[U-Boot] [PATCH v3 0/7] Determine Boot mode at run time
Tom Rini
trini at konsulko.com
Mon Jan 25 16:36:12 CET 2016
On Fri, Jan 22, 2016 at 04:37:21PM +0530, Aneesh Bansal wrote:
> There are two phases in Secure Boot
> 1. ISBC: In BootROM, validate the BootLoader (U-Boot).
> 2. ESBC: In U-Boot, continuing the Chain of Trust by
> validating and booting LINUX.
>
> For ESBC phase, there is no difference in SoC's based on ARM or PowerPC
> cores.
>
> But the exit conditions after ISBC phase i.e. entry conditions for
> U-Boot are different for ARM and PowerPC.
> PowerPC:
> ========
> If Secure Boot is executed, a separate U-Boot target is required which
> must be compiled with a diffrent Text Base as compared to Non-Secure Boot.
> There are some LAW and TLB settings which are required specifically for
> Secure Boot scenario.
>
> ARM:
> ====
> ARM based SoC's have a fixed memory map and exit conditions from BootROM
> are same irrespective of boot mode (Secure or Non-Secure).
>
> This patchset is aimed at removing the requirement for a separate Secure Boot
> target for ARM based SoC's.
>
> Another Security Requirement for running CHAIN_OF_TRUST is that U-Boot environemnt
> must not be picked from flash/external memory. This cannot be done based on bootmode
> at run time in current U-Boot architecture. Once this dependency is resolved, no separate
> SECURE_BOOT target will be required for ARM based SoC's.
>
> Currently, the only code under CONFIG_SECURE_BOOT for ARM SoC's is defining
> CONFIG_ENV_IS_NOWHERE
>
> The patches have been tested on LS1043, LS1021, P3041 and T1024.
>
> The patch set is dependent on following:
> http://patchwork.ozlabs.org/patch/553826/
>
> Aneesh Bansal (7):
> include/configs: make secure boot header file include uniform
> include/configs: move definition of CONFIG_CMD_BLOB
> SECURE_BOOT: split the secure boot functionality in two parts
> create function to determine boot mode
> enable chain of trust for ARM platforms
> enable chain of trust for PowerPC platforms
> SECURE_BOOT: change error handler for esbc_validate
>
> arch/arm/cpu/armv8/fsl-layerscape/soc.c | 6 ++
> .../include/asm/arch-fsl-layerscape/immap_lsch2.h | 3 +
> arch/arm/include/asm/arch-ls102xa/immap_ls102xa.h | 2 +
> arch/arm/include/asm/fsl_secure_boot.h | 20 +++-
> arch/powerpc/cpu/mpc85xx/cpu_init.c | 14 +++
> arch/powerpc/include/asm/fsl_secure_boot.h | 47 ++++++---
> arch/powerpc/include/asm/immap_85xx.h | 3 +
> board/freescale/common/Makefile | 1 +
> board/freescale/common/cmd_esbc_validate.c | 7 +-
> board/freescale/common/fsl_chain_of_trust.c | 70 +++++++++++++
> board/freescale/common/fsl_validate.c | 7 ++
> board/freescale/ls1021aqds/ls1021aqds.c | 4 +
> board/freescale/ls1021atwr/ls1021atwr.c | 4 +
> include/config_fsl_chain_trust.h | 101 ++++++++++++++++++
> include/config_fsl_secboot.h | 116 ---------------------
> include/configs/B4860QDS.h | 4 -
> include/configs/BSC9132QDS.h | 4 -
> include/configs/P1010RDB.h | 4 -
> include/configs/P2041RDB.h | 4 -
> include/configs/T102xQDS.h | 10 +-
> include/configs/T102xRDB.h | 10 +-
> include/configs/T1040QDS.h | 3 -
> include/configs/T104xRDB.h | 3 -
> include/configs/T208xQDS.h | 4 -
> include/configs/T208xRDB.h | 4 -
> include/configs/T4240QDS.h | 4 -
> include/configs/T4240RDB.h | 9 --
> include/configs/corenet_ds.h | 4 -
> include/configs/ls1021aqds.h | 5 +-
> include/configs/ls1021atwr.h | 5 +-
> include/configs/ls1043a_common.h | 8 ++
> include/configs/ls1043aqds.h | 2 +
> include/configs/ls1043ardb.h | 8 --
> include/fsl_validate.h | 2 +
> 34 files changed, 299 insertions(+), 203 deletions(-)
> create mode 100644 board/freescale/common/fsl_chain_of_trust.c
> create mode 100644 include/config_fsl_chain_trust.h
> delete mode 100644 include/config_fsl_secboot.h
Looking at the config file changes, I think we need to move a bunch of
this stuff to Kconfig so that we can get these consistent and correct
each time.
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20160125/a92cc69f/attachment.sig>
More information about the U-Boot
mailing list