[U-Boot] [PATCH v3 3/7] SECURE_BOOT: split the secure boot functionality in two parts

york sun york.sun at nxp.com
Wed Jan 27 18:01:13 CET 2016 

On 01/22/2016 03:10 AM, Aneesh Bansal wrote:
> There are two phases in Secure Boot
> 1. ISBC: In BootROM, validate the BootLoader (U-Boot).
> 2. ESBC: In U-Boot, continuing the Chain of Trust by
>          validating and booting LINUX.
> 
> For ESBC phase, there is no difference in SoC's based on ARM or PowerPC
> cores.
> 
> But the exit conditions after ISBC phase i.e. entry conditions for
> U-Boot are different for ARM and PowerPC.
> PowerPC:
> ========
> If Secure Boot is executed, a separate U-Boot target is required which
> must be compiled with a diffrent Text Base as compared to Non-Secure Boot.
> There are some LAW and TLB settings which are required specifically for
> Secure Boot scenario.
> 
> ARM:
> ====
> ARM based SoC's have a fixed memory map and exit conditions from BootROM
> are same irrespective of boot mode (Secure or Non-Secure).
> 
> Thus the current Secure Boot functionlity has been split into two parts:
> 
> CONFIG_CHAIN_OF_TRUST
> ========================
> This will have the following functionality as part of U-Boot:
> 1. Enable commands like esbc_validate, esbc_halt
> 2. Change the environment settings based on bootmode (determined at run time):
>      - If bootmode is non-secure, no change
>      - If bootmode is secure, set the following:
>          - bootdelay = 0 (Don't give boot prompt)
>          - bootcmd = Validate and execute the bootscript.
> 
> CONFIG_SECURE_BOOT
> =====================
> This is defined only for creating a different compile time target for secure boot.
> 
> Traditionally, both these functionalities were defined under CONFIG_SECURE_BOOT
> This patch is aimed at removing the requirement for a separate Secure Boot target
> for ARM based SoC's. CONFIG_CHAIN_OF_TRUST will be defined and boot mode will be
> determine at run time.
> 
> Another Security Requirement for running CHAIN_OF_TRUST is that U-Boot environemnt
> must not be picked from flash/external memory. This cannot be done based on bootmode
> at run time in current U-Boot architecture. Once this dependency is resolved, no separate
> SECURE_BOOT target will be required for ARM based SoC's.
> 
> Currently, the only code under CONFIG_SECURE_BOOT for ARM SoC's is defining
> CONFIG_ENV_IS_NOWHERE
> 
> Signed-off-by: Aneesh Bansal <aneesh.bansal at nxp.com>
> ---
> Changes in v3:
> None
> 
> Changes in v2:
> CONFIG_ENV_IS_NOWHERE is defined for Secure Boot
> 
>  arch/arm/include/asm/fsl_secure_boot.h     |  16 ++--
>  arch/powerpc/include/asm/fsl_secure_boot.h |  41 +++++-----
>  include/config_fsl_chain_trust.h           | 101 +++++++++++++++++++++++++
>  include/config_fsl_secboot.h               | 116 -----------------------------
>  4 files changed, 135 insertions(+), 139 deletions(-)
>  create mode 100644 include/config_fsl_chain_trust.h
>  delete mode 100644 include/config_fsl_secboot.h
> 

Change subject prefix to "secure_boot:". Slightly reformat commit message.
Applied to u-boot-fsl-qoriq master. Awaiting upstream.

Thanks.

York

More information about the U-Boot mailing list