diff --git a/configs/AM62AX/AM62AX_linux_toc.txt b/configs/AM62AX/AM62AX_linux_toc.txt
index 3f046d774..1711340bc 100644
--- a/configs/AM62AX/AM62AX_linux_toc.txt
+++ b/configs/AM62AX/AM62AX_linux_toc.txt
@@ -93,6 +93,7 @@ linux/Foundational_Components/Power_Management/pm_wakeup_sources
 linux/Foundational_Components/Power_Management/pm_sw_arch
 linux/Foundational_Components/Power_Management/pm_debug
+linux/Foundational_Components/System_Security/Security_overview
 linux/Foundational_Components/System_Security/SELinux
 linux/Foundational_Components/System_Security/Auth_boot
diff --git a/configs/AM62LX/AM62LX_linux_toc.txt b/configs/AM62LX/AM62LX_linux_toc.txt
index a1e6775c2..f0462587b 100644
--- a/configs/AM62LX/AM62LX_linux_toc.txt
+++ b/configs/AM62LX/AM62LX_linux_toc.txt
@@ -78,6 +78,7 @@ linux/Foundational_Components/Power_Management/pm_cpuidle
 linux/Foundational_Components/Power_Management/pm_am62lx_low_power_modes
 linux/Foundational_Components/Power_Management/pm_wakeup_sources
+linux/Foundational_Components/System_Security/Security_overview
 #linux/Foundational_Components/System_Security/SELinux
 linux/Foundational_Components/System_Security/Auth_boot
diff --git a/configs/AM62PX/AM62PX_linux_toc.txt b/configs/AM62PX/AM62PX_linux_toc.txt
index 9a2523cb4..e875759b6 100644
--- a/configs/AM62PX/AM62PX_linux_toc.txt
+++ b/configs/AM62PX/AM62PX_linux_toc.txt
@@ -98,6 +98,7 @@ linux/Foundational_Components/Power_Management/pm_wakeup_sources
 linux/Foundational_Components/Power_Management/pm_sw_arch
 linux/Foundational_Components/Power_Management/pm_debug
+linux/Foundational_Components/System_Security/Security_overview
 linux/Foundational_Components/System_Security/SELinux
 linux/Foundational_Components/System_Security/Auth_boot
diff --git a/configs/AM62X/AM62X_linux_toc.txt b/configs/AM62X/AM62X_linux_toc.txt
index 5bc0860c9..251919bbf 100644
--- a/configs/AM62X/AM62X_linux_toc.txt
+++ b/configs/AM62X/AM62X_linux_toc.txt
@@ -95,6 +95,7 @@ linux/Foundational_Components/Power_Management/pm_wakeup_sources
 linux/Foundational_Components/Power_Management/pm_sw_arch
 linux/Foundational_Components/Power_Management/pm_debug
+linux/Foundational_Components/System_Security/Security_overview
 linux/Foundational_Components/System_Security/SELinux
 linux/Foundational_Components/System_Security/Auth_boot
diff --git a/configs/AM64X/AM64X_linux_toc.txt b/configs/AM64X/AM64X_linux_toc.txt
index 767fecc94..664a75fa3 100644
--- a/configs/AM64X/AM64X_linux_toc.txt
+++ b/configs/AM64X/AM64X_linux_toc.txt
@@ -82,6 +82,7 @@ linux/Foundational_Components_Kernel_Users_Guide
 linux/Foundational_Components_Kernel_LTP-DDT_Validation
 linux/Foundational_Components_Kernel_FAQs
 linux/Foundational_Components_Security
+linux/Foundational_Components/System_Security/Security_overview
 linux/Foundational_Components_Machine_Learning
 linux/Foundational_Components/Machine_Learning/arm_compute_library
 linux/Foundational_Components/Machine_Learning/armnn
diff --git a/configs/J7200/J7200_linux_toc.txt b/configs/J7200/J7200_linux_toc.txt
index 5ea85d6e3..696a4252c 100644
--- a/configs/J7200/J7200_linux_toc.txt
+++ b/configs/J7200/J7200_linux_toc.txt
@@ -81,6 +81,8 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/VTM
 linux/Foundational_Components_Kernel_Users_Guide
 linux/Foundational_Components_Kernel_LTP-DDT_Validation
 linux/Foundational_Components_Kernel_FAQs
+linux/Foundational_Components_Security
+linux/Foundational_Components/System_Security/Security_overview
 linux/Foundational_Components_Filesystem
 linux/Foundational_Components_Tools
 linux/Foundational_Components/Tools/Development_Tools
diff --git a/configs/J721E/J721E_linux_toc.txt b/configs/J721E/J721E_linux_toc.txt
index 3db378164..d2659ce33 100644
--- a/configs/J721E/J721E_linux_toc.txt
+++ b/configs/J721E/J721E_linux_toc.txt
@@ -87,6 +87,8 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/VTM
 linux/Foundational_Components_Kernel_Users_Guide
 linux/Foundational_Components_Kernel_LTP-DDT_Validation
 linux/Foundational_Components_Kernel_FAQs
+linux/Foundational_Components_Security
+linux/Foundational_Components/System_Security/Security_overview
 linux/Foundational_Components_Filesystem
 linux/Foundational_Components_Tools
 linux/Foundational_Components/Tools/Development_Tools
diff --git a/configs/J721S2/J721S2_linux_toc.txt b/configs/J721S2/J721S2_linux_toc.txt
index 2486b18dd..dd30cf820 100644
--- a/configs/J721S2/J721S2_linux_toc.txt
+++ b/configs/J721S2/J721S2_linux_toc.txt
@@ -87,6 +87,8 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/VTM
 linux/Foundational_Components_Kernel_Users_Guide
 linux/Foundational_Components_Kernel_LTP-DDT_Validation
 linux/Foundational_Components_Kernel_FAQs
+linux/Foundational_Components_Security
