[U-Boot] [PATCH 1/1] Enable IE (Key extension) Feature in LS2080A

york sun york.sun at nxp.com
Wed Feb 8 16:54:51 UTC 2017


On 02/07/2017 10:48 PM, Udit Agarwal wrote:
> For validating images from uboot (Such as Kernel Image), either keys
> from SoC fuses can be used or keys from a verified table of public keys
> can be used. The latter feature is called IE Key Extension Feature.
>
> On ls-ch3 platforms, IE table is validated by Bootrom and address of this
> table is written in scratch registers 13 and 14 via PBI commands.
>
> The procedure is to first verify IE table using Keys stored in fuses,
> and then use the keys in this table to verify further images. So the steps
> are:
>
> 1) Verify IE Table (If "IE Table Flag" set in any image
> i.e. Verify IE Table only when any image needs IE Table's Key to be verified)
> 2) Install IE table. (To be used across verification of multiple images.
> Stored in a static global structure.)
> 3) If IE flag enabled in header of any image, Use keys from IE table,
> otherwise use keys tied up with SoC's fuses (SRK).
>
> Signed-off-by: Aneesh Bansal <aneesh.bansal at nxp.com>
> Signed-off-by: Saksham Jain <saksham.jain at nxp.com>
> Signed-off-by: Udit Agarwal <udit.agarwal at nxp.com>
> ---
>  arch/arm/include/asm/fsl_secure_boot.h |  6 +--
>  board/freescale/common/fsl_validate.c  | 88 +++++++++++++++++++++++++++-------
>  include/fsl_validate.h                 | 24 +++++++++-
>  3 files changed, 97 insertions(+), 21 deletions(-)
>
> diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h
> index 27cf096..a612b7d 100644
> --- a/arch/arm/include/asm/fsl_secure_boot.h
> +++ b/arch/arm/include/asm/fsl_secure_boot.h
> @@ -51,11 +51,11 @@
>   * in boot ROM of the SoC.
>   * The feature is only applicable in case of NOR boot and is
>   * not applicable in case of RAMBOOT (NAND, SD, SPI).
> + * For LS, this feature is available for all device if IE Table
> + * is copied to XIP memory
> + * Also, for LS, ISBC doesn't verify this table.
>   */
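
Review bot: The added line "Also, for LS, ISBC doesn't verify this table" conflicts with the commit message, which says that on ls-ch3 platforms the IE table is validated by Bootrom. The comment should state which stage verifies the table on which platforms (step 1 of the commit message verifies it with the keys stored in fuses), so a reader can see that keys from the table are never used before the table itself has been checked. Also, "for all device" should read "for all devices", and "LS" would be clearer if the comment named the platform family it means.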

Udit,

Your comment says this feature is available for all devices if IE table 
is copied to XIP memory, but ISBC doesn't verify this table. Your commit 
message says the first step is to verify IE table. How is the result of 
verification passed to U-Boot?

Your subject says LS2080A, but this feature is not only for LS2080A, is 
it? Can you verify more platforms and revise the subject?

York

