[U-Boot] [PATCH v3 0/7] Determine Boot mode at run time

Aneesh Bansal aneesh.bansal at nxp.com
Fri Jan 22 12:07:21 CET 2016


There are two phases in Secure Boot
1. ISBC: In BootROM, validate the BootLoader (U-Boot).
2. ESBC: In U-Boot, continuing the Chain of Trust by
         validating and booting LINUX.

For ESBC phase, there is no difference in SoC's based on ARM or PowerPC
cores.

But the exit conditions after ISBC phase i.e. entry conditions for
U-Boot are different for ARM and PowerPC.
PowerPC:
========
If Secure Boot is executed, a separate U-Boot target is required which
must be compiled with a different Text Base as compared to Non-Secure Boot.
There are some LAW and TLB settings which are required specifically for
Secure Boot scenario.

ARM:
====
ARM based SoCs have a fixed memory map and exit conditions from BootROM
are the same irrespective of boot mode (Secure or Non-Secure).

This patchset is aimed at removing the requirement for a separate Secure Boot
target for ARM based SoC's. 

Another Security Requirement for running CHAIN_OF_TRUST is that U-Boot environment
must not be picked from flash/external memory. This cannot be done based on bootmode
at run time in current U-Boot architecture. Once this dependency is resolved, no separate
SECURE_BOOT target will be required for ARM based SoC's.

Currently, the only code under CONFIG_SECURE_BOOT for ARM SoCs is defining
CONFIG_ENV_IS_NOWHERE.

The patches have been tested on LS1043, LS1021, P3041 and T1024.

The patch set is dependent on following:
http://patchwork.ozlabs.org/patch/553826/

Aneesh Bansal (7):
  include/configs: make secure boot header file include uniform
  include/configs: move definition of CONFIG_CMD_BLOB
  SECURE_BOOT: split the secure boot functionality in two parts
  create function to determine boot mode
  enable chain of trust for ARM platforms
  enable chain of trust for PowerPC platforms
  SECURE_BOOT: change error handler for esbc_validate

 arch/arm/cpu/armv8/fsl-layerscape/soc.c            |   6 ++
 .../include/asm/arch-fsl-layerscape/immap_lsch2.h  |   3 +
 arch/arm/include/asm/arch-ls102xa/immap_ls102xa.h  |   2 +
 arch/arm/include/asm/fsl_secure_boot.h             |  20 +++-
 arch/powerpc/cpu/mpc85xx/cpu_init.c                |  14 +++
 arch/powerpc/include/asm/fsl_secure_boot.h         |  47 ++++++---
 arch/powerpc/include/asm/immap_85xx.h              |   3 +
 board/freescale/common/Makefile                    |   1 +
 board/freescale/common/cmd_esbc_validate.c         |   7 +-
 board/freescale/common/fsl_chain_of_trust.c        |  70 +++++++++++++
 board/freescale/common/fsl_validate.c              |   7 ++
 board/freescale/ls1021aqds/ls1021aqds.c            |   4 +
 board/freescale/ls1021atwr/ls1021atwr.c            |   4 +
 include/config_fsl_chain_trust.h                   | 101 ++++++++++++++++++
 include/config_fsl_secboot.h                       | 116 ---------------------
 include/configs/B4860QDS.h                         |   4 -
 include/configs/BSC9132QDS.h                       |   4 -
 include/configs/P1010RDB.h                         |   4 -
 include/configs/P2041RDB.h                         |   4 -
 include/configs/T102xQDS.h                         |  10 +-
 include/configs/T102xRDB.h                         |  10 +-
 include/configs/T1040QDS.h                         |   3 -
 include/configs/T104xRDB.h                         |   3 -
 include/configs/T208xQDS.h                         |   4 -
 include/configs/T208xRDB.h                         |   4 -
 include/configs/T4240QDS.h                         |   4 -
 include/configs/T4240RDB.h                         |   9 --
 include/configs/corenet_ds.h                       |   4 -
 include/configs/ls1021aqds.h                       |   5 +-
 include/configs/ls1021atwr.h                       |   5 +-
 include/configs/ls1043a_common.h                   |   8 ++
 include/configs/ls1043aqds.h                       |   2 +
 include/configs/ls1043ardb.h                       |   8 --
 include/fsl_validate.h                             |   2 +
 34 files changed, 299 insertions(+), 203 deletions(-)
 create mode 100644 board/freescale/common/fsl_chain_of_trust.c
 create mode 100644 include/config_fsl_chain_trust.h
 delete mode 100644 include/config_fsl_secboot.h

-- 
1.8.1.4


