[v6,8/8] docs: k3: Add secure booting documentation

Message ID	20231206-binman-firewalling-v6-8-e7fce13a6dc1@ti.com
State	Changes Requested
Delegated to:	Tom Rini
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Manorit Chawdhry <m-chawdhry@ti.com> Date: Wed, 6 Dec 2023 15:21:30 +0530 Subject: [PATCH v6 8/8] docs: k3: Add secure booting documentation MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Message-ID: <20231206-binman-firewalling-v6-8-e7fce13a6dc1@ti.com> References: <20231206-binman-firewalling-v6-0-e7fce13a6dc1@ti.com> In-Reply-To: <20231206-binman-firewalling-v6-0-e7fce13a6dc1@ti.com> To: Simon Glass <sjg@chromium.org>, Alper Nebi Yasak <alpernebiyasak@gmail.com>, Neha Malcom Francis <n-francis@ti.com>, Andrew Davis <afd@ti.com>, Vignesh Raghavendra <vigneshr@ti.com> CC: <u-boot@lists.denx.de>, Udit Kumar <u-kumar1@ti.com>, Praneeth Bajjuri <praneeth@ti.com>, Kamlesh Gurudasani <kamlesh@ti.com>, Nishanth Menon <nm@ti.com>, Thomas Richard <thomas.richard@bootlin.com>, Gregory CLEMENT <gregory.clement@bootlin.com>, Manorit Chawdhry <m-chawdhry@ti.com> Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	ATF and OP-TEE Firewalling for K3 devices. \| expand [v6,0/8] ATF and OP-TEE Firewalling for K3 devices. [v6,1/8] binman: ti-secure: Add support for firewalling entities [v6,2/8] binman: ftest: Add test for ti-secure firewall node [v6,3/8] binman: k3: Add k3-security.h and include it in k3-binman.dtsi [v6,4/8] binman: j721e: Add firewall configurations [v6,5/8] binman: j721s2: Add firewall configurations [v6,6/8] binman: j7200: Add firewall configurations [v6,7/8] docs: k3: Cleanup FIT signature documentation [v6,8/8] docs: k3: Add secure booting documentation

Message ID

20231206-binman-firewalling-v6-8-e7fce13a6dc1@ti.com

State

Changes Requested

Delegated to:

Tom Rini

Headers

From: Manorit Chawdhry <m-chawdhry@ti.com>
Date: Wed, 6 Dec 2023 15:21:30 +0530
Subject: [PATCH v6 8/8] docs: k3: Add secure booting documentation
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-ID: <20231206-binman-firewalling-v6-8-e7fce13a6dc1@ti.com>
References: <20231206-binman-firewalling-v6-0-e7fce13a6dc1@ti.com>
In-Reply-To: <20231206-binman-firewalling-v6-0-e7fce13a6dc1@ti.com>
To: Simon Glass <sjg@chromium.org>, Alper Nebi Yasak
 <alpernebiyasak@gmail.com>, Neha Malcom Francis <n-francis@ti.com>, Andrew
 Davis <afd@ti.com>, Vignesh Raghavendra <vigneshr@ti.com>
CC: <u-boot@lists.denx.de>, Udit Kumar <u-kumar1@ti.com>, Praneeth Bajjuri
 <praneeth@ti.com>, Kamlesh Gurudasani <kamlesh@ti.com>, Nishanth Menon
 <nm@ti.com>, Thomas Richard <thomas.richard@bootlin.com>, Gregory CLEMENT
 <gregory.clement@bootlin.com>, Manorit Chawdhry <m-chawdhry@ti.com>
Precedence: list
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Series

ATF and OP-TEE Firewalling for K3 devices. | expand

Commit Message

Manorit Chawdhry Dec. 6, 2023, 9:51 a.m. UTC

This commit adds a general flow to explain the usage of firewalls and
the chain of trust in K3 devices.

Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
---
 doc/board/ti/k3.rst | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

Comments

Andrew Davis Dec. 6, 2023, 4:41 p.m. UTC | #1

On 12/6/23 3:51 AM, Manorit Chawdhry wrote:
> This commit adds a general flow to explain the usage of firewalls and
> the chain of trust in K3 devices.
> 
> Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> ---
>   doc/board/ti/k3.rst | 45 +++++++++++++++++++++++++++++++++++++++++++++
>   1 file changed, 45 insertions(+)
> 
> diff --git a/doc/board/ti/k3.rst b/doc/board/ti/k3.rst
> index 947b86ba8292..60d04c5708be 100644
> --- a/doc/board/ti/k3.rst
> +++ b/doc/board/ti/k3.rst
> @@ -104,6 +104,51 @@ firmware can be loaded on the now free core in the wakeup domain.
>   For more information on the bootup process of your SoC, consult the
>   device specific boot flow documentation.
>   
> +Secure Boot
> +^^^^^^^^^^^
> +
> +K3 HS-SE devices are used for authenticated boot flow with secure boot.

How about:

K3 HS-SE devices enforce an authenticated boot flow for secure boot.

> +HS-FS devices have optional authentication in the flow and doesn't "require"
> +authentication unless converted to HS-SE devices.

HS-FS is the state of a K3 device before it has been eFused with
customer security keys. In the HS-FS state the authentication still
can function as in HS-SE but as there are no customer keys to verify
the signatures against the authentication will pass for certificates
signed with any key.

> +
> +Chain of trust
> +""""""""""""""
> +
> +1) SMS starts up and loads the authenticated ROM code in Wakeup Domain
> +2) ROM code starts up and loads the authenticated tiboot3.bin in Wakeup
> +   Domain
> +3) Wakeup SPL (tiboot3.bin) would authenticate the next set of binaries
> +   (ATF,OP-TEE,DM,SPL,etc.)
> +4) After ATF and OP-TEE load, ARMV8 U-boot authenticates the next set of
> +   binaries (Linux and DTBs) if using FIT Image authentication and having a
> +   signature node in U-boot.


This might be better said like this:

1) Public ROM loads the tiboot3.bin (R5 SPL, TIFS)
2) R5 SPL loads tispl.bin (ATF, OP-TEE, DM, SPL)
3) SPL loads u-boot.img (U-Boot)
4) U-Boot loads fitImage (Linux and DTBs)

Each stage authenticating (and optionally decrypting) while loading is
implied by the following sentences below, no need to repeat each time.

Plus the use of "ROM" is confusing, we have two ROMs in K3 (Secure ROM
and Public ROM), you should always be specific.

> +
> +Steps 1-3 are all authenticated by either the ROM code or TIFS as the

s/ROM code/Secure ROM

> +authenticating entity and step 4 uses U-boot standard mechanism for
> +authenticating.
> +
> +All the authentication that are done for ROM/TIFS are done through x509
> +certificates that are signed.
> +
> +Firewalls
> +"""""""""
> +
> +1) ROM comes up and sets up firewalls that are needed by itself

Secure ROM

> +2) TIFS (in multicertificate will setup it's own firewalls)

TIFS sets up it's own firewalls in either case.

> +3) R5 SPL comes along and opens up other firewalls ( that are not owned by
> +   anyone - essentially firewalls that were setup by ROM but are not needed
> +   anymore)

How about:

3) R5 SPL will remove any firewalls that are leftover from the Secure ROM stage
that are no longer required.

> +4) Each stage beyond this: such as tispl.bin containing TFA/OPTEE uses OIDs to
> +   set up firewalls to protect themselves (enforced by TIFS)
> +5) TFA/OP-TEE can configure other firewalls at runtime if required as they
> +   are already authenticated and firewalled off from illegal access.
> +6) A53 SPL and U-boot itself startups but has no ability to change the
> +   protection firewalls enforced by x509 OIDs or any other firewalls
> +   configured by ROM/TIFS in the beginning.

