Changes between Version 18 and Version 19 of venice/secure_boot
- Timestamp:
- 03/25/2024 05:35:38 PM (8 months ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
venice/secure_boot
v18 v19 5 5 Secure boot, particularly in the context of our Venice family of Single Board Computers (SBCs), involves several key considerations and procedures. Here are some general notes to keep in mind: 6 6 - U-Boot Versions: It's crucial to note that this guide was written for U-Boot version v2024.03-venice (or a compatible version), as different U-Boot branches may necessitate distinct configurations. 7 - SoC specifics: The Gateworks Venice family of Single Board Computers supports IMX8MM, IMX8MN, and IMX8MP SoC's which vary quite a bit and create different binary builds and images for boot firmware. Most of the examples here are for the IMX8MM SoC; if you are using the IMX8MN or IMX8MP it is assumed that you will understand to edit those device-tree files and use those defconfigs for example: arch/arm/dts/imx8m{m,n,p}* configs/imx8m{m,n,p}_venice_defconfig8 7 - Board Versions: Many of the steps here must be customized for your particular board, specifically the device-tree of the board. You will see many instructions here assuming 'imx8mm-venice-gw73xx-0x.dtb' - adjust as necessary. 9 - SoC Versions: The Venice family supports the IMX8MM, IMX8MN, and IMX8MP SoC's which have different boot firmware, different config files and different flash layouts. Please adjust as neccesary.10 8 - Support for Additional Security Measures: Unlike some other systems that support features like Trusted Platform Module (TPM), OP-TEE (Open Portable Trusted Execution Environment), or CAAM (Cryptographic Acceleration and Assurance Module) keys, Venice SBCs primarily rely on the signature node for secure boot operations. 11 9 - Building boot firmware stand-alone vs modifying the Venice BSP directory: In the examples here we feel it adds clarity to build the 'secure' boot firmware components ouside of the Venice BSP yet we use the toolchain, environment, and some artifacts of the Venice BSP and thus refer to '$VENICE_BSP' as the directory where you have the Venice BSP built on your development host. 10 - Memory Addresses: There are many memory addresses used here which correspond to where various objects get loaded into memory. See [wiki:venice/bootloader/#memmap] for some recomendations 11 - SoC specifics: The Gateworks Venice family of Single Board Computers supports IMX8MM, IMX8MN, and IMX8MP SoC's which vary quite a bit and create different binary builds and images for boot firmware. Most of the examples here are for the IMX8MM SoC; if you are using the IMX8MN or IMX8MP it is assumed that you will understand to edit those device-tree files and use those defconfigs for example: arch/arm/dts/imx8m{m,n,p}* configs/imx8m{m,n,p}_venice_defconfig. Also note that the different SoC's use different FLASH layouts: 12 ||= soc =||= boot device =||= SPL offset =||= defconfig =||= binman =|| 13 || imx8mm || emmc user || 33K || imx8mm_venice_defconfig || imx8mm-u-boot.dtsi || 14 || || emmc boot0/boot1 || 33K || 15 || imx8mn || emmc user || 32K || imx8mn_venice_defconfig || imx8mn-u-boot.dtsi || 16 || || emmc boot0/boot1 || 0K || 17 || imx8mp || emmc user || 32K || imx8mp_venice_defconfig || imx8mp-u-boot.dtsi || 18 || || emmc boot0/boot1 || 0K || 12 19 13 20 == Chain of Trust