8.7. Developing with High Security Devices

8.7.1. Introduction

The K3 security architecture supports different “Device Types” controlled by eFuse settings programmed during device manufacturing. Each Device Type offers different capabilities for Debug and Emulation as well as different behavior in functional operating modes. Depending on the Device Type, some security mechanisms are relaxed or enforced.

J721E supports two device types: General Purpose (GP) and High Security (HS). The high-level differences between them are:

  • GENERAL PURPOSE (GP): The device is not capable of secure operation. Security features are transparent and do not affect operation, either functionally or for Debug. However, secrets such as the secure ROM code, secure keys and other secure peripherals are not accessible.

  • HIGH SECURITY (HS): In an HS-SE device, all security features are enabled, all secrets within the device are fully protected, all of the security goals are fully enforced, the debug override sequence is supported and the device forces secure booting.

This developer note points to the steps for building bootloaders/applications and running them on HS devices.

8.7.2. Documentation References

8.7.2.1. Linux Guides to work with HS devices

| SDK Component | Documentation | Description | Section |
|---|---|---|---|
| uboot | https://software-dl.ti.com/jacinto7/esd/processor-sdk-linux-jacinto7/latest/exports/docs/linux/Foundational_Components_U-Boot.html | Overview of boot flow and steps to build u-boot and boot on GP devices | Boot Flow |
| uboot | https://github.com/u-boot/u-boot/blob/master/doc/README.ti-secure | Steps to build u-boot and boot on HS devices | Invoking the script for K3 Secure Devices |
| k3-image-gen | https://git.ti.com/cgit/k3-image-gen/k3-image-gen/tree/README.md | Steps to create an image tree blob (a.k.a. FIT image) on GP Devices | Building SYSFW Image and Configuration Data |
| k3-image-gen | https://git.ti.com/cgit/k3-image-gen/k3-image-gen/tree/README.md | Steps to create an image tree blob (a.k.a. FIT image) on HS Devices | Building SYSFW Image for High-Security(HS) devices |

8.7.2.2. RTOS Guides to work with HS devices

| SDK Component | Documentation | Description | Section |
|---|---|---|---|
| SBL | LINK | Bootloader Execution Sequence (sequence of steps from ROM to SBL to Application) | 1. Bootloader (SBL) » 5.2. Jacinto 7 SBL >> Bootloader Execution Sequence |
| SBL | LINK | Build steps to create an SBL Image for GP devices | 1. Bootloader (SBL) » 5.2. Jacinto 7 SBL >> Building the SBL and its components |
| SBL | LINK | Steps to enable and disable JTAG for HS devices | 1. Bootloader (SBL) » 5.2. Jacinto 7 SBL >> Enabling/Disabling JTAG on secure devices |
| SBL | LINK | Steps to prepare boot media for GP and HS devices | 1. Bootloader (SBL) » 5.2. Jacinto 7 SBL >> Compiling apps that can be loaded by SBL |

8.7.3. PDK steps for HS Devices

The steps to build the HS SBL and the HS Uniflash programmer are as follows:

  • Building HS SBL

 cd <pdk_install_dir>/packages/ti/build
 make -s sbl_<bootmode>_img_hs BOARD=$BOARD

    where <bootmode> is one of mmcsd, ospi, hyperflash or uart. This generates the HS SBL images under the <pdk_install_dir>/packages/ti/boot/sbl/binary/<$BOARD>_hs folder.

  • Building HS Uniflash programmer

    The steps are the same as for the SBL, but use the make target “board_utils_uart_flash_programmer_hs” instead. This generates the HS Uniflash programmer image under the <pdk_install_dir>/packages/ti/board/utils/uniflash/target/bin/<$BOARD>_hs folder.
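The build steps above as a wrapper script, added here as an example and not part of the PDK or the original page: it rejects boot modes other than the four listed and fails if either `_hs` output folder is empty after the build, so a GP image is not picked up by mistake. The function names are hypothetical; the make targets and folder paths are the ones given above.

```shell
#!/bin/sh
# Added example (not PDK code): build both HS targets and confirm that the
# HS output folders were populated. Function names are hypothetical.

HS_BOOTMODES="mmcsd ospi hyperflash uart"   # boot modes listed on this page

# Print the HS SBL make target for a boot mode; return 1 for an unlisted mode.
hs_sbl_target() {
    for m in $HS_BOOTMODES; do
        if [ "$m" = "$1" ]; then
            printf 'sbl_%s_img_hs\n' "$1"
            return 0
        fi
    done
    echo "unsupported boot mode: $1" >&2
    return 1
}

# Output folders as documented above: <pdk_install_dir> is $1, board is $2.
hs_sbl_outdir() { printf '%s/packages/ti/boot/sbl/binary/%s_hs\n' "$1" "$2"; }
hs_uniflash_outdir() { printf '%s/packages/ti/board/utils/uniflash/target/bin/%s_hs\n' "$1" "$2"; }

# Succeed only if the folder exists and holds at least one regular file.
has_artifacts() {
    [ -d "$1" ] && [ -n "$(find "$1" -type f 2>/dev/null | head -n 1)" ]
}

# usage: build_hs <pdk_install_dir> <board> <bootmode>
build_hs() {
    pdk=$1; board=$2
    target=$(hs_sbl_target "$3") || return 1
    # Subshell keeps the caller's working directory unchanged.
    ( cd "$pdk/packages/ti/build" &&
      make -s "$target" BOARD="$board" &&
      make -s board_utils_uart_flash_programmer_hs BOARD="$board" ) || return 1
    has_artifacts "$(hs_sbl_outdir "$pdk" "$board")" ||
        { echo "no HS SBL image produced" >&2; return 1; }
    has_artifacts "$(hs_uniflash_outdir "$pdk" "$board")" ||
        { echo "no HS Uniflash programmer image produced" >&2; return 1; }
}

# Run the build only when called with all three arguments.
if [ "$#" -eq 3 ]; then
    build_hs "$@"
fi
```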

8.7.4. Linux SPL steps for HS Devices