Currently I am reading documentation regarding how to add security to my ls1021a architecture. After some investigation, especially when it comes to
(1) Secure Boot: Monolithic vs Chain of Trust
Using Monolithic as an example,
does this mean adding a key to
ESBC:
Bootloader
Bootscript
Kernel Image
Root File System
Device Tree
How does this work? If I want to push some updates to change the device tree, kernel image or root file system, will that be considered a violation too? How does the system distinguish between a normal user and an attacker?
(2) Security Monitor
What do the Zeroizable Master and One Time Programmable Master Key (OTPMK) do in this case?
Generally speaking, only deeply embedded systems with a single, small, and stable software domain might be suitable for monolithic secure boot. For typically more complex software used with QorIQ Layerscape class SoCs, a staged secure boot is more appropriate.
Please consider that NXP LSDK is evolving and it is reasonable to use the latest LSDK Documentation.
Please refer to the Security section:
Where can I find the "For more details on the CoT refer trusted-board-boot.rst in the TF-A repository"
TF-A repository
TF-A:
Trusted Firmware-A - Wiki - Open Source Software and Platforms - Arm Community
link to the "trusted-board-boot.rst":
arm-trusted-firmware/trusted-board-boot.rst at master · ARM-software/arm-trusted-firmware · GitHub
Hi Fedor,
In order to implement all these trust architecture mechanisms, one needs to make the system boot as a secure system boot every time, right? If so, how do I set the system to secure boot mode all the time? Is that through RCW? Also, in order to achieve an alternative boot image, I found in the document you gave me
Alternative image:
"To enable this feature, create PBI with pointers for both primary and alternate images (HW PBL uses SCRATCHRW1 & SCRATCHRW3)."
How do I do this?
I am going to migrate everything to a ls1021a standalone PCB board with external eMMC. Currently I am using TWR-LS1021a for testing purposes. I know that if I change the boot parameter "devpart_root = 3", it will boot from my third partition, which has a second rootfs there.
Trust Architecture and Secure Boot implementation technical details are confidential and can't be discussed in the public Community.
To obtain the documentation it is required to create a Technical Case using corporate email:
https://nxpcommunity.force.com/community/CommunityContextPage
What do you mean by corporate email? I do not have a corporate email. Can I just use this email to make the request?
The Trust Architecture documentation can be provided only under NDA.