[U-Boot] [PATCH v2 3/7] SECURE_BOOT: split the secure boot functionality in two parts
Aneesh Bansal
aneesh.bansal at nxp.com
Sun Jan 17 10:39:32 CET 2016
There are two phases in Secure Boot
1. ISBC: In BootROM, validate the BootLoader (U-Boot).
2. ESBC: In U-Boot, continuing the Chain of Trust by
validating and booting LINUX.
For ESBC phase, there is no difference in SoC's based on ARM or PowerPC
cores.
But the exit conditions after ISBC phase i.e. entry conditions for
U-Boot are different for ARM and PowerPC.
PowerPC:
========
If Secure Boot is executed, a separate U-Boot target is required which
must be compiled with a diffrent Text Base as compared to Non-Secure Boot.
There are some LAW and TLB settings which are required specifically for
Secure Boot scenario.
ARM:
====
ARM based SoC's have a fixed memory map and exit conditions from BootROM
are same irrespective of boot mode (Secure or Non-Secure).
Thus the current Secure Boot functionlity has been split into two parts:
CONFIG_CHAIN_OF_TRUST
========================
This will have the following functionality as part of U-Boot:
1. Enable commands like esbc_validate, esbc_halt
2. Change the environment settings based on bootmode (determined at run time):
- If bootmode is non-secure, no change
- If bootmode is secure, set the following:
- bootdelay = 0 (Don't give boot prompt)
- bootcmd = Validate and execute the bootscript.
CONFIG_SECURE_BOOT
=====================
This is defined only for creating a different compile time target for secure boot.
Traditionally, both these functionalities were defined under CONFIG_SECURE_BOOT
This patch is aimed at removing the requirement for a separate Secure Boot target
for ARM based SoC's. CONFIG_CHAIN_OF_TRUST will be defined and boot mode will be
determine at run time.
Another Security Requirement for running CHAIN_OF_TRUST is that U-Boot environemnt
must not be picked from flash/external memory. This cannot be done based on bootmode
at run time in current U-Boot architecture. Once this dependency is resolved, no separate
SECURE_BOOT target will be required for ARM based SoC's.
Currently, the only code under CONFIG_SECURE_BOOT for ARM SoC's is defining
CONFIG_ENV_IS_NOWHERE
Signed-off-by: Aneesh Bansal <aneesh.bansal at nxp.com>
---
Changes in v2:
CONFIG_ENV_IS_NOWHERE is defined for Secure Boot
arch/arm/include/asm/fsl_secure_boot.h | 16 ++--
arch/powerpc/include/asm/fsl_secure_boot.h | 41 +++++-----
include/config_fsl_chain_trust.h | 101 +++++++++++++++++++++++++
include/config_fsl_secboot.h | 116 -----------------------------
4 files changed, 135 insertions(+), 139 deletions(-)
create mode 100644 include/config_fsl_chain_trust.h
delete mode 100644 include/config_fsl_secboot.h
diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h
index 8491a72..0da0599 100644
--- a/arch/arm/include/asm/fsl_secure_boot.h
+++ b/arch/arm/include/asm/fsl_secure_boot.h
@@ -8,6 +8,14 @@
#define __FSL_SECURE_BOOT_H
#ifdef CONFIG_SECURE_BOOT
+
+#ifndef CONFIG_FIT_SIGNATURE
+#define CONFIG_CHAIN_OF_TRUST
+#endif
+
+#endif
+
+#ifdef CONFIG_CHAIN_OF_TRUST
#define CONFIG_CMD_ESBC_VALIDATE
#define CONFIG_CMD_BLOB
#define CONFIG_FSL_SEC_MON
@@ -40,8 +48,6 @@
#define CONFIG_ESBC_ADDR_64BIT
