Ventana: IMX6 HABv4 initial boot code is U-Boot SPLįor a secure U-Boot you want to disable the ability to stop autoboot and get to a U-Boot console.Newport: CN803x Trusted Boot initial boot code is Marvell BDK see newport/secure_boot.Venice: IMX8M HABv4: initial boot code is U-Boot SPL see venice/secure_boot.The initial boot code and how the various SoC manages secure boot varies per processor: Securing your product boot involves using SoC specific methods to verify the initial boot code that is fetched from the storage device and executed.
Filesystem encryption (if needed) unlocked by the kernel+initramfs.Kernel / FDT / initramfs images validated by U-Boot.U-Boot validated by the Boot firmware (ie SPL).Boot firmware (ie SPL) validated by embedded SoC BOOT ROM against signature hashes fused into one-time-programmable memory.
This can be accomplished on modern embedded System on Chip devices by creating a Chain of Trust.Ī Chain of Trust is established by validating each component of software to ensure that only trusted software can be used.įor a typical embedded Linux board the chain of trust may look like: Secure Boot refers to hardware and software that does not allow an attacker to obtain sensitive data or boot altered firmware. Securing the Kernel, FDT, ramdisk via FIT images.