diff --git a/source/devices/AM62LX/linux/Release_Specific_Yocto_layer_Configuration.rst b/source/devices/AM62LX/linux/Release_Specific_Yocto_layer_Configuration.rst index 9b7894df8..b3a3ef175 100644 --- a/source/devices/AM62LX/linux/Release_Specific_Yocto_layer_Configuration.rst +++ b/source/devices/AM62LX/linux/Release_Specific_Yocto_layer_Configuration.rst @@ -29,5 +29,8 @@ has the following configuration files in the :file:`configs/processor-sdk` direc * - :file:`processor-sdk-master-selinux-12.00.00.07.04-config.txt` - Used for building SELinux enabled Yocto based filesystem - |__SDK_BUILD_MACHINE__| + * - :file:`processor-sdk-master-luks-12.00.00.07.04-config.txt` + - Used for building SDK with the luks disk encryption using fTPM + - |__SDK_BUILD_MACHINE__| The oe-layersetup configuration, as defined in :file:`processor-sdk-master-nonui-12.00.00.07.04-config.txt`, is used for configuring the meta layers in the yocto SD card image available on |__SDK_DOWNLOAD_URL__|. diff --git a/source/devices/AM62PX/linux/Release_Specific_Yocto_layer_Configuration.rst b/source/devices/AM62PX/linux/Release_Specific_Yocto_layer_Configuration.rst index 528b37ca7..36383d8ed 100644 --- a/source/devices/AM62PX/linux/Release_Specific_Yocto_layer_Configuration.rst +++ b/source/devices/AM62PX/linux/Release_Specific_Yocto_layer_Configuration.rst @@ -32,5 +32,8 @@ has the following configuration files in the :file:`configs/processor-sdk` direc * - :file:`processor-sdk-master-selinux-12.00.00.07.04-config.txt` - Used for building SELinux enabled Yocto based filesystem - |__SDK_BUILD_MACHINE__| + * - :file:`processor-sdk-master-luks-12.00.00.07.04-config.txt` + - Used for building SDK with the luks disk encryption using fTPM + - |__SDK_BUILD_MACHINE__| The oe-layersetup configuration, as defined in :file:`processor-sdk-master-chromium-12.00.00.07.04-config.txt`, is used for configuring the meta layers in the yocto SD card image available on |__SDK_DOWNLOAD_URL__|. 
diff --git a/source/devices/AM62X/linux/Release_Specific_Yocto_layer_Configuration.rst b/source/devices/AM62X/linux/Release_Specific_Yocto_layer_Configuration.rst index 25163fc29..1f10e1fb9 100644 --- a/source/devices/AM62X/linux/Release_Specific_Yocto_layer_Configuration.rst +++ b/source/devices/AM62X/linux/Release_Specific_Yocto_layer_Configuration.rst @@ -32,5 +32,8 @@ has the following configuration files in the :file:`configs/processor-sdk` direc * - :file:`processor-sdk-master-selinux-12.00.00.07.04-config.txt` - Used for building SELinux enabled Yocto based filesystem - |__SDK_BUILD_MACHINE__|, am62xx-lp-evm, am62xxsip-evm, beagleplay-ti + * - :file:`processor-sdk-master-luks-12.00.00.07.04-config.txt` + - Used for building SDK with the luks disk encryption using fTPM + - |__SDK_BUILD_MACHINE__| The oe-layersetup configuration, as defined in :file:`processor-sdk-master-chromium-12.00.00.07.04-config.txt`, is used for configuring the meta layers in the yocto SD card image available on |__SDK_DOWNLOAD_URL__|. diff --git a/source/devices/AM64X/linux/Release_Specific_Yocto_layer_Configuration.rst b/source/devices/AM64X/linux/Release_Specific_Yocto_layer_Configuration.rst index 9b7894df8..b3a3ef175 100644 --- a/source/devices/AM64X/linux/Release_Specific_Yocto_layer_Configuration.rst +++ b/source/devices/AM64X/linux/Release_Specific_Yocto_layer_Configuration.rst 
@@ -29,5 +29,8 @@ has the following configuration files in the :file:`configs/processor-sdk` direc * - :file:`processor-sdk-master-selinux-12.00.00.07.04-config.txt` - Used for building SELinux enabled Yocto based filesystem - |__SDK_BUILD_MACHINE__| + * - :file:`processor-sdk-master-luks-12.00.00.07.04-config.txt` + - Used for building SDK with the luks disk encryption using fTPM + - |__SDK_BUILD_MACHINE__| The oe-layersetup configuration, as defined in :file:`processor-sdk-master-nonui-12.00.00.07.04-config.txt`, is used for configuring the meta layers in the yocto SD card image available on |__SDK_DOWNLOAD_URL__|. diff --git a/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst b/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst index b70ff3f9d..44c8ae259 100644 --- a/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst +++ b/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/DTHEv2.rst @@ -216,10 +216,12 @@ software only implementation can be compared to the previous test. Using the True Random Number Generator (TRNG) Hardware Accelerator ****************************************************************** -The pre-built kernel included within the SDK already has the OP-TEE TRNG -driver enabled. You do not need any further configuration. +In the default SDK, OP-TEE controls the TRNG engine and firewalls its +hardware registers, blocking outside access. To use TRNG from Linux instead, +disable the OP-TEE driver and enable the RNG node in the Linux device tree. -Verify that the optee-rng driver is loaded: +Using TRNG from OP-TEE requires no further configuration. Verify the optee-rng +driver loads: .. code-block:: console diff --git a/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst b/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst index d3cb4eac4..f8d5f717a 100644 
--- a/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst +++ b/source/linux/Foundational_Components/Kernel/Kernel_Drivers/Crypto/SA2UL_OMAP.rst @@ -304,8 +304,12 @@ software only implementation can be compared to the previous test. Using the TRNG Hardware Accelerator *********************************** -The pre built kernel that come with the SDK already has the TRNG driver -built into the kernel. No further configuration is required. +In the default SDK, OP-TEE controls the TRNG engine and firewalls its +hardware registers, blocking outside access. To use TRNG from Linux instead, +disable the OP-TEE driver and enable the RNG node in the Linux device tree. + +Using TRNG from OP-TEE requires no further configuration. Verify the optee-rng +driver loads: .. ifconfig:: CONFIG_crypto in ('sa2ul') diff --git a/source/linux/Foundational_Components/System_Security/Security_overview.rst b/source/linux/Foundational_Components/System_Security/Security_overview.rst index 509852664..22ee4936b 100644 --- a/source/linux/Foundational_Components/System_Security/Security_overview.rst +++ b/source/linux/Foundational_Components/System_Security/Security_overview.rst 
@@ -49,7 +49,8 @@ The following table lists some of the key Security Features: | **Authenticated Boot** | Verifies each boot component to ensure only authorized | :ref:`auth_boot_guide` | | | code executes on the device | | +-------------------------+-----------------------------------------------------------+--------------------------------------+ - | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` | + | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms and | :ref:`crypto-accelerator` | + | **and TRNG** | hardware entropy based secure random number generation | | +-------------------------+-----------------------------------------------------------+--------------------------------------+ | **Key Management** | Tools for secure key provisioning | :ref:`key-writer-lite-label` | +-------------------------+-----------------------------------------------------------+--------------------------------------+ 
@@ -81,7 +82,8 @@ The following table lists some of the key Security Features: | **Authenticated Boot** | Transparent disk encryption using the Linux kernel | :ref:`auth_boot_guide` | | | device mapper (dm-crypt) for data confidentiality | | +-------------------------+-----------------------------------------------------------+--------------------------------------+ - | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` | + | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms and | :ref:`crypto-accelerator` | + | **and TRNG** | hardware entropy based secure random number generation | | +-------------------------+-----------------------------------------------------------+--------------------------------------+ | **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` | +-------------------------+-----------------------------------------------------------+--------------------------------------+ 
@@ -106,7 +108,8 @@ The following table lists some of the key Security Features: +-------------------------+-----------------------------------------------------------+--------------------------------------+ | Security Feature | Description | Links | +=========================+===========================================================+======================================+ - | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms | :ref:`crypto-accelerator` | + | **Crypto Acceleration** | Hardware driver support for cryptographic algorithms and | :ref:`crypto-accelerator` | + | **and TRNG** | hardware entropy based secure random number generation | | +-------------------------+-----------------------------------------------------------+--------------------------------------+ | **Secure Storage** | Protection mechanisms for sensitive data | :ref:`secure-storage-with-rpmb` | +-------------------------+-----------------------------------------------------------+--------------------------------------+
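Review bot: in the four Release_Specific_Yocto_layer_Configuration.rst hunks, the new row's description "Used for building SDK with the luks disk encryption using fTPM" should follow the wording of the adjacent SELinux row and the project's capitalisation, e.g. "Used for building a Yocto based filesystem with LUKS disk encryption backed by fTPM", and unlike the other rows on the page it gives no pointer to where the fTPM-backed LUKS flow is documented; add a :ref: or :file: reference so the reader knows which guide this config enables. In the AM62X hunk the SELinux row lists |__SDK_BUILD_MACHINE__|, am62xx-lp-evm, am62xxsip-evm and beagleplay-ti, while the new LUKS row lists only |__SDK_BUILD_MACHINE__|; confirm that the narrower machine list is intentional (an fTPM availability constraint) rather than an omission, and state the reason if it is.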
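Review bot: in the DTHEv2.rst hunk, the sentence "To use TRNG from Linux instead, disable the OP-TEE driver and enable the RNG node in the Linux device tree" names neither the OP-TEE build option nor the device-tree node, so a reader cannot act on it; either give the concrete option and node names (or a :ref: to where they are documented) or say that the Linux-owned configuration is not supported out of the box. The paragraph should also spell out the trade-off it implies: the register firewall it describes exists because OP-TEE owns the engine, so once the OP-TEE driver is disabled OP-TEE no longer has this engine as an entropy source and the two configurations are mutually exclusive; a .. note:: in the section's existing style would cover this. The remaining "Verify the optee-rng driver loads:" and its unchanged console block only verify the OP-TEE path, so the Linux path currently has no verification step.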
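Review bot: in the SA2UL_OMAP.rst hunk, the removed text stated that the TRNG driver was built into the Linux kernel, while the replacement states that OP-TEE owns the engine and firewalls its registers; that is a change in described behaviour, not just wording, so confirm it holds for every device this page covers, since the section is guarded by `.. ifconfig:: CONFIG_crypto in ('sa2ul')` and the new sentence "Verify the optee-rng driver loads:" has to lead into a block that actually shows the optee-rng check for those devices. The two new paragraphs are byte-for-byte identical to the DTHEv2.rst hunk; consider moving them to a shared snippet pulled in with `.. include::` so the two pages cannot drift apart.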
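Review bot: in the three Security_overview.rst hunks, the Links column still points only at :ref:`crypto-accelerator`, so the TRNG half of the widened description has no link; put a reference to the TRNG subsection (the DTHEv2 and SA2UL pages touched in this same patch) on the second line of the cell, next to "**and TRNG**". "hardware entropy based" should be hyphenated as "hardware-entropy-based". Splitting the feature name across two cell lines renders as one bold phrase and is fine. While this table is open, the context of the second hunk (the one starting at -81,7) shows a pre-existing mismatch: the **Authenticated Boot** row carries the dm-crypt disk-encryption description but links to :ref:`auth_boot_guide`; either the label or the description is wrong, and with the LUKS config being added in this same patch it is worth fixing here.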