#endif
-#ifndef CONFIG_FIT_SIGNATURE
-
#define CONFIG_EXTRA_ENV \
"setenv fdt_high 0xcfffffff;" \
"setenv initrd_high 0xcfffffff;" \
@@ -50,8 +56,6 @@
/* The address needs to be modified according to NOR memory map */
#define CONFIG_BOOTSCRIPT_HDR_ADDR 0x600a0000
-#include <config_fsl_secboot.h>
-#endif
-#endif
-
+#include <config_fsl_chain_trust.h>
+#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */
#endif
diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h b/arch/powerpc/include/asm/fsl_secure_boot.h
index 7d217a6..41058d1 100644
--- a/arch/powerpc/include/asm/fsl_secure_boot.h
+++ b/arch/powerpc/include/asm/fsl_secure_boot.h
@@ -9,19 +9,11 @@
#include <asm/config_mpc85xx.h>
#ifdef CONFIG_SECURE_BOOT
-#define CONFIG_CMD_ESBC_VALIDATE
-#define CONFIG_CMD_BLOB
-#define CONFIG_FSL_SEC_MON
-#define CONFIG_SHA_PROG_HW_ACCEL
-#define CONFIG_DM
-#define CONFIG_RSA
-#define CONFIG_RSA_FREESCALE_EXP
-#ifndef CONFIG_FSL_CAAM
-#define CONFIG_FSL_CAAM
-#endif
+
+#ifndef CONFIG_FIT_SIGNATURE
+#define CONFIG_CHAIN_OF_TRUST
#endif
-#ifdef CONFIG_SECURE_BOOT
#if defined(CONFIG_FSL_CORENET)
#define CONFIG_SYS_PBI_FLASH_BASE 0xc0000000
#elif defined(CONFIG_BSC9132QDS)
@@ -76,8 +68,25 @@
*/
#define CONFIG_FSL_ISBC_KEY_EXT
#endif
+#endif /* #ifdef CONFIG_SECURE_BOOT */
+
+#ifdef CONFIG_CHAIN_OF_TRUST
+
+#define CONFIG_CMD_ESBC_VALIDATE
+#define CONFIG_CMD_BLOB
+#define CONFIG_FSL_SEC_MON
+#define CONFIG_SHA_PROG_HW_ACCEL
+#define CONFIG_RSA
+#define CONFIG_RSA_FREESCALE_EXP
+
+#ifndef CONFIG_DM
+#define CONFIG_DM
+#endif
+
+#ifndef CONFIG_FSL_CAAM
+#define CONFIG_FSL_CAAM
+#endif
-#ifndef CONFIG_FIT_SIGNATURE
/* If Boot Script is not on NOR and is required to be copied on RAM */
#ifdef CONFIG_BOOTSCRIPT_COPY_RAM
#define CONFIG_BS_HDR_ADDR_RAM 0x00010000
@@ -105,10 +114,8 @@
#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xee020000
#endif
-#endif
-
-#include <config_fsl_secboot.h>
-#endif
+#endif /* #ifdef CONFIG_BOOTSCRIPT_COPY_RAM */
-#endif
+#include <config_fsl_chain_trust.h>
+#endif /* #ifdef CONFIG_CHAIN_OF_TRUST */
#endif
diff --git a/include/config_fsl_chain_trust.h b/include/config_fsl_chain_trust.h
new file mode 100644
index 0000000..45dda56
--- /dev/null
+++ b/include/config_fsl_chain_trust.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright 2015 Freescale Semiconductor, Inc.
+ *
+ * SPDX-License-Identifier: GPL-2.0+
+ */
+
+#ifndef __CONFIG_FSL_CHAIN_TRUST_H
+#define __CONFIG_FSL_CHAIN_TRUST_H
+
+/* For secure boot, since ENVIRONMENT in flash/external memories is
+ * not verified, undef CONFIG_ENV_xxx and set default env
+ * (CONFIG_ENV_IS_NOWHERE)
+ */
+#ifdef CONFIG_SECURE_BOOT
+
+#undef CONFIG_ENV_IS_IN_EEPROM
+#undef CONFIG_ENV_IS_IN_NAND
+#undef CONFIG_ENV_IS_IN_MMC
+#undef CONFIG_ENV_IS_IN_SPI_FLASH
+#undef CONFIG_ENV_IS_IN_FLASH
+
+#define CONFIG_ENV_IS_NOWHERE
+
+#endif
+
+#ifdef CONFIG_CHAIN_OF_TRUST
+
+#ifndef CONFIG_EXTRA_ENV
+#define CONFIG_EXTRA_ENV ""
+#endif
+
+/*
+ * Control should not reach back to uboot after validation of images
+ * for secure boot flow and therefore bootscript should have
+ * the bootm command. If control reaches back to uboot anyhow
+ * after validating images, core should just spin.
