Authentication and Validation of Binaries

All firmware binaries and calibration data (i.e., BCTs, DTBs) loaded by BootROM, MB1, MB2, and Partition Loader are validated, authenticated, and optionally decrypted. The following category of binaries go through this process:
  • BPMP related firmware binaries including MB1, BPMP_FW, and associated calibration data
  • PSC related firmwares including PSC-BL1 and PSC-FW
  • CCPLEX related firmware binaries including MB2, MCE, ARM Trusted Firmware, Secure OS, partition table, and associated calibration data
  • CCPLEX virtualization binaries including Hypervisor, servers, Partition Loader, and associated calibration data
  • Auxiliary firmwares including FSI, DCE, RCE, PVA, APE
  • Key IST firmware binaries and calibration data
  • Runtime IST firmware binaries and calibration data
  • SC7 support binaries
  • Guest OS binaries including kernel, Primary IFS, and associated calibration data

In T234, BCH group can hold up to eight (8) OEM signed binaries signature or up to two (2) NV signed binaries signature.

NV signed grouping is not implemented in software. For OEM signed binaries grouping, there is a condition that all binaries in the group must be loaded by same boot component.

A BCH has an array of eight (8) OEM signed components and has the following details about the binary:
  1. Destination load address.
  2. Location of binary on storage.
  3. Size
  4. Version and Ratchet level
  5. Encryption parameters
  6. Hash Value.
Note: Provision for destination load address and location on storage are not supported by all boot components. The ones that are supported by all boot components are:
  1. Size
  2. Version and ratchet level
  3. Encryption parameters
  4. Hash values

For more information about BCH refer to Grouping of Boot Images.

Dual Authentication of Firmware

MB1 firmware, BPMP firmware, and CPU firmware are delivered in binary form and are signed with the NVIDIA and OEM RSA keys. As a result, two validation steps are required:

  1. Authentication and validation with the OEM key
  2. Authentication and validation with the NVIDIA key

Recovery Support

For authentication and validation information consult Understanding Security.

SecureOS

The SecureOS (TOS) runs in EL3 mode and provides SecureMode support.

Hypervisor-based Flow

The hypervisor-based flow is as follows:

media/image6.png

Virtual Machine

The Virtual Machine (VM) is an emulation of a native system. It is a software container that functions as an independent system with its own dedicated hardware and operating system, called guest OS in the context of Hypervisor.

Partition Loader

The PartitionLoader (PL) is a special purpose boot loader image embedded into the Hypervisor. It acts as Virtual boot ROM for the virtual machine.