[U-Boot] [PATCH v2 0/9] Secure Boot by Authenticating/Decrypting SPL FIT blobs

Andreas Dannenberg dannenberg at ti.com
Fri Jun 24 17:57:08 CEST 2016


This is an updated version of a patch series that introduces a generic way
to optionally post-process blobs as they get extracted by the SPL from the
u-boot.img FIT image, and uses this scheme to perform some authentication/
decryption related processing on TI's high-secure (HS) SoC variants. For
additional background please see here [1].

Despite there being a few changes (see below) based on previous feedback
(thanks!) I did carry forward most of the Reviewed-by: tags as I felt the
fundamental approach and most if not all of the building blocks pretty much
stayed intact, I hope that's okay.

I've also completely re-tested the series on all applicable HS devices and
checked for any build issues as well as runtime issues without findings.

Changes PATCH->PATCH v2:
- Added some glue code to suppress SPL "Authentication passed" log messages
  in case of UART/Y-Modem boot (thanks Lokesh)
- Dropped the .NOTPARALLEL make hack when building the 'dtbs' target. Now, we
  rely on Yamada-san's patch [2] that fixes this on a more global scale
- Fixed some typos (thanks Yamada-san)
- Turned the __weak function call for inserting a post-processing function
  into a Kconfig option (thanks Simon). Also enabled that Kconfig option
  on applicable AM43xx HS, AM57xx HS, DRA7xx HS, and DRA72xx HS device
  variants defconfig files (note there is a dependency on [3] which renames
  the AM437x HS defconfig file)
- Introduced a new header file omap_sec_common.h for common security API as
  using omap_common.h as done previously led to issues trying to use this file
  on AM43xx type devices. This device family (and AM335x as well) is not
  supported by omap_common.h, and trying to include this file into AM43xx board
  files leads to all kinds of issues (the registers and definitions are simply
  not compatible)
- Re-ordered the series so that the Kconfig option is introduced after all
  of the building blocks have been put into place (generic infrastructure and
  the TI-specific implementation).
- Minor readme update to account for the new Kconfig option

Changes RFC->PATCH:
- Update of README.ti-secure
- Unification of some of the secure ROM API call stuff between AM43xx and
  OMAP5-based platforms by moving those into common files
- Replacement of puts() with printf()
- Minor build simplification/cleanup
- Addition of "Reviewed-by:" comments for files that were pretty much carried
  over from the RFC as-is
- Addition of AM437x HS device build support (was missing in RFC)
- Removal of some redundant conditional compile directives
- Rebased on upstream U-Boot commit "Prepare v2016.07-rc2"


--
Andreas Dannenberg
Texas Instruments Inc


[1] http://lists.denx.de/pipermail/u-boot/2016-June/258716.html
[2] http://lists.denx.de/pipermail/u-boot/2016-June/258912.html
[3] http://lists.denx.de/pipermail/u-boot/2016-June/258896.html

Andreas Dannenberg (5):
  arm: omap-common: add secure rom call API for secure devices
  arm: omap-common: secure ROM signature verify API
  arm: omap-common: Update to generate secure U-Boot FIT blob
  arm: omap5: add U-Boot FIT signing and SPL image post-processing
  doc: Update info on using secure devices from TI

Daniel Allred (3):
  arm: cache: add missing dummy functions for when dcache disabled
  arm: omap-common: add secure smc entry
  spl: fit: add support for post-processing of images

Madan Srinivas (1):
  arm: am4x: add U-Boot FIT signing and SPL image post-processing

 Kconfig                                         |   4 +
 arch/arm/cpu/armv7/am33xx/config.mk             |   1 +
 arch/arm/cpu/armv7/cache_v7.c                   |   8 ++
 arch/arm/cpu/armv7/omap-common/Makefile         |   2 +
 arch/arm/cpu/armv7/omap-common/config_secure.mk |  75 ++++++++--
 arch/arm/cpu/armv7/omap-common/lowlevel_init.S  |  45 ++++--
 arch/arm/cpu/armv7/omap-common/sec-common.c     | 138 ++++++++++++++++++
 arch/arm/cpu/armv7/omap5/config.mk              |   3 +
 arch/arm/include/asm/omap_common.h              |   6 +
 arch/arm/include/asm/omap_sec_common.h          |  30 ++++
 board/ti/am43xx/board.c                         |   8 ++
 board/ti/am57xx/board.c                         |   8 ++
 board/ti/dra7xx/evm.c                           |   9 ++
 common/spl/spl_fit.c                            |  21 ++-
 configs/am43xx_hs_evm_defconfig                 |   1 +
 configs/am57xx_hs_evm_defconfig                 |   1 +
 configs/dra7xx_hs_evm_defconfig                 |   1 +
 doc/README.ti-secure                            | 177 ++++++++++++++++--------
 include/image.h                                 |  17 +++
 19 files changed, 473 insertions(+), 82 deletions(-)
 create mode 100644 arch/arm/cpu/armv7/omap-common/sec-common.c
 create mode 100644 arch/arm/include/asm/omap_sec_common.h

-- 
2.6.4