+ */
+
+/*
+ * Define the key hash for boot script here if public/private key pair used to
+ * sign bootscript are different from the SRK hash put in the fuse
+ * Example of defining KEY_HASH is
+ * #define CONFIG_BOOTSCRIPT_KEY_HASH \
+ * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
+ */
+
+#ifdef CONFIG_BOOTSCRIPT_KEY_HASH
+#define CONFIG_SECBOOT \
+ "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
+ "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \
+ "ramdisk_size=600000\';" \
+ CONFIG_EXTRA_ENV \
+ "esbc_validate $bs_hdraddr " \
+ __stringify(CONFIG_BOOTSCRIPT_KEY_HASH)";" \
+ "source $img_addr;" \
+ "esbc_halt\0"
+#else
+#define CONFIG_SECBOOT \
+ "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
+ "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \
+ "ramdisk_size=600000\';" \
+ CONFIG_EXTRA_ENV \
+ "esbc_validate $bs_hdraddr;" \
+ "source $img_addr;" \
+ "esbc_halt\0"
+#endif
+
+/* For secure boot flow, default environment used will be used */
+#if defined(CONFIG_SYS_RAMBOOT)
+#ifdef CONFIG_BOOTSCRIPT_COPY_RAM
+#define CONFIG_BS_COPY_ENV \
+ "setenv bs_hdr_ram " __stringify(CONFIG_BS_HDR_ADDR_RAM)";" \
+ "setenv bs_hdr_flash " __stringify(CONFIG_BS_HDR_ADDR_FLASH)";" \
+ "setenv bs_hdr_size " __stringify(CONFIG_BS_HDR_SIZE)";" \
+ "setenv bs_ram " __stringify(CONFIG_BS_ADDR_RAM)";" \
+ "setenv bs_flash " __stringify(CONFIG_BS_ADDR_FLASH)";" \
+ "setenv bs_size " __stringify(CONFIG_BS_SIZE)";"
+
+#if defined(CONFIG_RAMBOOT_NAND)
+#define CONFIG_BS_COPY_CMD \
+ "nand read $bs_hdr_ram $bs_hdr_flash $bs_hdr_size ;" \
+ "nand read $bs_ram $bs_flash $bs_size ;"
+#endif /* CONFIG_RAMBOOT_NAND */
+#endif /* CONFIG_BOOTSCRIPT_COPY_RAM */
+
+#endif
+
+#ifndef CONFIG_BS_COPY_ENV
+#define CONFIG_BS_COPY_ENV
+#endif
+
+#ifndef CONFIG_BS_COPY_CMD
+#define CONFIG_BS_COPY_CMD
+#endif
+
+#define CONFIG_CHAIN_BOOT_CMD CONFIG_BS_COPY_ENV \
+ CONFIG_BS_COPY_CMD \
+ CONFIG_SECBOOT
+
+#endif
+#endif
diff --git a/include/config_fsl_secboot.h b/include/config_fsl_secboot.h
deleted file mode 100644
index fc6788a..0000000
--- a/include/config_fsl_secboot.h
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Copyright 2015 Freescale Semiconductor, Inc.
- *
- * SPDX-License-Identifier: GPL-2.0+
- */
-
-#ifndef __CONFIG_FSL_SECBOOT_H
-#define __CONFIG_FSL_SECBOOT_H
-
-#ifdef CONFIG_SECURE_BOOT
-
-#ifndef CONFIG_CMD_ESBC_VALIDATE
-#define CONFIG_CMD_ESBC_VALIDATE
-#endif
-
-#ifndef CONFIG_EXTRA_ENV
-#define CONFIG_EXTRA_ENV ""
-#endif
-
-/*
- * Control should not reach back to uboot after validation of images
- * for secure boot flow and therefore bootscript should have
- * the bootm command. If control reaches back to uboot anyhow
- * after validating images, core should just spin.
