8.7. Developing with High Security Devices
8.7.1. Introduction
The K3 security architecture supports different “Device Types” controlled by eFuse settings programmed during device manufacturing. Each Device Type offers different capabilities for Debug and Emulation as well as different behavior in functional operating modes. Depending on the Device Type, some security mechanisms are relaxed or enforced.
J721E supports the General Purpose (GP) and High Security (HS) device types. The high-level differences between these device types are:
GENERAL PURPOSE (GP): The device is not capable of secure operation. Security features are transparent and do not affect operation, either functionally or for Debug. However, secrets such as the secure ROM code, secure keys and other secure peripherals are not accessible.
HIGH SECURITY (HS): In an HS-SE device, all security features are enabled, all secrets within the device are fully protected, all of the security goals are fully enforced, the debug override sequence is supported, and the device forces secure booting.
The scope of this developer note is to point to the steps for building bootloaders and applications and running them on HS devices.
8.7.2. Documentation References
8.7.2.1. Linux Guides to work with HS devices

| SDK Component | Documentation | Description | Section |
|---|---|---|---|
| uboot | | Overview of boot flow and steps to build u-boot and boot on GP devices | Boot Flow |
| uboot | https://github.com/u-boot/u-boot/blob/master/doc/README.ti-secure | Steps to build u-boot and boot on HS devices | Invoking the script for K3 Secure Devices |
| k3-image-gen | https://git.ti.com/cgit/k3-image-gen/k3-image-gen/tree/README.md | Steps to create an image tree blob (a.k.a. FIT image) on GP Devices | Building SYSFW Image and Configuration Data |
| k3-image-gen | https://git.ti.com/cgit/k3-image-gen/k3-image-gen/tree/README.md | Steps to create an image tree blob (a.k.a. FIT image) on HS Devices | Building SYSFW Image for High-Security(HS) devices |

8.7.2.2. RTOS Guides to work with HS devices

| SDK Component | Documentation | Description | Section |
|---|---|---|---|
| SBL | | Bootloader Execution Sequence (Sequence of steps from ROM to SBL to Application) | |
| SBL | | Build steps to create an SBL Image for GP devices | |
| SBL | | Steps to enable and disable JTAG for HS devices | |
| SBL | | Steps to prepare boot media for GP and HS devices | |

8.7.3. PDK steps for HS Devices
The steps to build HS SBL and HS Uniflash Programmer are as below:
Building HS SBL
cd <pdk_install_dir>/packages/ti/build
make -s sbl_<bootmode>_img_hs BOARD=$BOARD
where <bootmode> is one of mmcsd, ospi, hyperflash, or uart.
This generates the HS SBL images under the <pdk_install_dir>/packages/ti/boot/sbl/binary/<$BOARD>_hs folder.
Building HS Uniflash programmer
The steps are similar to those for the SBL; provide “board_utils_uart_flash_programmer_hs” as the make target instead.
This generates the HS Uniflash programmer image under the <pdk_install_dir>/packages/ti/board/utils/uniflash/target/bin/<$BOARD>_hs folder.
8.7.4. Linux SPL steps for HS Devices
Refer to the developer note “Using Processor SDK Linux with Processor SDK RTOS”.