Trust Architectrue for LS1021a

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Trust Architectrue for LS1021a

773 Views
jiye
Contributor V

Currently I am reading documentations regarding how to add security into my ls1021a architecture. After some investigations, specially when comes to 

 

(1) Secure Boot: Monolithic vs Chain of Trust

Using Monolithic as an example, 

 

does this mean add a key to 

 

ESBC:
Bootloader
Bootscript
Kernel Image
Root File System
Device Tree

 

 

how does this work? if I want to push some updates to change the device tree, or kernel image or root file system will that be considered as a violation too? how the system distinguish a normal user and a attacker?

 

(2) Security Monitor

what Zeroizable Master and One Time Programmable Master Key (OTPMK) do in this case?

0 Kudos
7 Replies

641 Views
ufedor
NXP Employee
NXP Employee

Generally speaking, only deeply embedded systems with a single, small, and stable software domain might be suitable for monolithic secure boot. For typically more complex software used with QorIQ Layerscape class SoCs, a staged secure boot is more appropriate.

Please consider that NXP LSDK is evolving and it is reasonable to use the latest LSDK Documentation.

Please refer to the Security section:

Submit Form 

0 Kudos

641 Views
jiye
Contributor V

where can I find the "For more details on the CoT refer trusted-board-boot.rst in the TF-A repository"

TF-A repository 

0 Kudos

641 Views
jiye
Contributor V

Hi Fedor,

In order to implement all these trust architecture mechanism one needs to make the system boot as secure system boot every time right? If so how to set the system to secure boot mode all the time. Is that through RCW? Also, in order to achieve alternative boot image, i found in the document you give me 

Alternative image:

"To enable this feature, create PBI with pointers for both primary and alternate images (HW PBL uses SCRATCHRW1 & SCRATCHRW3)."

how to do this?

As I am going to migrate every thing to a ls1021a stand alone PCB board with external eMMC. Currently I am using TWR-LS1021a for testing purpose I know if I change the boot parameters "devpart_root = 3" it will boot from my third partition which has a second roofts there. 

0 Kudos

641 Views
ufedor
NXP Employee
NXP Employee

Trust Architecture and Secure Boot implementation technical details are confidential and can't be discussed in the public Community.

To obtain the documentation it is required to create a Technical Case using corporate email:

https://nxpcommunity.force.com/community/CommunityContextPage 

0 Kudos

641 Views
jiye
Contributor V

what do you mean by corporate email. I do not have corporate email. Can I just use this email to request ?

0 Kudos

641 Views
ufedor
NXP Employee
NXP Employee

The Trust Architecture documentation can be provided only under NDA.

0 Kudos