[U-Boot] [PATCH v3 1/5] sunxi: a64: Enable FIT Signature

Jagan Teki jagannadh.teki at gmail.com
Fri Dec 15 15:05:59 UTC 2017 

On Fri, Dec 15, 2017 at 8:06 PM, Andre Przywara <andre.przywara at arm.com> wrote:
> Hi,
>
> On 15/12/17 13:41, Maxime Ripard wrote:
>> On Thu, Dec 14, 2017 at 02:03:12PM +0530, Jagan Teki wrote:
>>> On Wed, Dec 13, 2017 at 9:09 PM, Maxime Ripard
>>> <maxime.ripard at free-electrons.com> wrote:
>>>> On Wed, Dec 13, 2017 at 11:33:02AM +0530, Jagan Teki wrote:
>>>>> From: Jagan Teki <jagannadh.teki at gmail.com>
>>>>>
>>>>> Enable FIT_SIGNATURE for sunxi a64.
>>>>>
>>>>> Signed-off-by: Jagan Teki <jagan at amarulasolutions.com>
>>>>> ---
>>>>> Changes for v3:
>>>>> - Move imply outside block
>>>>> Changes for v2:
>>>>> - Use imply instead of select
>>>>>
>>>>>  arch/arm/mach-sunxi/Kconfig | 1 +
>>>>>  1 file changed, 1 insertion(+)
>>>>>
>>>>> diff --git a/arch/arm/mach-sunxi/Kconfig b/arch/arm/mach-sunxi/Kconfig
>>>>> index 1fededd..05e2d47 100644
>>>>> --- a/arch/arm/mach-sunxi/Kconfig
>>>>> +++ b/arch/arm/mach-sunxi/Kconfig
>>>>> @@ -179,6 +179,7 @@ config MACH_SUN50I
>>>>>       select SUNXI_DRAM_DW_32BIT
>>>>>       select FIT
>>>>>       select SPL_LOAD_FIT
>>>>> +     imply FIT_SIGNATURE
>>>>
>>>> I'm really not sure we should force it by default. How much code size
>>>> is it adding?
>>>
>>> Why we need to consider u-boot size? (because it may cross the loader2 size?)
>>> Here is the delta of u-boot elf
>>
>> The same reason than anything else on our arm64 builds lately: we have
>> a u-boot binary too big for the size compared to our environment offset.
>
> I agree, and aside from that I don't see how this is useful:
> - We don't *need* this for Allwinner boards.

why? can you elaborate?

> - It is not usable without some more setup (which that other doc patch
> describes).

doc patch is rejected since we have redundant docs on the same topic.

> - As Maxime mentioned, this is not very helpful on it's own, due to it
> inherent vulnerability without a protected SPL as well.
> - No other boards seems to set FIT_SIGNATURE.

I'm mentioning this again, please check the other platforms as well
this is verified-boot not secure-boot, other platforms will do use
same.

thanks!
-- 
Jagan Teki
Free Software Engineer | www.openedev.com
U-Boot, Linux | Upstream Maintainer
Hyderabad, India.

More information about the U-Boot mailing list