[Jennifer Hellar]

The OSD3358-SM-RED development board includes a hardware secure boot setup using an Atmel AT97SC3205T TPM and Secure NOR Flash.

We currently do not have an application note for secure boot. But, please see below for resources that are available to execute secure boot:

Secure U-Boot for the BeagleBone Black using CryptoCape:

U-Boot with Atmel's I2C TPM, libTLCL, and libsboot (Secure Boot)
https://github.com/theopolis/u-boot-sboot
12 forks.
18 stars.
0 open issues.

Recent commits:

• Cryptocape (+Beaglebone Black) supportOriginal debugging: http://goo.gl/muEx2ZPatches from: Scott C.M. <Mark.Scott@soton.ac.uk>, Teddy Reed
• Moved sboot README, Teddy Reed
• Merge branch 'master' of git://git.denx.de/u-boot into tpm-i2c-atmel, Teddy Reed
• drivers/i2c/fsl_i2c: modify i2c_read to handle multi-byte writeMost of the I2C slaves support accesses in the typical stylethat is : read/write series of bytes at particular address offset.These transactions look like:"(1) START:Address:Tx:Offset:RESTART:Address[0..4]:Tx/Rx:data[0..n]:STOP"However there are certain devices which support accesses interms of the transactions as follows:(2) "START:Address:Tx:Txdata[0..n1]:Clock_stretching: RESTART:Address:Rx:data[0..n2]"Here Txdata is typically a command and some associated data,similarly Rxdata could be command status plus some data receivedas a response to the command sent.Type (1) transactions are currently supportd in thei2c driver using i2c_read and i2c_write APIs. I2C EEPROMs,RTC, etc fall in this category.To handle type (2) along with type (1) transactions,i2c_read() function has been modified.Signed-off-by: Shaveta Leekha <shaveta@freescale.com>Signed-off-by: Poonam Aggrwal <poonam.aggrwal@freescale.com>, Heiko Schocher
• driver/mxc_i2c: Move static data structure to global_dataThis driver needs a data structure in SRAM before SDRAM is available.This is not alway the case using .data section. Moving this datastructure to global_data guarantees it is writable.Signed-off-by: York Sun <yorksun@freescale.com>CC: Troy Kisky <troy.kisky@boundarydevices.com>, Heiko Schocher

We would recommend purchasing a development kit from Microchip for the TPM to get a better understanding of its capabilities
and of the software libraries that have been developed around it.

TPM datasheet and capabilities:
https://www.microchip.com/wwwproducts/en/at97sc3205t)
https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2014.pdf

TPM development kit:
https://www.digikey.com/product-detail/en/microchip-technology/AT97SC3205T-SDK2/AT97SC3205T-SDK2-ND/4494595

TPM crypto functions
The BeagleBone CryptoCape incorporates the same TPM and open-source device tree overlays and documentation exist that provide excellent references:
https://cryptotronix.com/cryptocape-tpm/
https://www.sparkfun.com/products/retired/12773 (see Documents section)
https://cryptotronix.com/products/cryptocape/

In order to access the TPM in the Linux kernel, you need to make sure it is declared in the device tree. If you look at the CryptoCape device tree overlay:
https://github.com/beagleboard/bb.org-overlays/blob/master/src/arm/BB-BONE-CRYPTO-00A0.dts

you can see that the TPM is declared under I2C2:

fragment@2 {
target = <&i2c2>; <– I2C peripheral
overlay {

status = “okay”; <– Make sure peripheral is enabled

/ this is the configuration part /
clock-frequency = <100000>;
address-cells = <1>;
size-cells = <0>;

tpm@29 {
compatible = “atmel,at97sc3204t”; <– Declaring the appropriate Linux driver for the TPM
reg = <0x29>; <– Declaring the I2C address of the TPM
};
};
};

You can use

Device Tree Overlays for bb.org boards
https://github.com/beagleboard/bb.org-overlays
177 forks.
205 stars.
67 open issues.

Recent commits:

• feat: feature to return all pins, with gpio number, current state and all modes" – added #define PLATFORMBASE "/sys/devices/platform/ocp/" – GetGpio() has extra argument to handle returning gpio to the terminal – QueryMode() has extra argument for removing new line for ListAllPins() – extract_pin_name() uses PLATFORMBASE to return all Physical pin names – main() has additional check for -g and -a`", Robert Nelson
• Cleaned up choosen, Mark A. Yoder
• Switching back to previous version, Mark A. Yoder
• Switched to &P9_12_gpio_pu, Mark A. Yoder
• BB-LCD-ADAFRUIT-24-SPI: cleanup / nodeSigned-off-by: Robert Nelson <robertcnelson@gmail.com>, Robert Nelson

and

https://github.com/RobertCNelson/dtb-rebuilder/tree/4.9-ti

in order to modify the device tree overlay for your design. This will allow you to configure the TPM for your system.

[Author]

Posts