[U-Boot] [PATCH v2 0/9] Secure Boot by Authenticating/Decrypting SPL FIT blobs
Andreas Dannenberg
dannenberg at ti.com
Fri Jun 24 17:57:08 CEST 2016
This is an updated version of a patch series that introduces a generic way
to optionally post-process blobs as they get extracted by the SPL from the
u-boot.img FIT image, and uses this scheme to perform some authentication/
decryption related processing on TI's high-secure (HS) SoC variants. For
additional background please see here [1].
Despite there being a few changes (see below) based on previous feedback
(thanks!) I did carry forward most of the Reviewed-by: tags as I felt the
fundamental approach and most if not all of the building blocks pretty much
stayed intact, I hope that's okay.
I've also completely re-rested the series on all applicable HS devices and
checked for any build issues as well as runtime issues without findings.
Changes PATCH->PATCH v2:
- Added some glue code to suppress SPL "Authentication passed" log messages
in case of UART/Y-Modem boot (thanks Lokesh)
- Dropped the .NOTPARALLEL make hack when building the 'dtbs' target. Now, we
rely on Yamada-san's patch [2] that fixes this on a more global scale
- Fixed some typos (thanks Yamada-san)
- Turned the __weak function call for inserting a post-processing function
into a Kconfig option (thanks Simon). Also enabled that Kconfig option
on applicable AM43xx HS, AM57xx HS, DRA7xx HS, and DRA72xx HS device
variants defconfig files (note there is a dependency on [3] which renames
the AM437x HS defconfig file)
- Introduced a new header file omap_sec_common.h for commom security API as
using omap_common.h as done previously led to issues trying to use this file
on AM43xx type devices. This device family (and AM335x as well) is not
supported by omap_common.h, and trying to include this file into AM43xx board
files leads to all kinds of issues (the registers and definitions are simply
not compatible)
- Re-ordered the series so that the Kconfig option is introduced after all
of the building blocks have been put into place (generic infrastructure and
the TI-specific implementation).
- Minor readme update to account for the new Kconfig option
Changes RFC->PATCH:
- Update of README.ti-secure
- Unification of some of the secure ROM API call stuff between AM43xx and
OMAP5-based platforms by moving those into common files
- Replacement of puts() with printf()
- Minor build simplification/cleanup
- Addition of "Reviewed-by:" comments for files that were pretty much carried
over from the RFC as-is
- Addition of AM437x HS device build support (was missing in RFC)
- Removal of some redundant conditional compile directives
- Rebased on upstream U-Boot commit "Prepare v2016.07-rc2"
--
Andreas Dannenberg
Texas Instruments Inc
[1] http://lists.denx.de/pipermail/u-boot/2016-June/258716.html
[2] http://lists.denx.de/pipermail/u-boot/2016-June/258912.html
[3] http://lists.denx.de/pipermail/u-boot/2016-June/258896.html
Andreas Dannenberg (5):
arm: omap-common: add secure rom call API for secure devices
arm: omap-common: secure ROM signature verify API
arm: omap-common: Update to generate secure U-Boot FIT blob
arm: omap5: add U-Boot FIT signing and SPL image post-processing
doc: Update info on using secure devices from TI
Daniel Allred (3):
arm: cache: add missing dummy functions for when dcache disabled
arm: omap-common: add secure smc entry
spl: fit: add support for post-processing of images
Madan Srinivas (1):
arm: am4x: add U-Boot FIT signing and SPL image post-processing
Kconfig | 4 +
arch/arm/cpu/armv7/am33xx/config.mk | 1 +
arch/arm/cpu/armv7/cache_v7.c | 8 ++
arch/arm/cpu/armv7/omap-common/Makefile | 2 +
arch/arm/cpu/armv7/omap-common/config_secure.mk | 75 ++++++++--
arch/arm/cpu/armv7/omap-common/lowlevel_init.S | 45 ++++--
arch/arm/cpu/armv7/omap-common/sec-common.c | 138 ++++++++++++++++++
arch/arm/cpu/armv7/omap5/config.mk | 3 +
arch/arm/include/asm/omap_common.h | 6 +
arch/arm/include/asm/omap_sec_common.h | 30 ++++
board/ti/am43xx/board.c | 8 ++
board/ti/am57xx/board.c | 8 ++
board/ti/dra7xx/evm.c | 9 ++
common/spl/spl_fit.c | 21 ++-
configs/am43xx_hs_evm_defconfig | 1 +
configs/am57xx_hs_evm_defconfig | 1 +
configs/dra7xx_hs_evm_defconfig | 1 +
doc/README.ti-secure | 177 ++++++++++++++++--------
include/image.h | 17 +++
19 files changed, 473 insertions(+), 82 deletions(-)
create mode 100644 arch/arm/cpu/armv7/omap-common/sec-common.c
create mode 100644 arch/arm/include/asm/omap_sec_common.h
--
2.6.4
More information about the U-Boot
mailing list