build the image for. For instance, press '12' to select "SP7350 Ev IO Board."
Choose the boot device. For example, press '52' to specify booting from the SD card.
Choose root file-system of Linux. For example, press '37' to opt for “Ubuntu MATE MATE 2024.04.04” 1” as root file-system.
Choose image securityboot modes. Press ‘3‘2' to select building images with digital signature and encryption. Alternatively, you can press '2’ to build images with only a digital signature“Secure boot” images.
Once you have completed the configuration selections, the system will start configuring the building environment. This process may take a few seconds to a few minutes, depending on your computer's performance. Please wait patiently for the configuration to complete.
Please note that the system takes additional time to complete its initial run during the configuration process, as it requires the download of the toolchain.
Build Code
After completing all configurations, you are ready to initiate the code build. Execute the following command to commence the build process:
...
After make command completes, it will display information similar to the following screenshot:
...
Save Your Secure Keys
After compilation completes, secure keys will be built. The make command creates new secure keys automatically when there are no secure keys in the default directories. Refer to the contents of the directory 'build/tools/secure_sp7350/secure' under the project top directory:
...
The device key is stored in the ‘otp_Device_keys/’ directory, and the secure-boot key is stored in the ‘otp_Sb_keys/’ directory. Remember to securely save the entire ‘otp_Device_keys’ and 'otp_Sb_keys' directories.
WARNING: If the keys are lost, you will never be able to create the same secure keys again. Your SP7350 chips with the old keys will become unusable.
Burn Secure Keys into OTP memory of SP7350 Chips
First, refer to https://sunplus.atlassian.net/wiki/x/Z4GAdg for burning bits in OTP.
...
Each key is 32 bytes long.
Burn Secure-boot Public Key (for digital signature) into OTP Bit 512 ~ 765
The secure-boot key is stored in the file 'build/tools/secure_sp7350/secure/otp_Sb_keys/ed_pub_0.hex', For example, the contents of ed_pub_0.hex is:
...
The status window of the OTPTool indicates "WRITE Start..…” and then “WRITE Success!" as shown above.
Press 'Read' to read back content of OTP.
...
The status window of the OTPTool indicates "READ Start..…” and then “READ Success!" as shown above.
Burn Device Private Key (for decryption) into OTP Bit 768 ~ 1023
The device private key is stored in hex file ‘build/tools/secure_sp7350/secure/otp_Device_keys/x_priv_0.hex’. For example, the contents of x_priv_0.hex is:
...
The status window of the OTPTool indicates "WRITE Start..…” and then “WRITE Success!" as shown above.
Press 'Read' to confirm the content of OTP.
...
The status window of the OTPTool indicates "READ Start..…” and then “READ Success!" as shown above.
Enable Secure Mode of SP7350 (Write 1 into OTP bit 0)
Modify bit 0 to 1 and then press "Write."
...
The status window of the OTPTool indicates "READ Start..…” and then “READ Success!" as shown above.
Enable MP Bit of SP7350 (Write 1 into OTP bit 2)
To safeguard keys from being accessed by end-users, enabling the MP bit prevents the CPU from reading keys.
Note that the MP bit can only be enabled on version B or later chips; otherwise, it will render the chips unusable.
Modify bit 2 to 1 and then press "Write."
...
Important Notes:
Do not enable the MP bit for version A chips.
Burning OTP bits is irreversible, and incorrect burns may render the chips unusable.
Remember to save the keys in directories: otp_Sb_keys, and otp_Device_keys
Secure Boot
After burning the keys and enabling secure mode, the SP7350 is ready to boot in secure mode. Copy your secure image to an SD card, insert it into your SP7350 platform, and turn on the power to boot the platform.
Note that once the SP7350 is in secure mode, it will not boot a non-secure image or an image with an incorrect digital signature.
Log of Secure Boot from SD Card
Line 1: Displays the i-boot version.
Line 4: Indicates that the SP7350 is in secure mode.
Line 5: Shows that the SP7350 is booting from an SD card.
...
Line 46: Checksum of the x-boot image is successfully verified.
Line 55: Confirms that the digital signature of the x-boot image is successfully verified.
Line 63: Indicates successful decryption of the x-boot image.
Line 67: Displays the x-boot version.
Line 146: Indicates successful completion of DDR training.
Line 158: Confirms successful verification of the U-Boot image's hash value.
Line 159: Confirms successful verification of the fip image's hash value, which includes TF-A and OP-TEE images.
Line 166: Displays the TF-A (BL31) version.
...
Line 183: Displays the U-Boot version.
Line 231: Confirms successful verification of the Linux kernel image's hash value.
Line 239: Indicates that Linux is starting.
...