[U-Boot] [PATCH 5/5] doc: x86: Add section about secure boot on Baytrail
Anatolij Gustschin
agust at denx.de
Thu May 11 15:14:56 UTC 2017
From: Markus Valentin <mv at denx.de>
Signed-off-by: Markus Valentin <mv at denx.de>
[agust: slightly reworded and fixed alignment]
Signed-off-by: Anatolij Gustschin <agust at denx.de>
---
doc/README.x86 | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/doc/README.x86 b/doc/README.x86
index a38cc1b..8ba64b3 100644
--- a/doc/README.x86
+++ b/doc/README.x86
@@ -1056,6 +1056,45 @@ provides the same EFI run-time services) is not currently supported on x86.
See README.efi for details of EFI support in U-Boot.
+Secure Boot for BayTrail
+------------------------
+U-Boot for BayTrail based platforms supports to boot in a verified manner using
+the Trusted Execution Enginge(TXE). To enable secure boot you need to enable
+ the Kconfig parameter CONFIG_BAYTRAIL_SECURE_BOOT.
+
+The verification of U-Boot happens by a public key appended to the so called
+secure boot manifest. The manifest gets created by the secure_boot_helper.py
+script which is located in the tools directory.
+
+To be able to perform a verified boot with U-Boot you need:
+ * A OEM-keypair which we use to sign U-Boot. Create this yourself like below:
+ mkdir mykeys && \
+ openssl req -batch -x509 -nodes -newkey rsa:2048 \
+ -keyout 'mykeys/oemkey.pem' -out 'mykeys/pub_oemkey.pem'
+ * fpf_config.txt gets created by the helper script. It stores the fuse
+ register configuration to a text file which can be used by the Intel
+ FPT tool to write fuses (the FPT is provided in the TXE Firmware Kit).
+ It contains a hash over the public part of the OEM-keypair.
+ (To burn fuses run "FPT -writebatch fpf_config.txt" on the target)
+ * A secure boot enabled FSP[18] which we can assemble with the BCT Tool[19]
+ (the secure boot enabled fsp should be placed as fsp-sb.bin in the
+ board directory)
+
+If these prerequisites are met, you can build u-boot and call the helper script.
+The following commands give an example flow for the congatec conga-QA3 SoM:
+ make conga-qeval20-qa3-e3845-internal-uart-secure-boot_defconfig
+ make all
+ make u-boot.rom
+ python3 ./tools/secure_boot_helper.py \
+ -I board/congatec/conga-qeval20-qa3-e3845 \
+ -c fpf_config.txt \
+ --lock-fuses
+
+This creates a "u-boot-verified.rom", this file can be used as the normal
+u-boot.rom. For enabling the verification you need to configure the fuses
+either by burning them or by using the FPF-Mirroring feature for development.
+Further authentication can be done with the fit-image mechanism.
+
64-bit Support
--------------
U-Boot supports booting a 64-bit kernel directly and is able to change to
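Review bot: The new "Secure Boot for BayTrail" text documents an openssl invocation with `-nodes`, which writes the OEM private key to `mykeys/oemkey.pem` unencrypted, but says nothing about protecting that key; since the fused hash commits the board to trusting anything signed with it, the section should state that the private key is the root of trust and must be kept off build machines and out of the tree (or drop `-nodes` so the key is passphrase-protected). In the same vein, the `--lock-fuses` option and the "FPT -writebatch fpf_config.txt" step should be called out as irreversible, so readers use the FPF-Mirroring path mentioned at the end while developing and only burn fuses on production parts. Minor wording fixes for the same hunk: "Trusted Execution Enginge(TXE)" should read "Trusted Execution Engine (TXE)", "supports to boot in a verified manner" reads better as "supports verified boot", "A OEM-keypair" should be "An OEM key pair", and the line " the Kconfig parameter CONFIG_BAYTRAIL_SECURE_BOOT." has a stray leading space that breaks the paragraph alignment the rest of README.x86 uses.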
@@ -1098,3 +1137,5 @@ References
[15] doc/device-tree-bindings/misc/intel,irq-router.txt
[16] http://www.acpi.info
[17] https://www.acpica.org/downloads
+[18] https://github.com/IntelFsp/FSP.git
+[19] https://github.com/IntelFsp/BCT.git
--
2.7.4