Merged
1 change: 1 addition & 0 deletions configs/AM62AX/AM62AX_linux_toc.txt
Expand Up @@ -93,6 +93,7 @@ linux/Foundational_Components/Power_Management/pm_wakeup_sources
linux/Foundational_Components/Power_Management/pm_sw_arch
linux/Foundational_Components/Power_Management/pm_debug

linux/Foundational_Components/System_Security/Security_overview
linux/Foundational_Components/System_Security/SELinux
linux/Foundational_Components/System_Security/Auth_boot

1 change: 1 addition & 0 deletions configs/AM62LX/AM62LX_linux_toc.txt
Expand Up @@ -78,6 +78,7 @@ linux/Foundational_Components/Power_Management/pm_cpuidle
linux/Foundational_Components/Power_Management/pm_am62lx_low_power_modes
linux/Foundational_Components/Power_Management/pm_wakeup_sources

linux/Foundational_Components/System_Security/Security_overview
#linux/Foundational_Components/System_Security/SELinux
linux/Foundational_Components/System_Security/Auth_boot

1 change: 1 addition & 0 deletions configs/AM62PX/AM62PX_linux_toc.txt
Expand Up @@ -98,6 +98,7 @@ linux/Foundational_Components/Power_Management/pm_wakeup_sources
linux/Foundational_Components/Power_Management/pm_sw_arch
linux/Foundational_Components/Power_Management/pm_debug

linux/Foundational_Components/System_Security/Security_overview
linux/Foundational_Components/System_Security/SELinux
linux/Foundational_Components/System_Security/Auth_boot

1 change: 1 addition & 0 deletions configs/AM62X/AM62X_linux_toc.txt
Expand Up @@ -95,6 +95,7 @@ linux/Foundational_Components/Power_Management/pm_wakeup_sources
linux/Foundational_Components/Power_Management/pm_sw_arch
linux/Foundational_Components/Power_Management/pm_debug

linux/Foundational_Components/System_Security/Security_overview
linux/Foundational_Components/System_Security/SELinux
linux/Foundational_Components/System_Security/Auth_boot

1 change: 1 addition & 0 deletions configs/AM64X/AM64X_linux_toc.txt
Expand Up @@ -82,6 +82,7 @@ linux/Foundational_Components_Kernel_Users_Guide
linux/Foundational_Components_Kernel_LTP-DDT_Validation
linux/Foundational_Components_Kernel_FAQs
linux/Foundational_Components_Security
linux/Foundational_Components/System_Security/Security_overview
linux/Foundational_Components_Machine_Learning
linux/Foundational_Components/Machine_Learning/arm_compute_library
linux/Foundational_Components/Machine_Learning/armnn
2 changes: 2 additions & 0 deletions configs/J7200/J7200_linux_toc.txt
Expand Up @@ -81,6 +81,8 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/VTM
linux/Foundational_Components_Kernel_Users_Guide
linux/Foundational_Components_Kernel_LTP-DDT_Validation
linux/Foundational_Components_Kernel_FAQs
linux/Foundational_Components_Security
linux/Foundational_Components/System_Security/Security_overview
linux/Foundational_Components_Filesystem
linux/Foundational_Components_Tools
linux/Foundational_Components/Tools/Development_Tools
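Review bot: The added `linux/Foundational_Components_Security` entry pulls in a toctree that, per the Foundational_Components_Security.rst hunk in this PR, also lists `Foundational_Components_Migration_Guide`, `Foundational_Components_Secure_Boot` and `Foundational_Components/System_Security/SELinux`, while only `Security_overview` is added next to it here. Confirm those pages are already listed elsewhere in this toc, or that missing toctree entries are tolerated for this device, so the build does not emit nonexistent-document warnings. The same applies to the identical two-line additions in the J721E, J721S2, J722S, J742S2 and J784S4 tocs.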
2 changes: 2 additions & 0 deletions configs/J721E/J721E_linux_toc.txt
Expand Up @@ -87,6 +87,8 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/VTM
linux/Foundational_Components_Kernel_Users_Guide
linux/Foundational_Components_Kernel_LTP-DDT_Validation
linux/Foundational_Components_Kernel_FAQs
linux/Foundational_Components_Security
linux/Foundational_Components/System_Security/Security_overview
linux/Foundational_Components_Filesystem
linux/Foundational_Components_Tools
linux/Foundational_Components/Tools/Development_Tools
2 changes: 2 additions & 0 deletions configs/J721S2/J721S2_linux_toc.txt
Expand Up @@ -87,6 +87,8 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/VTM
linux/Foundational_Components_Kernel_Users_Guide
linux/Foundational_Components_Kernel_LTP-DDT_Validation
linux/Foundational_Components_Kernel_FAQs
linux/Foundational_Components_Security
linux/Foundational_Components/System_Security/Security_overview
linux/Foundational_Components_Filesystem
linux/Foundational_Components_Tools
linux/Foundational_Components/Tools/Development_Tools
2 changes: 2 additions & 0 deletions configs/J722S/J722S_linux_toc.txt
Expand Up @@ -83,6 +83,8 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/VTM
linux/Foundational_Components_Kernel_Users_Guide
linux/Foundational_Components_Kernel_LTP-DDT_Validation
linux/Foundational_Components_Kernel_FAQs
linux/Foundational_Components_Security
linux/Foundational_Components/System_Security/Security_overview
linux/Foundational_Components_Filesystem
linux/Foundational_Components_Tools
linux/Foundational_Components/Tools/Development_Tools
2 changes: 2 additions & 0 deletions configs/J742S2/J742S2_linux_toc.txt
Expand Up @@ -86,6 +86,8 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/VTM
linux/Foundational_Components_Kernel_Users_Guide
linux/Foundational_Components_Kernel_LTP-DDT_Validation
linux/Foundational_Components_Kernel_FAQs
linux/Foundational_Components_Security
linux/Foundational_Components/System_Security/Security_overview
linux/Foundational_Components_Filesystem
linux/Foundational_Components_Tools
linux/Foundational_Components/Tools/Development_Tools
2 changes: 2 additions & 0 deletions configs/J784S4/J784S4_linux_toc.txt
Expand Up @@ -87,6 +87,8 @@ linux/Foundational_Components/Kernel/Kernel_Drivers/VTM
linux/Foundational_Components_Kernel_Users_Guide
linux/Foundational_Components_Kernel_LTP-DDT_Validation
linux/Foundational_Components_Kernel_FAQs
linux/Foundational_Components_Security
linux/Foundational_Components/System_Security/Security_overview
linux/Foundational_Components_Filesystem
linux/Foundational_Components_Tools
linux/Foundational_Components/Tools/Development_Tools
@@ -1,4 +1,5 @@
.. _DTHEv2-Crypto-Accelerator:
.. _crypto-accelerator:

Check warning on line 2 in source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [RedHat.Spelling] Verify the word 'crypto'. It is not in the American English spelling dictionary used by Vale. Raw Output: {"message": "[RedHat.Spelling] Verify the word 'crypto'. It is not in the American English spelling dictionary used by Vale.", "location": {"path": "source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst", "range": {"start": {"line": 2, "column": 5}}}, "severity": "WARNING"}

######
Crypto
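Review bot: The new `.. _crypto-accelerator:` label on line 2 is also added to SA2UL_OMAP.rst in this PR, so the same label is defined in two documents. If any device build includes both pages, Sphinx reports a duplicate label and the `crypto-accelerator` reference in Security_overview.rst resolves to only one of them. Confirm that no toc lists both pages, or record the per-device exclusivity in a comment next to the label.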
@@ -1,3 +1,6 @@
.. _SAUL-Crypto-Accelerator:

Check warning on line 1 in source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [RedHat.ReadabilityGrade] Simplify your language. The calculated Flesch–Kincaid grade level of 11.22 is above the recommended reading grade level of 9. Raw Output: {"message": "[RedHat.ReadabilityGrade] Simplify your language. The calculated Flesch–Kincaid grade level of 11.22 is above the recommended reading grade level of 9.", "location": {"path": "source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst", "range": {"start": {"line": 1, "column": 1}}}, "severity": "INFO"}
.. _crypto-accelerator:

######
Crypto
######
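Review bot: The first added label reads `SAUL-Crypto-Accelerator`, but the file is SA2UL_OMAP.rst. If the driver name is what is meant, spell it `SA2UL-Crypto-Accelerator` now, before other pages start referencing the label.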
@@ -0,0 +1,102 @@
.. _Security_overview:

Check warning on line 1 in source/linux/Foundational_Components/System_Security/Security_overview.rst

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [RedHat.ReadabilityGrade] Simplify your language. The calculated Flesch–Kincaid grade level of 14.21 is above the recommended reading grade level of 9. Raw Output: {"message": "[RedHat.ReadabilityGrade] Simplify your language. The calculated Flesch–Kincaid grade level of 14.21 is above the recommended reading grade level of 9.", "location": {"path": "source/linux/Foundational_Components/System_Security/Security_overview.rst", "range": {"start": {"line": 1, "column": 1}}}, "severity": "INFO"}

###############
Device Security

Check warning on line 4 in source/linux/Foundational_Components/System_Security/Security_overview.rst

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [RedHat.Headings] Use sentence-style capitalization in 'Device Security'. Raw Output: {"message": "[RedHat.Headings] Use sentence-style capitalization in 'Device Security'.", "location": {"path": "source/linux/Foundational_Components/System_Security/Security_overview.rst", "range": {"start": {"line": 4, "column": 1}}}, "severity": "INFO"}
###############

=================
Security Overview

Check warning on line 8 in source/linux/Foundational_Components/System_Security/Security_overview.rst

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [RedHat.Headings] Use sentence-style capitalization in 'Security Overview'. Raw Output: {"message": "[RedHat.Headings] Use sentence-style capitalization in 'Security Overview'.", "location": {"path": "source/linux/Foundational_Components/System_Security/Security_overview.rst", "range": {"start": {"line": 8, "column": 1}}}, "severity": "INFO"}
=================

The |__PART_FAMILY_DEVICE_NAMES__| SoC offers a comprehensive set of
security features that protect embedded Linux applications. This guide
offers a starting point to understand and implement these capabilities
as part of product development, with the following advantages:

* **Hardware-backed security** - Leverages built-in security hardware
for robust protection
* **Defense in-depth** - Implements security at many levels including
hardware, firmware, software to protect against wide range of attacks
* **Industry standards compliance** - Incorporates security measures such
as secure boot, TrustZone, and crypto acceleration that can help meet

Check warning on line 21 in source/linux/Foundational_Components/System_Security/Security_overview.rst

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [RedHat.Spelling] Verify the word 'crypto'. It is not in the American English spelling dictionary used by Vale. Raw Output: {"message": "[RedHat.Spelling] Verify the word 'crypto'. It is not in the American English spelling dictionary used by Vale.", "location": {"path": "source/linux/Foundational_Components/System_Security/Security_overview.rst", "range": {"start": {"line": 21, "column": 34}}}, "severity": "WARNING"}
requirements in standards such as IEC 62443 and NIST guidelines

Check warning on line 22 in source/linux/Foundational_Components/System_Security/Security_overview.rst

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [RedHat.Definitions] Define acronyms and abbreviations (such as 'NIST') on first occurrence if they're likely to be unfamiliar. Raw Output: {"message": "[RedHat.Definitions] Define acronyms and abbreviations (such as 'NIST') on first occurrence if they're likely to be unfamiliar.", "location": {"path": "source/linux/Foundational_Components/System_Security/Security_overview.rst", "range": {"start": {"line": 22, "column": 51}}}, "severity": "INFO"}

Check warning on line 22 in source/linux/Foundational_Components/System_Security/Security_overview.rst

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [RedHat.Definitions] Define acronyms and abbreviations (such as 'IEC') on first occurrence if they're likely to be unfamiliar. Raw Output: {"message": "[RedHat.Definitions] Define acronyms and abbreviations (such as 'IEC') on first occurrence if they're likely to be unfamiliar.", "location": {"path": "source/linux/Foundational_Components/System_Security/Security_overview.rst", "range": {"start": {"line": 22, "column": 37}}}, "severity": "INFO"}
* **Flexible implementation** - Allows security features that can be
tailored to specific application needs

================
Security Domains

Check warning on line 27 in source/linux/Foundational_Components/System_Security/Security_overview.rst

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [RedHat.Headings] Use sentence-style capitalization in 'Security Domains'. Raw Output: {"message": "[RedHat.Headings] Use sentence-style capitalization in 'Security Domains'.", "location": {"path": "source/linux/Foundational_Components/System_Security/Security_overview.rst", "range": {"start": {"line": 27, "column": 1}}}, "severity": "INFO"}
================

Below is an overview of the security framework's main domains:

.. figure:: ./images/security_framework.png

These security domains create a chain of trust protecting the
|__PART_FAMILY_DEVICE_NAMES__| SoC from boot through runtime and storage,
ensuring system integrity and data confidentiality.

=============================
Security Features at a Glance

Check warning on line 39 in source/linux/Foundational_Components/System_Security/Security_overview.rst

GitHub Actions / vale

[vale] reported by reviewdog 🐶 [RedHat.Headings] Use sentence-style capitalization in 'Security Features at a Glance'. Raw Output: {"message": "[RedHat.Headings] Use sentence-style capitalization in 'Security Features at a Glance'.", "location": {"path": "source/linux/Foundational_Components/System_Security/Security_overview.rst", "range": {"start": {"line": 39, "column": 1}}}, "severity": "INFO"}
=============================

The following table lists some of the key Security Features:

.. ifconfig:: CONFIG_part_variant in ('AM62LX')

+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Security Feature** | **Description** | **Links** |
+=========================+===========================================================+======================================+
| **Authenticated Boot** | Verifies each boot component to ensure only authorized | :ref:`auth_boot_guide` |
| | code executes on the device | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Key Management** | Tools for secure key provisioning | :ref:`key-writer-lite-label` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Trusted Execution** | Implementation of secure monitor (EL3) firmware that | :ref:`foundational-components-atf` |
| | manages the secure boot process and TrustZone transitions | |
+ +-----------------------------------------------------------+--------------------------------------+
| | Trusted Execution Environment that enables isolated | :ref:`foundational-components-optee` |
| | execution of security-sensitive applications and services | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+

.. ifconfig:: CONFIG_part_variant in ('AM62X', 'AM62PX', 'AM62AX')

+-------------------------+-----------------------------------------------------------+--------------------------------------+
| Security Feature | Description | Links |
+=========================+===========================================================+======================================+
| **Authenticated Boot** | Verifies each boot component to ensure only authorized | :ref:`auth_boot_guide` |
| | code executes on the device | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **SELinux** | Kernel security module providing policy-based access | :ref:`selinux_guide` |
| | control for processes, files, and system objects | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Trusted Execution** | Implementation of secure monitor (EL3) firmware that | :ref:`foundational-components-atf` |
| | manages the secure boot process and TrustZone transitions | |
+ +-----------------------------------------------------------+--------------------------------------+
| | Trusted Execution Environment that enables isolated | :ref:`foundational-components-optee` |
| | execution of security-sensitive applications and services | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+

.. ifconfig:: CONFIG_part_variant not in ('AM62X', 'AM62PX', 'AM62AX', 'AM62LX')

+-------------------------+-----------------------------------------------------------+--------------------------------------+
| Security Feature | Description | Links |
+=========================+===========================================================+======================================+
| **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
| **Trusted Execution** | Implementation of secure monitor (EL3) firmware that | :ref:`foundational-components-atf` |
| | manages the secure boot process and TrustZone transitions | |
+ +-----------------------------------------------------------+--------------------------------------+
| | Trusted Execution Environment that enables isolated | :ref:`foundational-components-optee` |
| | execution of security-sensitive applications and services | |
+-------------------------+-----------------------------------------------------------+--------------------------------------+
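Review bot: The catch-all table under `.. ifconfig:: CONFIG_part_variant not in ('AM62X', 'AM62PX', 'AM62AX', 'AM62LX')` has no boot-integrity row, although the text above it describes a chain of trust "from boot through runtime and storage" and the Security toctree in this PR lists `Foundational_Components_Secure_Boot`. Add a row that links the boot documentation applicable to those devices, or narrow the chain-of-trust sentence for them. Separately, `.. figure:: ./images/security_framework.png` carries no `:alt:` text or caption, and only the AM62LX table bolds its header cells.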

1 change: 1 addition & 0 deletions source/linux/Foundational_Components_OPTEE.rst
Expand Up @@ -75,6 +75,7 @@ of entropy can work around these issues.

$ make CROSS_COMPILE="$CROSS_COMPILE_32" CROSS_COMPILE64="$CROSS_COMPILE_64" PLATFORM=k3-|__OPTEE_PLATFORM_FLAVOR__| CFG_ARM64_core=y CFG_WITH_SOFTWARE_PRNG=y

.. _secure-storage-with-rpmb:

Secure Storage with RPMB (For HS)
*********************************
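Review bot: The new `secure-storage-with-rpmb` label targets a section titled "Secure Storage with RPMB (For HS)", but the Security_overview.rst rows that link to it describe the feature only as "Protection mechanisms for sensitive data". State the HS-device scope in that Description cell so readers of the overview do not assume it applies to every device type.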
1 change: 1 addition & 0 deletions source/linux/Foundational_Components_Security.rst
Expand Up @@ -7,6 +7,7 @@ Security
.. toctree::
:maxdepth: 5

Foundational_Components/System_Security/Security_overview
Foundational_Components_Migration_Guide
Foundational_Components_Secure_Boot
Foundational_Components/System_Security/SELinux