This is a series of notes designed to be a walkthrough on how to configure the HiKey Kirin 620 to boot securely with ARM Trusted Firmware's Trusted Board Boot. This does not use any proprietary settings or vendor-specific details about the SoC. Instead, the secure boot path relies on the SoC's BOOT_SEL configured to boot solely from the eMMC. With this configuration there should be no way to interrupt or bypass the root of trust via runtime changes.
Pay special attention to the should as this is not speaking from authority but rather from suspicion and research.
The Root of Trust (ROT) begins in the BL2 programmed to the eMMC's boot0 partition. The bootrom must execute the HiKey's l-loader.bin and ARM-Trusted-Firmware's (ATF) bl2.bin written to this alternate boot partition. The eMMC's extended CSD register 173 (BOOT_WP) is written to permanent write-protect this content. This is a 1-time program operation that has the potential to brick the device.Read More