[U-Boot] [PATCH] Add bootscript support to esbc_validate.

Ruchika Gupta ruchika.gupta at freescale.com
Wed Mar 11 11:39:31 CET 2015


Hi York,

> -----Original Message-----
> From: Sun York-R58495
> Sent: Tuesday, March 10, 2015 10:03 PM
> To: Gupta Ruchika-R66431; Rana Gaurav-B46163; u-boot at lists.denx.de
> Cc: Wood Scott-B07421; Bansal Aneesh-B39320
> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
> 
> On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote:
> > Hi York,
> >
> >> -----Original Message-----
> >> From: Sun York-R58495
> >> Sent: Tuesday, March 10, 2015 9:45 PM
> >> To: Rana Gaurav-B46163; u-boot at lists.denx.de
> >> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
> >> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
> >>
> >>
> >>
> >> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
> >>> 1. Default environment will be used for secure boot flow which
> >>> can't be edited or saved.
> >>> 2. Command for secure boot is predefined in the default environment
> >>> which will run on autoboot (and autoboot is the only option allowed
> >>> in case of secure boot) and it looks like this:
> >>>  #define CONFIG_SECBOOT \
> >>>  "setenv bs_hdraddr 0xe8e00000;"                 \
> >>>  "esbc_validate $bs_hdraddr;"                    \
> >>>  "source $img_addr;"                             \
> >>>  "esbc_halt;"
> >>>  #endif
> >>> 3. Boot Script can contain esbc_validate commands and bootm command.
> >>>  U-Boot source command used in default secure boot command will run
> >>> the bootscript.
> >>> 4. Command esbc_halt added to ensure either bootm executes after
> >>> validation of images or core should just spin.
> >>>
> >> What's the purpose of "esbc_halt"? Once it enters the spin, how to
> >> get it out?
> > The purpose of bootscript is to validate the next level images and then
> > pass control to it, so bootscript must contain a bootm command. We don't
> > expect control to return back to u-boot. Hence a command esbc_halt is
> > introduced which would make the core spin and not provide uboot prompt in
> > case bootscript doesn't pass control to next level image.
> > For secure chain of trust, only validated bootscript should be allowed to
> > execute and be responsible for passing control to next level image.
> >
> 
> Ruchika,
> 
> Do you expect secure boot to run automatically once u-boot reaches the prompt
> and the "source $img_addr" to actually boot the OS? You put "esbc_halt" as a
> fall-back to catch failure above? It doesn't sound very secure to me.

The bootscript is first validated. Only an authenticated user, who has the private key, can sign the bootscript. Thus validating the bootscript is important in the secure boot chain of trust.

You are right regarding fallback as esbc_halt. In the esbc_halt implementation, we will add code to clear security secrets on the chip, and issue a reset. We will send a separate patch for that.

Ruchika

> 
> I am hoping other reviewers can chime in and give comments.
> 
> York
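As an added illustration (not part of the patch or of this thread), this is the shape a boot script of the kind described above could take in U-Boot hush syntax: every ESBC header is validated before any image is used, bootm runs only after all validations, and esbc_halt follows bootm so that a bootm that returns never falls through to a prompt. The header and image addresses are placeholders, not values from the patch.

```hush
# Hypothetical boot.scr source for the secure boot flow discussed in the thread.
# All addresses below are placeholders. esbc_validate and esbc_halt are the
# commands introduced by the patch; setenv, bootm are standard U-Boot commands.
setenv kernel_hdraddr 0xe8f00000
setenv dtb_hdraddr 0xe8f10000
setenv kernel_addr 0xe9000000
setenv dtb_addr 0xe9f00000

# Validate the header of every image that will be used, before using any of
# them. Nothing below this point runs on an unvalidated image.
esbc_validate $kernel_hdraddr
esbc_validate $dtb_hdraddr

# Hand control to the next stage only after all validations have passed.
bootm $kernel_addr - $dtb_addr

# Not reached on a successful boot. If bootm returns, spin here rather than
# returning to the default command and exposing a U-Boot prompt.
esbc_halt
```

The default CONFIG_SECBOOT command shown earlier in the thread runs esbc_halt after "source" as well, so the script's own esbc_halt is a second layer on the same fallback.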
