LS1021a secure boot and SD card

vsiles · ‎04-21-2016

Hi,

I am working on a LS1021a board, using NXP SDK 1.9.

At the moment, I am using the ls1021atwr_sdcard_ifc_config for u-boot, and I successfully boot on the board without secure boot enabled, having Linux on the Normal World and a Secure OS on the Secure World.

My goal is to activate the secure boot to verify that u-boot and (at least) the Secure OS are correctly signed.

When I build u-boot, I see there is a ls1021atwr_nor_SECURE_BOOT_config target which is build. My question are (sorry if some are depending on NDA, I'm not sure):

1) can I build a sdcard_SECURE_BOOT_config version of u-boot ?

2) should I use the nor_SECURE_BOOT_config to validate the sdcard_ifc_config I already have build ?

3) Disregarding the OS in the secure world and my modification to u-boot, is there some documentation on how to correctly use nor_SECURE_BOOT_config to enable secure boot on this board (with just Linux on top of u-boot) ?

Best,

Vincent

bpe · ‎04-30-2016

>1) can I build a sdcard_SECURE_BOOT_config version of u-boot?

[Platon] You can build what is available under config/:

u-boot-qoriq/2015.01+fslgit-r0/git/configs$ ls -1 ls102*

ls1021aqds_ddr4_nor_defconfig

ls1021aqds_ddr4_nor_lpuart_defconfig

ls1021aqds_nand_defconfig

ls1021aqds_nor_defconfig

ls1021aqds_nor_lpuart_defconfig

ls1021aqds_nor_SECURE_BOOT_defconfig

ls1021aqds_qspi_defconfig

ls1021aqds_sdcard_defconfig

ls1021atwr_nor_defconfig

ls1021atwr_nor_lpuart_defconfig

ls1021atwr_nor_SECURE_BOOT_defconfig

ls1021atwr_qspi_defconfig

ls1021atwr_sdcard_ifc_defconfig

ls1021atwr_sdcard_qspi_defconfig

>2) should I use the nor_SECURE_BOOT_config to validate the

>sdcard_ifc_config I already have build ?

[Platon] No. Booting from SD card is two-stage, SPL is involved.

Read more in doc/README.SPL. If you wish to perform

a secure boot from SD card, you either need to eliminate SPL or

validate two images, SPL and the main u-Boot. While both approaches

are possible, none of them is currently implemented for your platform.

>3) Disregarding the OS in the secure world and my modification to u-boot,

>is there some documentation on how to correctly use nor_SECURE_BOOT_config

>to enable secure boot on this board (with just Linux on top of u-boot)

>

[Platon] Yes, study the document at the link below:

https://freescale.sdlproducts.com/LiveContent/content/en-US/QorIQ_SDK_1.9/GUID-038CFEAB-F051-46F9-94...

Have a great day,
Platon

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

在原帖中查看解决方案

bpe · ‎04-30-2016

>1) can I build a sdcard_SECURE_BOOT_config version of u-boot?

[Platon] You can build what is available under config/:

u-boot-qoriq/2015.01+fslgit-r0/git/configs$ ls -1 ls102*

ls1021aqds_ddr4_nor_defconfig

ls1021aqds_ddr4_nor_lpuart_defconfig

ls1021aqds_nand_defconfig

ls1021aqds_nor_defconfig

ls1021aqds_nor_lpuart_defconfig

ls1021aqds_nor_SECURE_BOOT_defconfig

ls1021aqds_qspi_defconfig

ls1021aqds_sdcard_defconfig

ls1021atwr_nor_defconfig

ls1021atwr_nor_lpuart_defconfig

ls1021atwr_nor_SECURE_BOOT_defconfig

ls1021atwr_qspi_defconfig

ls1021atwr_sdcard_ifc_defconfig

ls1021atwr_sdcard_qspi_defconfig

>2) should I use the nor_SECURE_BOOT_config to validate the

>sdcard_ifc_config I already have build ?

[Platon] No. Booting from SD card is two-stage, SPL is involved.

Read more in doc/README.SPL. If you wish to perform

a secure boot from SD card, you either need to eliminate SPL or

validate two images, SPL and the main u-Boot. While both approaches

are possible, none of them is currently implemented for your platform.

>3) Disregarding the OS in the secure world and my modification to u-boot,

>is there some documentation on how to correctly use nor_SECURE_BOOT_config

>to enable secure boot on this board (with just Linux on top of u-boot)

>

[Platon] Yes, study the document at the link below:

https://freescale.sdlproducts.com/LiveContent/content/en-US/QorIQ_SDK_1.9/GUID-038CFEAB-F051-46F9-94...

Have a great day,
Platon

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

LS1021a secure boot and SD card

LS1021a secure boot and SD card

QorIQ LS1 Devices