[U-Boot] x86: SecureBoot: Bay Trail

Markus Valentin mv at denx.de
Mon Feb 20 09:10:59 UTC 2017


Hi,

On Fri, 2017-02-17 at 19:58 +0800, Bin Meng wrote:
> On Fri, Feb 17, 2017 at 5:26 PM, Markus Valentin <mv at denx.de> wrote:
> > 
> > Hi,
> > 
> > I'm implementing Secure Boot with U-Boot on an Intel Atom E3800 Series (Bay
> > Trail) based platform.
> > 
> > I did manage to get the first boot stage (Initial Boot Block) verified by the
> > Trusted Execution Engine, next I need to verify the "ramstage" as they call
> > it.
> 
> How did you implement the first boot stage? Is it U-Boot SPL?
No, I'm not using SPL, but maybe I should?

Currently I follow the instructions from document #558081 "Enabling Secure Boot
with Intel FSP and coreboot" for Intel® Atom™ Processor E3800 Product
Family.
There they state that I should extract an IBB (Initial Boot Block), which is the
last 127Kib from the u-boot.rom/coreboot.rom file. IBB plus a secure boot
"manifest" is the 1st stage that gets properly authenticated, copied to RAM
and executed (128Kib).
> 
> > 
> > 
> > Intel provides a manual on how to enable Secure Boot with coreboot; in this
> > manual they extract the "ramstage" from the coreboot.rom file via cbfs.
> > 
> 
> Which manual is this?
#558081 "Enabling Secure Boot with Intel FSP and coreboot" for Intel® Atom™
Processor E3800 Product Family
> 
> > 
> > How can I get the equivalent for the coreboot-ramstage from U-Boot?
> > 
> 
> My understanding is that since you already managed to have the
> hardware (TXE) successfully verify the first boot stage, the next step
> is all yours, which means you don't need anything like
> coreboot-ramstage. You can implement whatever loading/authenticating
> mechanism you put in the first boot stage to boot the 2nd stage.
That's a good point, thanks. I already implemented verification in U-Boot for
verification of the fit-image public-key, so I could easily adopt it.

best regards

Markus



