enable secure boot in ATF

hello,

yes, I'm talking about the feature refer to (link: 5.8. Trusted Board Boot — Trusted Firmware-A documentation)

And I'm working on custom board based on s32g2 evp and using BSP32.(anyway, I checked BSP34 is the same situation)

hmm, previously, for LS and imx series it's OK to use Trusted board boot feature.

if s32g platform don't support this feature for certain, I must turn to another way for secure boot verify.

or if s32g may suport it later ?

please help to confirm

Hi,

Given S32G is a different platform, could be the reason why this is different from both LS and IMX.

As said before, the S32G integrates the "secure boot" with the HSE Firmware [Page 67, Linux BSP 33.0 User Manual for S32G2 platform, 07/2022]:

"Secure boot refers to a two-stage process of successive authentication of the U-Boot and Linux kernel images. This process requires a "root of trust", which is known to be secure.

Each image is authenticated by the preceding step. Thus, the secure boot flow is the following:
1. BootROM passes control over to HSE FW;
2. HSE FW authenticates the U-Boot image;
3. U-Boot authenticates the Kernel image. "

Which is the recommended implementation of a secure boot using S32G platform.

Please, let us know.

hello，

In the recommended implementation of a secure boot process there is no atf/optee ?

but we should support the entire boot process verification, including bootRom-》 BL2-》BL31(secure monitor)-》BL32(optee)-》BL33(uboot)-》kernel-》...

is there any recommended implementation ?

Hi,

ATF is also supported on the S32G platform. It is shown on chapter 23 from the Linux User Manual.

The same for OP-TEE, it is supported.

Please, let us know.

hello

as mentioned before：

Each image is authenticated by the preceding step. Thus, the secure boot flow is the following:
1. BootROM passes control over to HSE FW;
2. HSE FW authenticates the U-Boot image;
3. U-Boot authenticates the Kernel image. "

in the secure boot process above，there is no atf/optee image authentication.

so I need to add atf/optee images authentication by myself ? or is there any recommened solution provided by NXP ?

thanks.

Hi,

We may not be understanding the specifics of your requirements. The BSP that is provided by NXP includes ATF+u-boot, with this same image you are able to implement the HSE FW (also provided by NXP).

HSE-FW will run over the HSE_M7 core (or M7_0), meaning that (if enabled) once BootROM finishes, it will pass the control over to the HSE_M7 running HSE-FW which then will proceed to fetch the application image after authentication.

The Linux image can be described as an application image, for which it will be executed once HSE-FW authenticates it, then ATF+u-boot+kernel sequence should be run. Might be that the description is not so descriptive as to the HSE sequence itself but given this is described on the HSE manuals (which are confidential) might be the reason.

Please, let us know if this information was helpful or not.

Hello,

I've also been digging the secure boot. I seems to me that the secure boot suggested by the BSP (39) is not secure.

The provided hse_secboot binary loads the whole fip including BL2, BL31, (BL32 ,) BL33 in a single SMR. I see that the HSE will verify the whole FIP, load it into RAM and then jump into BL2. However vanilla BL2 go back to the persistent storage to look for the FIP and then load the rest of the bootloaders.

Thus without the TRUSTED_BOARD_BOOT enable (which doesn't seems to be supported), BL2 will not verify what it loads, and BL2 will not natively look for the verified FIP loaded by the HSE.