6) All later stages can setup or remove firewalls that have not been already
configured by previous stages, such as those created by TIFS, TFA, and OP-TEE.

> +
> +Futhur, firewalls have a lockdown bit in hardware that enforces the setting
> +(and cannot be over-ridden) till the full system is resetted.

s/till/until
s/resetted/reset

Andrew

> +
>   Software Sources
>   ----------------
>   
>

Manorit Chawdhry Dec. 29, 2023, 10:49 a.m. UTC | #2

Hi Andrew,

On 10:41-20231206, Andrew Davis wrote:
> On 12/6/23 3:51 AM, Manorit Chawdhry wrote:
> > This commit adds a general flow to explain the usage of firewalls and
> > the chain of trust in K3 devices.
> > 
> > Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
> > ---
> >   doc/board/ti/k3.rst | 45 +++++++++++++++++++++++++++++++++++++++++++++
> >   1 file changed, 45 insertions(+)
> > 
> > diff --git a/doc/board/ti/k3.rst b/doc/board/ti/k3.rst
> > index 947b86ba8292..60d04c5708be 100644
> > --- a/doc/board/ti/k3.rst
> > +++ b/doc/board/ti/k3.rst
> > @@ -104,6 +104,51 @@ firmware can be loaded on the now free core in the wakeup domain.
> >   For more information on the bootup process of your SoC, consult the
> >   device specific boot flow documentation.
> > +Secure Boot
> > +^^^^^^^^^^^
> > +
> > +K3 HS-SE devices are used for authenticated boot flow with secure boot.
> 
> How about:
> 
> K3 HS-SE devices enforce an authenticated boot flow for secure boot.
> 
> > +HS-FS devices have optional authentication in the flow and doesn't "require"
> > +authentication unless converted to HS-SE devices.
> 
> HS-FS is the state of a K3 device before it has been eFused with
> customer security keys. In the HS-FS state the authentication still
> can function as in HS-SE but as there are no customer keys to verify
> the signatures against the authentication will pass for certificates
> signed with any key.
> 
> > +
> > +Chain of trust
> > +""""""""""""""
> > +
> > +1) SMS starts up and loads the authenticated ROM code in Wakeup Domain
> > +2) ROM code starts up and loads the authenticated tiboot3.bin in Wakeup
> > +   Domain
> > +3) Wakeup SPL (tiboot3.bin) would authenticate the next set of binaries
> > +   (ATF,OP-TEE,DM,SPL,etc.)
> > +4) After ATF and OP-TEE load, ARMV8 U-boot authenticates the next set of
> > +   binaries (Linux and DTBs) if using FIT Image authentication and having a
> > +   signature node in U-boot.
> 
> 
> This might be better said like this:
> 
> 1) Public ROM loads the tiboot3.bin (R5 SPL, TIFS)
> 2) R5 SPL loads tispl.bin (ATF, OP-TEE, DM, SPL)
> 3) SPL loads u-boot.img (U-Boot)
> 4) U-Boot loads fitImage (Linux and DTBs)
> 
> Each stage authenticating (and optionally decrypting) while loading is
> implied by the following sentences below, no need to repeat each time.
> 
> Plus the use of "ROM" is confusing, we have two ROMs in K3 (Secure ROM
> and Public ROM), you should always be specific.
> 
> > +
> > +Steps 1-3 are all authenticated by either the ROM code or TIFS as the
> 
> s/ROM code/Secure ROM
> 
> > +authenticating entity and step 4 uses U-boot standard mechanism for
> > +authenticating.
> > +
> > +All the authentication that are done for ROM/TIFS are done through x509
> > +certificates that are signed.
> > +
> > +Firewalls
> > +"""""""""
> > +
> > +1) ROM comes up and sets up firewalls that are needed by itself
> 
> Secure ROM
> 
> > +2) TIFS (in multicertificate will setup it's own firewalls)
> 
> TIFS sets up it's own firewalls in either case.
> 
> > +3) R5 SPL comes along and opens up other firewalls ( that are not owned by
> > +   anyone - essentially firewalls that were setup by ROM but are not needed
> > +   anymore)
> 
> How about:
> 
> 3) R5 SPL will remove any firewalls that are leftover from the Secure ROM stage
> that are no longer required.
> 
> > +4) Each stage beyond this: such as tispl.bin containing TFA/OPTEE uses OIDs to
> > +   set up firewalls to protect themselves (enforced by TIFS)
> > +5) TFA/OP-TEE can configure other firewalls at runtime if required as they
> > +   are already authenticated and firewalled off from illegal access.
> > +6) A53 SPL and U-boot itself startups but has no ability to change the
> > +   protection firewalls enforced by x509 OIDs or any other firewalls
> > +   configured by ROM/TIFS in the beginning.
> 
> 6) All later stages can setup or remove firewalls that have not been already
> configured by previous stages, such as those created by TIFS, TFA, and OP-TEE.
> 
> > +
> > +Futhur, firewalls have a lockdown bit in hardware that enforces the setting
> > +(and cannot be over-ridden) till the full system is resetted.
> 
> s/till/until
> s/resetted/reset
> 