+linux/Foundational_Components/System_Security/Security_overview
 linux/Foundational_Components_Filesystem
 linux/Foundational_Components_Tools
 linux/Foundational_Components/Tools/Development_Tools
diff --git a/configs/J722S/J722S_linux_toc.txt b/configs/J722S/J722S_linux_toc.txt
index c2873e605..45115a6aa 100644
--- a/configs/J722S/J722S_linux_toc.txt
+++ b/configs/J722S/J722S_linux_toc.txt
@@ -83,6 +83,8 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/VTM
 linux/Foundational_Components_Kernel_Users_Guide
 linux/Foundational_Components_Kernel_LTP-DDT_Validation
 linux/Foundational_Components_Kernel_FAQs
+linux/Foundational_Components_Security
+linux/Foundational_Components/System_Security/Security_overview
 linux/Foundational_Components_Filesystem
 linux/Foundational_Components_Tools
 linux/Foundational_Components/Tools/Development_Tools
diff --git a/configs/J742S2/J742S2_linux_toc.txt b/configs/J742S2/J742S2_linux_toc.txt
index 942269e6d..992d1e91b 100644
--- a/configs/J742S2/J742S2_linux_toc.txt
+++ b/configs/J742S2/J742S2_linux_toc.txt
@@ -86,6 +86,8 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/VTM
 linux/Foundational_Components_Kernel_Users_Guide
 linux/Foundational_Components_Kernel_LTP-DDT_Validation
 linux/Foundational_Components_Kernel_FAQs
+linux/Foundational_Components_Security
+linux/Foundational_Components/System_Security/Security_overview
 linux/Foundational_Components_Filesystem
 linux/Foundational_Components_Tools
 linux/Foundational_Components/Tools/Development_Tools
diff --git a/configs/J784S4/J784S4_linux_toc.txt b/configs/J784S4/J784S4_linux_toc.txt
index dfa0996f6..a90e55d01 100644
--- a/configs/J784S4/J784S4_linux_toc.txt
+++ b/configs/J784S4/J784S4_linux_toc.txt
@@ -87,6 +87,8 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/VTM
 linux/Foundational_Components_Kernel_Users_Guide
 linux/Foundational_Components_Kernel_LTP-DDT_Validation
 linux/Foundational_Components_Kernel_FAQs
+linux/Foundational_Components_Security
+linux/Foundational_Components/System_Security/Security_overview
 linux/Foundational_Components_Filesystem
 linux/Foundational_Components_Tools
 linux/Foundational_Components/Tools/Development_Tools
diff --git a/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst b/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst
index d3df0f0f1..ea19aaa37 100644
--- a/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst
+++ b/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst
@@ -1,4 +1,5 @@
 .. _DTHEv2-Crypto-Accelerator:
+.. _crypto-accelerator:
 ######
 Crypto
diff --git a/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst b/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst
index 0f67d8998..2817e6307 100644
--- a/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst
+++ b/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst
@@ -1,3 +1,6 @@
+.. _SAUL-Crypto-Accelerator:
+.. _crypto-accelerator:
+
 ######
 Crypto
 ######
diff --git a/source/linux/Foundational_Components/System_Security/Security_overview.rst b/source/linux/Foundational_Components/System_Security/Security_overview.rst
new file mode 100644
index 000000000..578505d03
--- /dev/null
+++ b/source/linux/Foundational_Components/System_Security/Security_overview.rst
@@ -0,0 +1,102 @@ +.. _Security_overview: + +############### +Device Security +############### + +================= +Security Overview +================= + +The |__PART_FAMILY_DEVICE_NAMES__| SoC offers a comprehensive set of +security features that protect embedded Linux applications. This guide +offers a starting point to understand and implement these capabilities +as part of product development, with the following advantages: + +* **Hardware-backed security** - Leverages built-in security hardware + for robust protection +* **Defense in-depth** - Implements security at many levels including + hardware, firmware, software to protect against wide range of attacks +* **Industry standards compliance** - Incorporates security measures such + as secure boot, TrustZone, and crypto acceleration that can help meet + requirements in standards such as IEC 62443 and NIST guidelines +* **Flexible implementation** - Allows security features that can be + tailored to specific application needs + +================ +Security Domains +================ + +Below is an overview of the security framework's main domains: + +.. figure:: ./images/security_framework.png + +These security domains create a chain of trust protecting the +|__PART_FAMILY_DEVICE_NAMES__| SoC from boot through runtime and storage, +ensuring system integrity and data confidentiality. + +============================= +Security Features at a Glance +============================= + +The following table lists some of the key Security Features: + +.. 
