Security does not stop once the boot process finishes. TA 2.1 provides continuous run-time isolation.

Central Security Unit (CSU)
Once validated, execution hands off to the validated bootloader (typically U-Boot). U-Boot then uses identical Trust Architecture API routines to validate the Linux kernel image, device tree, and root filesystem before boot.

4. Key Management and Code Signing
This article is based on publicly available documentation and community resources. For complete technical details, developers should consult the official QorIQ Trust Architecture 2.1 User Guide under NDA with NXP.
Hardware-based entropy generation compliant with NIST SP 800-90A.

Internal Secure Memory (SFP and SNVS)
Create an input configuration file (input_config) defining your image layouts, memory entry points, and source files. Run the CST tool to append the validation metadata and signature block to your binary:
Generate the RSA public/private key pairs using the NXP Code Signing Tool (CST) or OpenSSL.
Version 2.1 of this architecture introduces advanced cryptographic capabilities, enhanced state validation, and more robust hardware-enforced protection mechanisms. This guide explains how Trust Architecture 2.1 works and details how to configure it to secure your embedded deployment.

1. Core Pillars of Trust Architecture 2.1