Diffstat (limited to 'doc/imx/habv4/guides/mx8m_encrypted_boot.txt')
-rw-r--r-- doc/imx/habv4/guides/mx8m_encrypted_boot.txt 102
1 files changed, 74 insertions, 28 deletions
diff --git a/doc/imx/habv4/guides/mx8m_encrypted_boot.txt b/doc/imx/habv4/guides/mx8m_encrypted_boot.txt
index bb9b6b80f0..5a5f2bd835 100644
--- a/doc/imx/habv4/guides/mx8m_encrypted_boot.txt
+++ b/doc/imx/habv4/guides/mx8m_encrypted_boot.txt
@@ -41,19 +41,25 @@ The diagram below illustrates an encrypted flash.bin image layout:
Signed | ------- +-----------------------------+ |
Data | Enc ^ | u-boot-spl.bin | |
| Data | | + | | SPL
- v v | DDR FW | | Image
+ | | | DDR FW | | Image
+ | | | + | |
+ v v | Hash of FIT FDT | |
------------------ +-----------------------------+ |
| CSF - SPL + DDR FW | v
+-----------------------------+ --------
| DEK Blob |
+-----------------------------+
| Padding |
- ------- +-----------------------------+ --------
- Signed ^ | FDT - FIT | ^
- Data | +-----------------------------+ |
- v | IVT - FIT | |
- ------- +-----------------------------+ |
- | CSF - FIT | |
+ ------------------ +-----------------------------+ --------
+ ^ Signed ^ | FDT - FIT | ^
+ | Data | +-----------------------------+ |
+ Signed | v | IVT - FIT | |
+ Data | ------- +-----------------------------+ |
+(optional) | CSF - FIT | |
+ | +-----------------------------+ |
+ v | IVT - FIT FDT (optional) | |
+ ------------------ +-----------------------------+ |
+ | CSF - FIT FDT (optional) | |
------------------ +-----------------------------+ |
^ | u-boot-nodtb.bin | | FIT
| +-----------------------------+ | Image
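Review bot: In the SPL image part of the diagram, the new "Hash of FIT FDT" box carries no "(optional)" marker, while the "IVT - FIT FDT (optional)" and "CSF - FIT FDT (optional)" boxes added further down do. Please state whether the hash is always appended to the signed and encrypted SPL region or only when the FIT FDT signature is used, and mark the box to match, since its presence changes what the SPL CSF has to cover.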
@@ -81,6 +87,7 @@ by following one of the methods below:
CONFIG_CMD_DEKBLOB=y
CONFIG_IMX_OPTEE_DEK_ENCAP=y
CONFIG_CMD_PRIBLOB=y
+ CONFIG_IMX_SPL_FIT_FDT_SIGNATURE=y (Optional, for FIT FDT signature only)
- Kconfig
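Review bot: The remark appended to the new CONFIG_IMX_SPL_FIT_FDT_SIGNATURE=y line sits inside a list that readers copy into a defconfig, where "(Optional, for FIT FDT signature only)" is not valid syntax. Move the remark to its own sentence next to the list and say there what enabling the option adds to the rest of the guide (the third CSF and the extra insert step).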
@@ -166,7 +173,9 @@ Command Sequence File (CSF):
Second Loader IMAGE:
sld_header_off 0x57c00
sld_csf_off 0x58c20
- sld hab block: 0x401fcdc0 0x57c00 0x1020
+ sld hab block: 0x401fadc0 0x57c00 0x1020
+ fit-fdt csf_off 0x5ac20
+ fit-fdt hab block: 0x401fadc0 0x57c00 0x3020
- Additional HAB information is provided by running the following command:
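Review bot: The new "fit-fdt hab block: 0x401fadc0 0x57c00 0x3020" line has the same load address and file offset as the sld hab block and differs only in length, and the guide does not explain the relationship. The range 0x57c00 to 0x5ac20 includes sld_csf_off 0x58c20, so the FIT FDT signature also covers the area where the FIT CSF is inserted. A sentence saying what the extra 0x2000 bytes contain, and that the fit-fdt block ends exactly at fit-fdt csf_off 0x5ac20, would make clear why this CSF has to be generated last.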
@@ -176,10 +185,10 @@ Command Sequence File (CSF):
./../scripts/pad_image.sh u-boot-nodtb.bin fsl-imx8mm-evk.dtb
TEE_LOAD_ADDR=0xbe000000 ATF_LOAD_ADDR=0x00920000 VERSION=v1 \
./print_fit_hab.sh 0x60000 fsl-imx8mm-evk.dtb
- 0x40200000 0x5AC00 0xB0318
- 0x402B0318 0x10AF18 0x8628
- 0x920000 0x113540 0xA160
- 0xBE000000 0x11D6A0 0x48520
+ 0x40200000 0x5CC00 0xB0318
+ 0x402B0318 0x10CF18 0x8628
+ 0x920000 0x115540 0xA160
+ 0xBE000000 0x11F6A0 0x48520
1.6 Creating the CSF description file for SPL + DDR FW image
-------------------------------------------------------------
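Review bot: The print_fit_hab.sh invocation above these values is unchanged, yet every file offset in its output moves by 0x2000 (0x5AC00 to 0x5CC00, 0x10AF18 to 0x10CF18, and so on). Name the imx-mkimage version or build setting that produces the new layout, so that a reader whose log still shows the old offsets can tell why, and repeat here that the CSF values must be copied from the reader's own build log rather than from this example.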
@@ -332,7 +341,7 @@ file.
[Authenticate Data]
...
- Blocks = 0x401FCDC0 0x57C00 0x1020 "flash-spl-enc.bin"
+ Blocks = 0x401FADC0 0x57C00 0x1020 "flash-spl-enc.bin"
- Add the Install Secret Key command to generate the dek_fit.bin file and
install the blob. The Blob Address is a fixed address defined in imx-mkimage
@@ -356,10 +365,10 @@ file.
imx-mkimage output:
- 0x40200000 0x5AC00 0xB0318 ──┬── Total length = 0xB0318 + 0x8628 = 0xB8940
- 0x402B0318 0x10AF18 0x8628 ──┘
- 0x920000 0x113540 0xA160
- 0xBE000000 0x11D6A0 0x48520
+ 0x40200000 0x5CC00 0xB0318 ──┬── Total length = 0xB0318 + 0x8628 = 0xB8940
+ 0x402B0318 0x10CF18 0x8628 ──┘
+ 0x920000 0x115540 0xA160
+ 0xBE000000 0x11F6A0 0x48520
Decrypt data in csf_fit_enc.txt:
@@ -367,9 +376,9 @@ file.
[Decrypt Data]
...
- Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \
- 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \
- 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin"
+ Blocks = 0x40200000 0x5CC00 0xB8940 "flash-spl-fit-enc.bin", \
+ 0x920000 0x115540 0xA160 "flash-spl-fit-enc.bin", \
+ 0xBE000000 0x11F6A0 0x48520 "flash-spl-fit-enc.bin"
1.8.2 csf_fit_sign_enc.txt
---------------------------
@@ -384,10 +393,10 @@ The second CSF is used to sign the encrypted FIT image previously generated
[Authenticate Data]
...
- Blocks = 0x401fcdc0 0x57c00 0x1020 "flash-spl-fit-enc.bin"
- 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc.bin", \
- 0x920000 0x113540 0xA160 "flash-spl-fit-enc.bin", \
- 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc.bin"
+ Blocks = 0x401fadc0 0x57c00 0x1020 "flash-spl-fit-enc.bin"
+ 0x40200000 0x5CC00 0xB8940 "flash-spl-fit-enc.bin", \
+ 0x920000 0x115540 0xA160 "flash-spl-fit-enc.bin", \
+ 0xBE000000 0x11F6A0 0x48520 "flash-spl-fit-enc.bin"
- Add the Install Secret Key command to generate a dummy DEK blob file,
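Review bot: The first entry of the rewritten Blocks list, "Blocks = 0x401fadc0 0x57c00 0x1020 "flash-spl-fit-enc.bin"", has no trailing ", \" continuation, unlike the two entries that follow it. The omission was already in the old text, but since the line is being replaced it should be fixed here so the four entries read as a single [Authenticate Data] Blocks statement that can be pasted into csf_fit_sign_enc.txt.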
@@ -408,9 +417,28 @@ The second CSF is used to sign the encrypted FIT image previously generated
[Decrypt Data]
...
- Blocks = 0x40200000 0x5AC00 0xB8940 "flash-spl-fit-enc-dummy.bin", \
- 0x920000 0x113540 0xA160"flash-spl-fit-enc-dummy.bin", \
- 0xBE000000 0x11D6A0 0x48520 "flash-spl-fit-enc-dummy.bin"
+ Blocks = 0x40200000 0x5CC00 0xB8940 "flash-spl-fit-enc-dummy.bin", \
+ 0x920000 0x115540 0xA160"flash-spl-fit-enc-dummy.bin", \
+ 0xBE000000 0x11F6A0 0x48520 "flash-spl-fit-enc-dummy.bin"
+
+1.8.3 (Optional) csf_fit_fdt.txt
+---------------------------
+
+When optional FIT FDT signature is used, user needs third CSF to sign encrypted-flash.bin
+generated by 1.11.2. Because FIT FDT structure is not encrypted, so this step will not
+encrypt any data.
+
+- FIT FDT signature "Authenticate Data" addresses in flash.bin build log:
+
+ fit-fdt hab block: 0x401fadc0 0x57c00 0x3020
+
+- "Authenticate Data" command in csf_fit_fdt.txt file:
+
+ For example:
+
+ [Authenticate Data]
+ ...
+ Blocks = 0x401fadc0 0x57c00 0x3020 "encrypted-flash.bin"
1.9 Encrypting and signing the FIT image
-----------------------------------------
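Review bot: New section 1.8.3 tells the reader to sign the encrypted-flash.bin "generated by 1.11.2", a forward reference from a section that is ordered before 1.9. State explicitly that csf_fit_fdt.txt can only be processed after the SPL and FIT CSF binaries and DEK blobs have been inserted in 1.11.2, and list the commands hidden behind "..." or point to the CSF they are copied from. Minor points in the same hunk: the entry 0xA160"flash-spl-fit-enc-dummy.bin" is still missing a space before the file name, the heading underline is shorter than the 1.8.3 title, and "Because ... so" should lose one of the two conjunctions.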
@@ -503,6 +531,10 @@ The CSF offsets can be obtained from the flash.bin build log:
sld_csf_off 0x58c20
+- (Optional) FIT FDT CSF offset:
+
+ fit-fdt csf_off 0x5ac20
+
The encrypted flash.bin image can be then assembled:
- Create a flash-spl-fit-enc.bin copy:
@@ -539,7 +571,21 @@ The encrypted flash.bin image can be then assembled:
$ dd if=dek_fit_blob.bin of=encrypted-flash.bin seek=$((0x165BC0)) bs=1 conv=notrunc
-1.11.3 Flash encrypted boot image
+1.11.3 (Optional) Create and Insert FIT FDT CSF
+-----------------------------------
+
+If FIT FDT signature is used, users need to continue sign the encrypted-flash.bin
+with csf_fit_fdt.txt CSF file
+
+- Create FIT FDT CSF binary file
+
+ $ ./cst -i csf_fit_fdt.txt -o csf_fit_fdt.bin
+
+- Insert csf_fit_fdt.bin in encrypted-flash.bin at 0x5ac20 offset:
+
+ $ dd if=csf_fit_fdt.bin of=encrypted-flash.bin seek=$((0x5ac20)) bs=1 conv=notrunc
+
+1.11.4 Flash encrypted boot image
-----------------------------------
- Flash encrypted image in SDCard:
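Review bot: The dd step in new section 1.11.3 writes csf_fit_fdt.bin at 0x5ac20 with bs=1 conv=notrunc and gives no size limit. The first FIT block in this guide starts at file offset 0x5CC00, so a CSF binary larger than 0x1FE0 bytes would silently overwrite the start of u-boot-nodtb.bin after it was signed and encrypted. Add the maximum size, or a check of the csf_fit_fdt.bin file size before the dd, and note that this step must run after the inserts in 1.11.2. The introductory sentence also needs a closing period and should read "continue to sign", and the heading underline does not match the title length.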