author | Balint Matyi <Balint.Matyi@arm.com> | 2020-07-27 10:06:44 +0100 |
---|---|---|
committer | Máté Tóth-Pál <Mate.Toth-Pal@arm.com> | 2020-08-11 13:29:54 +0000 |
commit | fb7e60f6dad06d59b825e0f39b239ec39663c71b (patch) | |
tree | 041aa963b7e492d0eb0a6438f4dbbc1f2003b122 /docs | |
parent | 116275ebc40f146610ed1e2e94ae469a536d917d (diff) | |
download | trusted-firmware-m-fb7e60f6dad06d59b825e0f39b239ec39663c71b.tar.gz |
Docs: Add explanation about the encrypted upgrade process
Change-Id: Ifdd57b2671699931aebb617c9b721ee31f1eac3e
Signed-off-by: Balint Matyi <Balint.Matyi@arm.com>
Diffstat (limited to 'docs')
-rw-r--r-- | docs/getting_started/tfm_secure_boot.rst | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/docs/getting_started/tfm_secure_boot.rst b/docs/getting_started/tfm_secure_boot.rst index b59035208d..7798f53ebb 100644 --- a/docs/getting_started/tfm_secure_boot.rst +++ b/docs/getting_started/tfm_secure_boot.rst @@ -422,8 +422,21 @@ Compile time switches: - **False:** Doesn't add encrypted image support and doesn't encrypt the image. + .. Note:: + The decryption takes place during the upgrade process, when the images + are being moved between the slots. This means that boards that don't + already have an image on them with MCUBoot that has been compiled with + ``MCUBOOT_ENCRYPT_RSA`` enabled need special treatment. In order to load + an encrypted image to such boards, an upgrade needs to be executed. This + can be done by using MCUBoot, putting an image in the secondary image + area, and setting ``MCUBOOT_ENCRYPT_RSA`` to ``ON``. When using the + ``OVERWRITE_ONLY`` upgrade strategy, this is enough. When using + ``SWAP``, an image is needed in the primary image area as well, to + trigger the update. + .. Warning:: - DO NOT use this key in production code, it is exclusively for testing! + DO NOT use the ``enc-rsa2048-pub.pem`` key in production code, it is + exclusively for testing! Image versioning ================ |
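Review bot: In the added ``.. Note::``, the sentence "This can be done by using MCUBoot, putting an image in the secondary image area, and setting ``MCUBOOT_ENCRYPT_RSA`` to ``ON``" leaves the procedure ambiguous: it does not say that the image placed in the secondary image area is the encrypted one, and it lists enabling the switch last although the bootloader has to be built with it before the upgrade can decrypt anything. Suggest rewording it as ordered steps (build MCUBoot with the switch enabled, then place the encrypted image in the secondary image area, then reset to run the upgrade). The same sentence writes the value as ``ON`` while the option list directly above it documents the switch with **False:**, so one spelling should be used throughout. For the ``SWAP`` case, "an image is needed in the primary image area as well" should state whether that image has to be a valid signed image and whether it is stored unencrypted, since the note otherwise reads as if any content in the primary area would trigger the update. In the reworded ``.. Warning::``, only ``enc-rsa2048-pub.pem`` is named; if a matching private key is shipped for testing as well, the warning should cover the key pair rather than the public half alone.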