Currently I am reading documentation regarding how to add security to my ls1021a architecture. After some investigation, especially when it comes to
(1) Secure Boot: Monolithic vs Chain of Trust
Using Monolithic as an example,
does this mean add a key to
Root File System
How does this work? If I want to push some updates to change the device tree, kernel image or root file system, will that be considered a violation too? How does the system distinguish a normal user from an attacker?
(2) Security Monitor
What do the Zeroizable Master and One Time Programmable Master Key (OTPMK) do in this case?
Generally speaking, only deeply embedded systems with a single, small, and stable software domain might be suitable for monolithic secure boot. For typically more complex software used with QorIQ Layerscape class SoCs, a staged secure boot is more appropriate.
Please consider that NXP LSDK is evolving and it is reasonable to use the latest LSDK Documentation.
Please refer to the Security section:
link to the "trusted-board-boot.rst":
In order to implement all these trust architecture mechanisms, one needs to make the system boot as a secure system boot every time, right? If so, how do I set the system to secure boot mode all the time? Is that through RCW? Also, in order to achieve an alternative boot image, I found in the document you gave me
"To enable this feature, create PBI with pointers for both primary and alternate images (HW PBL uses SCRATCHRW1 & SCRATCHRW3)."
How do I do this?
I am going to migrate everything to an ls1021a standalone PCB board with external eMMC. Currently I am using TWR-LS1021a for testing purposes. I know that if I change the boot parameter "devpart_root = 3" it will boot from my third partition, which has a second rootfs there.
Trust Architecture and Secure Boot implementation technical details are confidential and can't be discussed in the public Community.
To obtain the documentation it is required to create a Technical Case using corporate email: