[U-Boot] [PATCH v3 6/6] doc: x86: Add section about secure boot on Bay Trail

Anatolij Gustschin agust at denx.de
Fri Nov 17 01:16:18 UTC 2017


From: Markus Valentin <mv at denx.de>

Add short summary describing preparations for enabling secure boot
feature on Bay Trail SoC.

Signed-off-by: Markus Valentin <mv at denx.de>
Signed-off-by: Anatolij Gustschin <agust at denx.de>
---
Changes in v3:
 - add commit message
 - use 'U-Boot' consistently
 - reword and improve text since binman is now used for image signing

 doc/README.x86 | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/doc/README.x86 b/doc/README.x86
index 772e8d2a86..b64158816b 100644
--- a/doc/README.x86
+++ b/doc/README.x86
@@ -1141,6 +1141,53 @@ provides the same EFI run-time services) is not currently supported on x86.
 
 See README.efi for details of EFI support in U-Boot.
 
+Secure Boot for Bay Trail
+-------------------------
+U-Boot for Bay Trail based platforms supports booting in a verified manner using
+the Trusted Execution Enginge (TXE). To enable secure boot you need to enable
+the Kconfig option CONFIG_BAYTRAIL_SECURE_BOOT.
+
+The verification of U-Boot happens by a public key appended to the so called
+Secure Boot Manifest. The manifest will be created by binman after building
+the u-boot.rom image (by tools/binman/signing/baytrail.py script). binman
+will generate "u-boot-verified.rom" image containing the manifest. This
+image can be installed in SPI-NOR flash.
+
+To be able to perform a verified boot with U-Boot you need:
+ * A secure-boot-enabled FSP[18] which we can assemble with the BCT Tool[19]
+	(the secure-boot-enabled FSP should be placed as fsp-sb.bin in the
+	board directory)
+ * A OEM-keypair which we use to sign U-Boot. Create this yourself in the
+	build output directory like below:
+	mkdir keydir && \
+	openssl req -batch -x509 -nodes -newkey rsa:2048 \
+		 -keyout 'keydir/oemkey.pem' -out 'keydir/pub_oemkey.pem'
+	When secure boot option is enabled, the signing script expects
+	the keys to be in the 'keydir' subdir in the build output directory.
+ * fpf_config.txt file in the build output directory.
+	Copy the original FpfConfigFile.txt file from the TXE Firmware Kit to
+	fpf_config.txt. When fpf_config.txt file is present, the binman will
+	update its fuse file entry with the actual hash of the public part of
+	the OEM signing key (FUSE_FILE_OEM_KEY_HASH_1:). The secure-boot-enable
+	fuse file entry (FUSE_FILE_SECURE_BOOT_EN:) will also be enabled.
+	The modified fuse register configuration file can be used by the Intel
+	FPT tool to write fuses (the FPT tool is provided in the TXE Firmware
+	Kit. To burn fuses run "FPT -writebatch fpf_config.txt" on the target).
+
+If these prerequisites are met, you can enable CONFIG_BAYTRAIL_SECURE_BOOT
+option and build U-Boot. The following commands give an example flow for the
+Congatec conga-QA3 SoM on QEVAL 2.0 evalboard:
+	make conga-qeval20-qa3-e3845-internal-uart-secure-boot_defconfig
+	make all
+	make u-boot.rom
+
+This creates "u-boot-verified.rom" image. It can be used as the normal
+u-boot.rom. For enabling the verification you need to configure the OTP fuses
+either by burning them by FPT tool or by using the FPF-Mirroring feature
+for testing while development (see TXE Firmware Kit documentation for more
+details). Further authentication (Kernel/DTB) can be done with the FIT image
+mechanism.
+
 64-bit Support
 --------------
 U-Boot supports booting a 64-bit kernel directly and is able to change to
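Review bot: the openssl example in this hunk writes an unencrypted private key (-nodes) into keydir/ under the build output directory, and the text never says how that key is to be protected; because the hash of the public part is burned into OTP fuses (FUSE_FILE_OEM_KEY_HASH_1:), a lost or leaked oemkey.pem cannot be rotated on fused boards, so the section should state that the key is generated and stored outside the build tree (or on a dedicated signing host) and only copied in for signing. Two wording fixes in the same hunk: "Trusted Execution Enginge" should read "Engine", and "A OEM-keypair" should read "An OEM keypair". Finally, the "FPT -writebatch fpf_config.txt" step and the later "burning them by FPT tool" sentence describe a one-time-programmable, irreversible operation; the text should say so explicitly and recommend validating the signed image with the FPF-mirroring feature it already mentions before any fuses are written.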
@@ -1183,3 +1230,5 @@ References
 [15] doc/device-tree-bindings/misc/intel,irq-router.txt
 [16] http://www.acpi.info
 [17] https://www.acpica.org/downloads
+[18] https://github.com/IntelFsp/FSP.git
+[19] https://github.com/IntelFsp/BCT.git
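Review bot: the new section refers to the "TXE Firmware Kit" three times (as the source of FpfConfigFile.txt, of the FPT tool, and of the FPF-mirroring documentation) but this hunk adds reference entries only for FSP [18] and BCT [19]; add an entry for the kit, or a sentence saying where it is obtained, so readers can locate the files the procedure depends on. Minor: the existing entries [16] and [17] are plain web URLs, whereas [18] and [19] are .git clone URLs; dropping the ".git" suffix keeps the list consistent.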
-- 
2.11.0