ifconfig:: CONFIG_part_variant in ('AM62LX') + + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + | **Security Feature** | **Description** | **Links** | + +=========================+===========================================================+======================================+ + | **Authenticated Boot** | Verifies each boot component to ensure only authorized | :ref:`auth_boot_guide` | + | | code executes on the device | | + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` | + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + | **Key Management** | Tools for secure key provisioning | :ref:`key-writer-lite-label` | + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + | **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` | + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + | **Trusted Execution** | Implementation of secure monitor (EL3) firmware that | :ref:`foundational-components-atf` | + | | manages the secure boot process and TrustZone transitions | | + + +-----------------------------------------------------------+--------------------------------------+ + | | Trusted Execution Environment that enables isolated | :ref:`foundational-components-optee` | + | | execution of security-sensitive applications and services | | + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + +.. 
ifconfig:: CONFIG_part_variant in ('AM62X', 'AM62PX', 'AM62AX') + + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + | Security Feature | Description | Links | + +=========================+===========================================================+======================================+ + | **Authenticated Boot** | Verifies each boot component to ensure only authorized | :ref:`auth_boot_guide` | + | | code executes on the device | | + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` | + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + | **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` | + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + | **SELinux** | Kernel security module providing policy-based access | :ref:`selinux_guide` | + | | control for processes, files, and system objects | | + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + | **Trusted Execution** | Implementation of secure monitor (EL3) firmware that | :ref:`foundational-components-atf` | + | | manages the secure boot process and TrustZone transitions | | + + +-----------------------------------------------------------+--------------------------------------+ + | | Trusted Execution Environment that enables isolated | :ref:`foundational-components-optee` | + | | execution of security-sensitive applications and services | | + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + +.. 
ifconfig:: CONFIG_part_variant not in ('AM62X', 'AM62PX', 'AM62AX', 'AM62LX') + + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + | Security Feature | Description | Links | + +=========================+===========================================================+======================================+ + | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` | + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + | **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` | + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + | **Trusted Execution** | Implementation of secure monitor (EL3) firmware that | :ref:`foundational-components-atf` | + | | manages the secure boot process and TrustZone transitions | | + + +-----------------------------------------------------------+--------------------------------------+ + | | Trusted Execution Environment that enables isolated | :ref:`foundational-components-optee` | + | | execution of security-sensitive applications and services | | + +-------------------------+-----------------------------------------------------------+--------------------------------------+ + diff --git a/source/linux/Foundational_Components/System_Security/images/security_framework.png b/source/linux/Foundational_Components/System_Security/images/security_framework.png new file mode 100644 index 000000000..e2192bffb Binary files /dev/null and b/source/linux/Foundational_Components/System_Security/images/security_framework.png differ diff --git a/source/linux/Foundational_Components_OPTEE.rst b/source/linux/Foundational_Components_OPTEE.rst index 3a0a155a9..38d87538f 100644 --- a/source/linux/Foundational_Components_OPTEE.rst 
+++ b/source/linux/Foundational_Components_OPTEE.rst @@ -75,6 +75,7 @@ of entropy can work around these issues. $ make CROSS_COMPILE="$CROSS_COMPILE_32" CROSS_COMPILE64="$CROSS_COMPILE_64" PLATFORM=k3-|__OPTEE_PLATFORM_FLAVOR__| CFG_ARM64_core=y CFG_WITH_SOFTWARE_PRNG=y +.. _secure-storage-with-rpmb: Secure Storage with RPMB (For HS) ********************************* diff --git a/source/linux/Foundational_Components_Security.rst b/source/linux/Foundational_Components_Security.rst index aa8511a02..15a267e1e 100644 --- a/source/linux/Foundational_Components_Security.rst +++ b/source/linux/Foundational_Components_Security.rst @@ -7,6 +7,7 @@ Security .. toctree:: :maxdepth: 5 + Foundational_Components/System_Security/Security_overview Foundational_Components_Migration_Guide Foundational_Components_Secure_Boot Foundational_Components/System_Security/SELinux