TFM_00_01 - Secure Bootloader
About
The purpose of this activity is to provide a secure boot implementation for RISC-V microcontrollers and other embedded processors, typically running in M-mode or M+U-modes.
The scope is the "root initial boot code" (running in M-mode), responsible for a secure transition:
- First code executing on processor after release from reset
- Basic system initialisation (for example, memory)
- Load and hand over to root firmware (typically to U-Boot or similar, which then loads the rest of the root firmware)
Components
The implementation is an adaptation of the Trusted Firmware-M (TF-M) secure bootloader, ported to RISC-V and extended to meet our immediate requirements.
The full TF-M runtime is not (yet) ported. It would provide services such as initial attestation, crypto primitives, protected or internal trusted storage, firmware upgrades and key management.
RISC-V specific changes
- Support for a RISC-V toolchain (initially assumed to be the Catapult SDK)
- RISC-V updates to common linker scripts, including symbols used by the Catapult SDK standard libraries
- RISC-V variants for all inline assembly and defines used by the bootloaders
- Minimal RISC-V platform support, including build files, start-up code, linker scripts, platform and HAL support
ISA-agnostic improvements and new features
- Support for encryption of BL1_2 stage
- Support for test run and revert of BL2 image upgrades
- Support for test run and revert of FW image upgrades (stage following bootloaders) (*)
- SW-only key derivation function for decryption keys
- Option to disable build of TF-M runtime (secure firmware)
- Provisioning and transition to secured state from BL2, if TF-M runtime is disabled
(*) Note: based on existing code for a different upgrade mechanism
Status
Updates
- This work was completed in December 2024 and will now be upstreamed
- Project reported as priority for 2H23