[U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation
Gupta Ruchika-R66431
R66431 at freescale.com
Tue Apr 9 12:11:55 CEST 2013
> -----Original Message-----
> From: Phillips Kim-R1AAHA
> Sent: Saturday, March 30, 2013 4:08 AM
> To: Gupta Ruchika-R66431
> Cc: Otavio Salvador; U-Boot Mailing List; Fleming Andy-AFLEMING
> Subject: Re: [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next
> level image validation
>
> On Fri, 29 Mar 2013 04:43:23 +0000
> Gupta Ruchika-R66431 <R66431 at freescale.com> wrote:
>
> > > From: otavio.salvador at gmail.com [mailto:otavio.salvador at gmail.com]
> > > On Behalf Of Otavio Salvador
> > > Sent: Thursday, March 28, 2013 8:23 PM
> > > To: Gupta Ruchika-R66431
> > > Cc: U-Boot Mailing List; Fleming Andy-AFLEMING
> > > Subject: Re: [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for
> > > next level image validation
> > >
> > > On Thu, Mar 28, 2013 at 7:46 AM, Ruchika Gupta
> > > <ruchika.gupta at freescale.com>
> > > wrote:
> > > > The patch set adds support for next level image validation (linux,
> > > > rootfs, dtb) in secure boot scenarios.
> > >
> > > It seems to focus on PowerPC, do you know if the same code could be
> > > ported to ARM?
> > > For the code to be ported to ARM platform, corresponding hardware blocks
> > > like cryptographic accelerator/SW support for crypto operations, IOMMU and a
> > > security monitor block will be required.
>
> i.mx6 has, and other future ARM-based devices will have, a CAAM, so I see no
> reason why any of this code should be restricted to power arch at all.
>
> How does this patchseries integrate with this SHA offload
> patchseries:
>
> http://article.gmane.org/gmane.comp.boot-loaders.u-boot/156321
Once this patch series is applied on the main branch I will rebase my patch, align to this and re-send.
>
> and this "verified boot" implementation:
>
> http://article.gmane.org/gmane.comp.boot-loaders.u-boot/156422
>
> ?
Thanks for pointing this link out. We have been using a bootscript approach for validating next level images, which works on validation of each of the Linux, rootfs and dtb images separately. The location of this bootscript is hardcoded in the board bootcmd file. However, the approach pointed to by this link is more generic, since it validates a single FIT image. I will work towards integrating our SoC's approach into this framework.
Ruchika