author Balint Matyi <Balint.Matyi@arm.com> 2020-07-27 10:06:44 +0100
committer Máté Tóth-Pál <Mate.Toth-Pal@arm.com> 2020-08-11 13:29:54 +0000
commit fb7e60f6dad06d59b825e0f39b239ec39663c71b (patch)
tree 041aa963b7e492d0eb0a6438f4dbbc1f2003b122 /docs
parent 116275ebc40f146610ed1e2e94ae469a536d917d (diff)
Docs: Add explanation about the encrypted upgrade process
Change-Id: Ifdd57b2671699931aebb617c9b721ee31f1eac3e
Signed-off-by: Balint Matyi <Balint.Matyi@arm.com>
Diffstat (limited to 'docs')
-rw-r--r-- docs/getting_started/tfm_secure_boot.rst 15
1 files changed, 14 insertions, 1 deletions
diff --git a/docs/getting_started/tfm_secure_boot.rst b/docs/getting_started/tfm_secure_boot.rst
index b59035208d..7798f53ebb 100644
--- a/docs/getting_started/tfm_secure_boot.rst
+++ b/docs/getting_started/tfm_secure_boot.rst
@@ -422,8 +422,21 @@ Compile time switches:
- **False:** Doesn't add encrypted image support and doesn't encrypt the
image.
+ .. Note::
+ The decryption takes place during the upgrade process, when the images
+ are being moved between the slots. This means that boards that don't
+ already have an image on them with MCUBoot that has been compiled with
+ ``MCUBOOT_ENCRYPT_RSA`` enabled need special treatment. In order to load
+ an encrypted image to such boards, an upgrade needs to be executed. This
+ can be done by using MCUBoot, putting an image in the secondary image
+ area, and setting ``MCUBOOT_ENCRYPT_RSA`` to ``ON``. When using the
+ ``OVERWRITE_ONLY`` upgrade strategy, this is enough. When using
+ ``SWAP``, an image is needed in the primary image area as well, to
+ trigger the update.
+
.. Warning::
- DO NOT use this key in production code, it is exclusively for testing!
+ DO NOT use the ``enc-rsa2048-pub.pem`` key in production code, it is
+ exclusively for testing!
Image versioning
================
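Review bot: The added note tells the reader to set ``MCUBOOT_ENCRYPT_RSA`` to ``ON``, while the option list it is appended to documents the switch values as True/False (the context line reads "- **False:** Doesn't add encrypted image support"); pick one spelling so the value a reader types matches the documented one. The sentence "boards that don't already have an image on them with MCUBoot that has been compiled with ``MCUBOOT_ENCRYPT_RSA`` enabled" is also ambiguous about whether the image or the bootloader is the thing compiled with the switch, so consider splitting it in two. Since the note says decryption only happens while images are moved between slots, it would help to state the consequence directly: what happens to an encrypted image that is written straight to the primary image area. In the ``SWAP`` case, say whether the image required in the primary image area has to meet any condition (signed, plain or encrypted) for the update to be triggered. The reworded Warning now names ``enc-rsa2048-pub.pem``; if a matching private test key ships alongside it, name that file too, because it is the half whose reuse in production breaks the confidentiality of the image.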