Commit e43f8b60fbcebee3c4fd8497ac2e52d6c31c029b
Committed by
Ye Li
Ye Li
1 parent
bc0c0c9a7f
Exists in
smarc_8mq-imx_v2020.04_5.4.24_2.1.0
and in
3 other branches
MLK-20935-2 doc: imx: ahab: Include ahab_close command
Since commit 771b824728ca ("MLK-20919 imx8: ahab: Add command to
close the chip") the U-Boot is able to move the lifecycle from
NXP closed to OEM closed.
Update AHAB guides to use U-Boot ahab_close command instead of SCFW CLI.
As the procedure is now independent of SCFW terminal we can remove
this condition from documentation.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit 6f93d877e1454024f666a4810d24148cf595429e)
(cherry picked from commit 4f6bc59ff94de150611d82b45365d24d356f30ef)
Showing 2 changed files with 17 additions and 27 deletions Side-by-side Diff
doc/imx/ahab/guides/mx8_mx8x_secure_boot.txt
| ... | ... | @@ -27,8 +27,7 @@ |
| 27 | 27 | - SECO firmware downloaded. |
| 28 | 28 | - U-Boot downloaded and built. Please check section 1.2. |
| 29 | 29 | - ARM Trusted Firmware (ATF) downloaded and built for your target. |
| 30 | -- System Controller Firmware (SCFW) downloaded and built for your board | |
| 31 | - with debug monitor enabled. | |
| 30 | +- System Controller Firmware (SCFW). | |
| 32 | 31 | - Kernel image. |
| 33 | 32 | |
| 34 | 33 | You should also have downloaded the Code Signing Tool, available on NXP |
| 35 | 34 | |
| ... | ... | @@ -198,12 +197,8 @@ |
| 198 | 197 | $ sudo dd if=flash.signed.bin of=/dev/sdX bs=1k seek=32 ; sync |
| 199 | 198 | |
| 200 | 199 | Then insert the SD Card into the board and plug your device to your computer |
| 201 | -with an USB serial cable. When you power on the board, you should have two | |
| 202 | -serial consoles: one for U-Boot, another one for SCFW. | |
| 200 | +with an USB serial cable. | |
| 203 | 201 | |
| 204 | -Please note that SCU console may be replaced by the M4 console. In case the M4 | |
| 205 | -image is needed, a base board will be required to access the SCU console. | |
| 206 | - | |
| 207 | 202 | 1.5.4 Programming SRK Hash |
| 208 | 203 | --------------------------- |
| 209 | 204 | |
| 210 | 205 | |
| 211 | 206 | |
| 212 | 207 | |
| 213 | 208 | |
| ... | ... | @@ -297,17 +292,17 @@ |
| 297 | 292 | |
| 298 | 293 | After the device successfully boots a signed image without generating any |
| 299 | 294 | SECO security events, it is safe to close the device. The SECO lifecycle |
| 300 | -should be changed from 32 (0x20) NXP open to 128 (0x80) OEM closed. Be | |
| 301 | -aware this step can damage your board if a previous step failed. It is | |
| 302 | -also irreversible. Run on the SCFW terminal: | |
| 295 | +should be changed from 0x20 NXP closed to 0x80 OEM closed. Be aware this | |
| 296 | +step can damage your board if a previous step failed. It is also | |
| 297 | +irreversible. Run on the U-Boot terminal: | |
| 303 | 298 | |
| 304 | - >$ seco lifecycle 16 | |
| 299 | + => ahab_close | |
| 305 | 300 | |
| 306 | -Now reboot the target, and on the same terminal, run: | |
| 301 | +Now reboot the target, and run: | |
| 307 | 302 | |
| 308 | - >$ seco info | |
| 303 | + => ahab_status | |
| 309 | 304 | |
| 310 | -The lifecycle value should now be 128 (0x80) OEM closed. | |
| 305 | +The lifecycle value should now be 0x80 OEM closed. | |
| 311 | 306 | |
| 312 | 307 | 2. Authenticating the OS container |
| 313 | 308 | ----------------------------------- |
doc/imx/ahab/guides/mx8_mx8x_spl_secure_boot.txt
| ... | ... | @@ -23,7 +23,7 @@ |
| 23 | 23 | - SECO Firmware. |
| 24 | 24 | - U-Boot proper and SPL. (Please refer to section 1.2) |
| 25 | 25 | - ARM Trusted Firmware (ATF). |
| 26 | -- System Controller Firmware (SCFW) with debug monitor enabled. | |
| 26 | +- System Controller Firmware (SCFW). | |
| 27 | 27 | - Cortex M binary. (Optional) |
| 28 | 28 | - Kernel image. (Optional) |
| 29 | 29 | - Code signing tools (CST). |
| ... | ... | @@ -240,11 +240,6 @@ |
| 240 | 240 | |
| 241 | 241 | $ sudo dd if=signed-flash.bin of=/dev/sd<X> bs=1k seek=32 && sync |
| 242 | 242 | |
| 243 | -For the next steps you should be able to see U-Boot and SCFW consoles in your | |
| 244 | -host PC. Please note that SCU console may be replaced by the M4 console, in | |
| 245 | -case the M4 image is needed a base board will be required to access the SCU | |
| 246 | -console. | |
| 247 | - | |
| 248 | 243 | 1.6 Programming SRK Hash |
| 249 | 244 | ------------------------- |
| 250 | 245 | |
| 251 | 246 | |
| 252 | 247 | |
| 253 | 248 | |
| 254 | 249 | |
| ... | ... | @@ -339,17 +334,17 @@ |
| 339 | 334 | |
| 340 | 335 | After the device successfully boots a signed image without generating any |
| 341 | 336 | SECO security events, it is safe to close the device. The SECO lifecycle |
| 342 | -should be changed from 32 (0x20) NXP open to 128 (0x80) OEM closed. Be | |
| 343 | -aware this step can damage your board if a previous step failed. It is | |
| 344 | -also irreversible. Run on the SCFW terminal: | |
| 337 | +should be changed from 0x20 NXP closed to 0x80 OEM closed. Be aware this | |
| 338 | +step can damage your board if a previous step failed. It is also | |
| 339 | +irreversible. Run on the U-Boot terminal: | |
| 345 | 340 | |
| 346 | - >$ seco lifecycle 16 | |
| 341 | + => ahab_close | |
| 347 | 342 | |
| 348 | -Now reboot the target, and on the same terminal, run: | |
| 343 | +Now reboot the target, and run: | |
| 349 | 344 | |
| 350 | - >$ seco info | |
| 345 | + => ahab_status | |
| 351 | 346 | |
| 352 | -The lifecycle value should now be 128 (0x80) OEM closed. | |
| 347 | +The lifecycle value should now be 0x80 OEM closed. | |
| 353 | 348 | |
| 354 | 349 | 2. Authenticating the OS container |
| 355 | 350 | ----------------------------------- |