On Friday 02 September 2016 10:18 PM, Srinivas, Madan wrote:
On 9/2/2016 12:25 AM, Lokesh Vutla wrote:
On Thursday 01 September 2016 10:34 AM, Madan Srinivas wrote:
This series adds support for secure keystone family of devices, more specifically for K2E (Edison).This work is similar to what has already been done for the AM43xx and AM57xx SoCs and leverages much of the infrastructure from them.
The big difference here is the ROM on keystone2 devices does not provide any APIs for image authentication. Rather, the image authentication and decryption routines and other security functions are provided by software and can run on the ARM in Trustzone as well as on secure DSPs.
A component known as the boot monitor acts as they gateway to this secure processing, and abstracts out the details from the public world. Unlike OMAP class devices, where u-boot calls ROM APIs, u-boot calls into the boot- monitor on keystone devices.
Other than this difference, most of the secure framework for AMxx and DRAxx devices have been re-used.
Couple of other points to note :-
-Support for SPL on secure keystone devices is still TBD, so boot from SPI flash, which needs SPL, is not supported currently on K2 devices. -A single image will work across all other boot media for secure K2 devices.Overall looks good to me. What happened to the early abort seen on H2 HS devices. How are you handling it?
Thanks and regards, Lokesh
The early abort is being handled in the boot monitor code. When the abort handler is implemented in u-boot, we can remove it from the boot monitor.
What is the expectation when you meant abort handler in u-boot? Do you want to clear the abort or something else?
Thanks and regards, Lokesh
Regards, Madan
Changes in v2:
- Corrects typo in commit message for PATCH 1/7 in this series
- The following changes are made to mon.c based on review comments Adds NULL pointer check before calling authentication interface Removes an unnecessary printf Updates size of signed FIT blob after post processing removes header
- Adds a new name for the signed output image in config_secure.mk to keep it in line with the image name used by non-secure keystone devices.
- Changes the target for secure keystone devices in config.mk to u-boot_HS_MLO to keep it in line with the MLO target that is built for non-secure keystone devices.
- Updates k2e_hs_evm_defconfig to reduce the delta seen if one regenerates it using savedefconfig or similar tools.
Madan Srinivas (4): include: image.h: Fixes build warning with CONFIG_FIT_IMAGE_POST_PROCESS arm: omap-common: adds secure image name common to OMAP and keystone arm: mach-keystone: config.mk: Adds support for secure images on K2 doc: Updates info on using keystone secure devices from TI
Vitaly Andrianov (3): arm: mach-keystone: Implements FIT post-processing call for keystone SoCs arm: omap-common: Enable support for K2 HS devices in u-boot configs: Adds a defconfig for K2E High Security EVM
arch/arm/cpu/armv7/omap-common/Kconfig | 2 +- arch/arm/cpu/armv7/omap-common/config_secure.mk | 6 +++ arch/arm/mach-keystone/config.mk | 6 +++ arch/arm/mach-keystone/mon.c | 55 +++++++++++++++++++++++++ configs/k2e_hs_evm_defconfig | 43 +++++++++++++++++++ doc/README.ti-secure | 20 +++++++++ include/image.h | 3 +- 7 files changed, 133 insertions(+), 2 deletions(-) create mode 100644 configs/k2e_hs_evm_defconfig