Have incorporated the suggested changes, Thanks!

Regards,
Manorit

> Andrew
> 
> > +
> >   Software Sources
> >   ----------------
> >

diff --git a/doc/board/ti/k3.rst b/doc/board/ti/k3.rst
index 947b86ba8292..60d04c5708be 100644
--- a/doc/board/ti/k3.rst
+++ b/doc/board/ti/k3.rst
@@ -104,6 +104,51 @@  firmware can be loaded on the now free core in the wakeup domain.
 For more information on the bootup process of your SoC, consult the
 device specific boot flow documentation.
 
+Secure Boot
+^^^^^^^^^^^
+
+K3 HS-SE devices are used for authenticated boot flow with secure boot.
+HS-FS devices have optional authentication in the flow and doesn't "require"
+authentication unless converted to HS-SE devices.
+
+Chain of trust
+""""""""""""""
+
+1) SMS starts up and loads the authenticated ROM code in Wakeup Domain
+2) ROM code starts up and loads the authenticated tiboot3.bin in Wakeup
+   Domain
+3) Wakeup SPL (tiboot3.bin) would authenticate the next set of binaries
+   (ATF,OP-TEE,DM,SPL,etc.)
+4) After ATF and OP-TEE load, ARMV8 U-boot authenticates the next set of
+   binaries (Linux and DTBs) if using FIT Image authentication and having a
+   signature node in U-boot.
+
+Steps 1-3 are all authenticated by either the ROM code or TIFS as the
+authenticating entity and step 4 uses U-boot standard mechanism for
+authenticating.
+
+All the authentication that are done for ROM/TIFS are done through x509
+certificates that are signed.
+
+Firewalls
+"""""""""
+
+1) ROM comes up and sets up firewalls that are needed by itself
+2) TIFS (in multicertificate will setup it's own firewalls)
+3) R5 SPL comes along and opens up other firewalls ( that are not owned by
+   anyone - essentially firewalls that were setup by ROM but are not needed
+   anymore)
+4) Each stage beyond this: such as tispl.bin containing TFA/OPTEE uses OIDs to
+   set up firewalls to protect themselves (enforced by TIFS)
+5) TFA/OP-TEE can configure other firewalls at runtime if required as they
+   are already authenticated and firewalled off from illegal access.
+6) A53 SPL and U-boot itself startups but has no ability to change the
+   protection firewalls enforced by x509 OIDs or any other firewalls
+   configured by ROM/TIFS in the beginning.
+
+Futhur, firewalls have a lockdown bit in hardware that enforces the setting
+(and cannot be over-ridden) till the full system is resetted.
+
 Software Sources
 ----------------

[v6,8/8] docs: k3: Add secure booting documentation

Commit Message

Comments

Patch