- */
-
-/*
- * Define the key hash for boot script here if public/private key pair used to
- * sign bootscript are different from the SRK hash put in the fuse
- * Example of defining KEY_HASH is
- * #define CONFIG_BOOTSCRIPT_KEY_HASH \
- * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
- */
-
-#ifdef CONFIG_BOOTSCRIPT_KEY_HASH
-#define CONFIG_SECBOOT \
- "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
- "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \
- "ramdisk_size=600000\';" \
- CONFIG_EXTRA_ENV \
- "esbc_validate $bs_hdraddr " \
- __stringify(CONFIG_BOOTSCRIPT_KEY_HASH)";" \
- "source $img_addr;" \
- "esbc_halt\0"
-#else
-#define CONFIG_SECBOOT \
- "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
- "setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 " \
- "ramdisk_size=600000\';" \
- CONFIG_EXTRA_ENV \
- "esbc_validate $bs_hdraddr;" \
- "source $img_addr;" \
- "esbc_halt\0"
-#endif
-
-/* For secure boot flow, default environment used will be used */
-#if defined(CONFIG_SYS_RAMBOOT)
-#ifdef CONFIG_BOOTSCRIPT_COPY_RAM
-#define CONFIG_BS_COPY_ENV \
- "setenv bs_hdr_ram " __stringify(CONFIG_BS_HDR_ADDR_RAM)";" \
- "setenv bs_hdr_flash " __stringify(CONFIG_BS_HDR_ADDR_FLASH)";" \
- "setenv bs_hdr_size " __stringify(CONFIG_BS_HDR_SIZE)";" \
- "setenv bs_ram " __stringify(CONFIG_BS_ADDR_RAM)";" \
- "setenv bs_flash " __stringify(CONFIG_BS_ADDR_FLASH)";" \
- "setenv bs_size " __stringify(CONFIG_BS_SIZE)";"
-
-#if defined(CONFIG_RAMBOOT_NAND)
-#define CONFIG_BS_COPY_CMD \
- "nand read $bs_hdr_ram $bs_hdr_flash $bs_hdr_size ;" \
- "nand read $bs_ram $bs_flash $bs_size ;"
-#endif /* CONFIG_RAMBOOT_NAND */
-#endif /* CONFIG_BOOTSCRIPT_COPY_RAM */
-
-#if defined(CONFIG_RAMBOOT_SPIFLASH)
-#undef CONFIG_ENV_IS_IN_SPI_FLASH
-#elif defined(CONFIG_RAMBOOT_NAND)
-#undef CONFIG_ENV_IS_IN_NAND
-#elif defined(CONFIG_RAMBOOT_SDCARD)
-#undef CONFIG_ENV_IS_IN_MMC
-#endif
-#else /*CONFIG_SYS_RAMBOOT*/
-#undef CONFIG_ENV_IS_IN_FLASH
-#endif
-
-#define CONFIG_ENV_IS_NOWHERE
-
-#ifndef CONFIG_BS_COPY_ENV
-#define CONFIG_BS_COPY_ENV
-#endif
-
-#ifndef CONFIG_BS_COPY_CMD
-#define CONFIG_BS_COPY_CMD
-#endif
-
-#define CONFIG_SECBOOT_CMD CONFIG_BS_COPY_ENV \
- CONFIG_BS_COPY_CMD \
- CONFIG_SECBOOT
-/*
- * We don't want boot delay for secure boot flow
- * before autoboot starts
- */
-#undef CONFIG_BOOTDELAY
-#define CONFIG_BOOTDELAY 0
-#undef CONFIG_BOOTCOMMAND
-#define CONFIG_BOOTCOMMAND CONFIG_SECBOOT_CMD
-
-/*
- * CONFIG_ZERO_BOOTDELAY_CHECK should not be defined for
- * secure boot flow as defining this would enable a user to
- * reach uboot prompt by pressing some key before start of
- * autoboot
- */
-#undef CONFIG_ZERO_BOOTDELAY_CHECK
-
-#endif
-#endif
--
1.8.1.4
More information about the U-Boot
mailing list