upstream u-boot with additional patches for our devices/boards:
https://lists.denx.de/pipermail/u-boot/2017-March/282789.html (AXP crashes) ;
Gbit ethernet patch for some LIME2 revisions ;
with SPI flash support
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
92 lines
4.3 KiB
92 lines
4.3 KiB
9 years ago
|
README on how boot images are created for secure TI devices
|
||
|
|
||
|
CONFIG_TI_SECURE_DEVICE:
|
||
|
Secure TI devices require a boot image that is authenticated by ROM
|
||
|
code to function. Without this, even JTAG remains locked and the
|
||
|
device is essentially useless. In order to create a valid boot image for
|
||
|
a secure device from TI, the initial public software image must be signed
|
||
|
and combined with various headers, certificates, and other binary images.
|
||
|
|
||
|
Information on the details on the complete boot image format can be obtained
|
||
|
from Texas Instruments. The tools used to generate boot images for secure
|
||
|
devices are part of a secure development package (SECDEV) that can be
|
||
|
downloaded from:
|
||
|
|
||
|
http://www.ti.com/mysecuresoftware (login required)
|
||
|
|
||
|
The secure development package is access controlled due to NDA and export
|
||
|
control restrictions. Access must be requested and granted by TI before the
|
||
|
package is viewable and downloadable. Contact TI, either online or by way
|
||
|
of a local TI representative, to request access.
|
||
|
|
||
|
When CONFIG_TI_SECURE_DEVICE is set, the U-Boot SPL build process requires
|
||
|
the presence and use of these tools in order to create a viable boot image.
|
||
|
The build process will look for the environment variable TI_SECURE_DEV_PKG,
|
||
|
which should be the path of the installed SECDEV package. If the
|
||
|
TI_SECURE_DEV_PKG variable is not defined or if it is defined but doesn't
|
||
|
point to a valid SECDEV package, a warning is issued during the build to
|
||
|
indicate that a final secure bootable image was not created.
|
||
|
|
||
|
Within the SECDEV package exists an image creation script:
|
||
|
|
||
|
${TI_SECURE_DEV_PKG}/scripts/create-boot-image.sh
|
||
|
|
||
|
This is called as part of the SPL/u-boot build process. As the secure boot
|
||
|
image formats and requirements differ between secure SOC from TI, the
|
||
|
purpose of this script is to abstract these details as much as possible.
|
||
|
|
||
|
The script is basically the only required interface to the TI SECDEV package
|
||
|
for secure TI devices.
|
||
|
|
||
|
Invoking the script for AM43xx Secure Devices
|
||
|
=============================================
|
||
|
|
||
|
create-boot-image.sh <IMAGE_FLAG> <INPUT_FILE> <OUTPUT_FILE> <SPL_LOAD_ADDR>
|
||
|
|
||
|
<IMAGE_FLAG> is a value that specifies the type of the image to generate OR
|
||
|
the action the image generation tool will take. Valid values are:
|
||
|
SPI_X-LOADER - Generates an image for SPI flash (byte swapped)
|
||
|
XIP_X-LOADER - Generates a single stage u-boot for NOR/QSPI XiP
|
||
|
ISSW - Generates an image for all other boot modes
|
||
|
|
||
|
<INPUT_FILE> is the full path and filename of the public world boot loader
|
||
|
binary file (depending on the boot media, this is usually either
|
||
|
u-boot-spl.bin or u-boot.bin).
|
||
|
|
||
|
<OUTPUT_FILE> is the full path and filename of the final secure image. The
|
||
|
output binary images should be used in place of the standard non-secure
|
||
|
binary images (see the platform-specific user's guides and releases notes
|
||
|
for how the non-secure images are typically used)
|
||
|
u-boot-spl_HS_SPI_X-LOADER - byte swapped boot image for SPI flash
|
||
|
u-boot_HS_XIP_X-LOADER - boot image for NOR or QSPI flash
|
||
|
u-boot-spl_HS_ISSW - boot image for all other boot media
|
||
|
|
||
|
<SPL_LOAD_ADDR> is the address at which SOC ROM should load the <INPUT_FILE>
|
||
|
|
||
|
Invoking the script for DRA7xx/AM57xx Secure Devices
|
||
|
====================================================
|
||
|
|
||
|
create-boot-image.sh <IMAGE_TYPE> <INPUT_FILE> <OUTPUT_FILE>
|
||
|
|
||
|
<IMAGE_TYPE> is a value that specifies the type of the image to generate OR
|
||
|
the action the image generation tool will take. Valid values are:
|
||
|
X-LOADER - Generates an image for NOR or QSPI boot modes
|
||
|
MLO - Generates an image for SD/MMC/eMMC boot modes
|
||
|
ULO - Generates an image for USB/UART peripheral boot modes
|
||
|
Note: ULO is not yet used by the u-boot build process
|
||
|
|
||
|
<INPUT_FILE> is the full path and filename of the public world boot loader
|
||
|
binary file (for this platform, this is always u-boot-spl.bin).
|
||
|
|
||
|
<OUTPUT_FILE> is the full path and filename of the final secure image. The
|
||
|
output binary images should be used in place of the standard non-secure
|
||
|
binary images (see the platform-specific user's guides and releases notes
|
||
|
for how the non-secure images are typically used)
|
||
|
u-boot-spl_HS_MLO - boot image for SD/MMC/eMMC. This image is
|
||
|
copied to a file named MLO, which is the name that
|
||
|
the device ROM bootloader requires for loading from
|
||
|
the FAT partition of an SD card (same as on
|
||
|
non-secure devices)
|
||
|
u-boot-spl_HS_X-LOADER - boot image for all other flash memories
|
||
|
including QSPI and NOR flash
|