[U-Boot] [PATCH 5/5] doc: x86: Add section about secure boot on Baytrail

Anatolij Gustschin agust at denx.de
Thu May 11 15:14:56 UTC 2017


From: Markus Valentin <mv at denx.de>

Signed-off-by: Markus Valentin <mv at denx.de>
[agust: slightly reworded and fixed alignment]
Signed-off-by: Anatolij Gustschin <agust at denx.de>
---
 doc/README.x86 | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/doc/README.x86 b/doc/README.x86
index a38cc1b..8ba64b3 100644
--- a/doc/README.x86
+++ b/doc/README.x86
@@ -1056,6 +1056,45 @@ provides the same EFI run-time services) is not currently supported on x86.
 
 See README.efi for details of EFI support in U-Boot.
 
+Secure Boot for BayTrail
+------------------------
+U-Boot for BayTrail based platforms supports to boot in a verified manner using
+the Trusted Execution Enginge(TXE). To enable secure boot you need to enable
+ the Kconfig parameter CONFIG_BAYTRAIL_SECURE_BOOT.
+
+The verification of U-Boot happens by a public key appended to the so called
+secure boot manifest. The manifest gets created by the secure_boot_helper.py
+script which is located in the tools directory.
+
+To be able to perform a verified boot with U-Boot you need:
+ * A OEM-keypair which we use to sign U-Boot. Create this yourself like below:
+	mkdir mykeys && \
+	openssl req -batch -x509 -nodes -newkey rsa:2048 \
+		 -keyout 'mykeys/oemkey.pem' -out 'mykeys/pub_oemkey.pem'
+ * fpf_config.txt gets created by the helper script. It stores the fuse
+	register configuration to a text file which can be used by the Intel
+	FPT tool to write fuses (the FPT is provided in the TXE Firmware Kit).
+	It contains a hash over the public part of the OEM-keypair.
+	(To burn fuses run "FPT -writebatch fpf_config.txt" on the target)
+ * A secure boot enabled FSP[18] which we can assemble with the BCT Tool[19]
+	(the secure boot enabled fsp should be placed as fsp-sb.bin in the
+	board directory)
+
+If these prerequisites are met, you can build u-boot and call the helper script.
+The following commands give an example flow for the congatec conga-QA3 SoM:
+	make conga-qeval20-qa3-e3845-internal-uart-secure-boot_defconfig
+	make all
+	make u-boot.rom
+	python3 ./tools/secure_boot_helper.py \
+		-I board/congatec/conga-qeval20-qa3-e3845 \
+		-c fpf_config.txt \
+		--lock-fuses
+
+This creates a "u-boot-verified.rom", this file can be used as the normal
+u-boot.rom. For enabling the verification you need to configure the fuses
+either by burning them or by using the FPF-Mirroring feature for development.
+Further authentication can be done with the fit-image mechanism.
+
 64-bit Support
 --------------
 U-Boot supports booting a 64-bit kernel directly and is able to change to
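Review bot: the example flow passes `--lock-fuses` to secure_boot_helper.py and the prerequisite list says to run "FPT -writebatch fpf_config.txt" on the target, but nothing in the new section says that programming the FPF fuses is a one-time, irreversible operation that permanently binds the board to the hash of this OEM key; the closing paragraph even presents burning and FPF-Mirroring as interchangeable. Please document what --lock-fuses actually does, state that fuse burning cannot be undone and that a lost or compromised OEM private key cannot be rotated afterwards, and recommend FPF-Mirroring for bring-up with burning only as the final production step. Two related points in the same hunk: the openssl command uses -nodes, so mykeys/oemkey.pem holds the unencrypted root-of-trust private key, and -x509 writes a self-signed certificate to pub_oemkey.pem rather than a bare public key, so the text should say that the helper expects a certificate and that the key material must be kept out of the source tree and protected; and fpf_config.txt is listed under "you need" although the same bullet says the helper script creates it (presumably the file named by -c), so it belongs in the description of what the helper produces, not in the prerequisites. Typos and alignment: "Trusted Execution Enginge(TXE)" -> "Trusted Execution Engine (TXE)", "supports to boot in a verified manner" -> "supports verified boot", "A OEM-keypair" -> "An OEM key pair", and the line " the Kconfig parameter CONFIG_BAYTRAIL_SECURE_BOOT." has a stray leading space; the bullets also mix a space-prefixed " * " first line with tab-indented continuation lines, unlike the rest of README.x86.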
@@ -1098,3 +1137,5 @@ References
 [15] doc/device-tree-bindings/misc/intel,irq-router.txt
 [16] http://www.acpi.info
 [17] https://www.acpica.org/downloads
+[18] https://github.com/IntelFsp/FSP.git
+[19] https://github.com/IntelFsp/BCT.git
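Review bot: references [18] and [19] point at the bare repository roots with a .git suffix, unlike the plain https web links used for [16] and [17], so a reader cannot tell which FSP release or BCT tool version the "secure boot enabled FSP" described in the section above was assembled and tested with. Please name the BayTrail FSP release and BCT version used for the conga-QA3 flow (or link to the BayTrail-specific part of the FSP repository) and drop the .git suffix for consistency with the other entries.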
-- 
2.7.4