[U-Boot] [PATCH v3 1/6] x86: baytrail: Add fsp-header verification for secure boot FSP
Anatolij Gustschin
agust at denx.de
Tue Nov 28 13:27:14 UTC 2017
Hi Bin,
On Tue, 21 Nov 2017 23:01:08 +0800
Bin Meng bmeng.cn at gmail.com wrote:
...
> > --- a/arch/x86/Kconfig
> > +++ b/arch/x86/Kconfig
> > @@ -350,7 +350,8 @@ config HAVE_FSP
> > config FSP_FILE
> > string "Firmware Support Package binary filename"
> > depends on HAVE_FSP
> > - default "fsp.bin"
> > + default "fsp.bin" if !BAYTRAIL_SECURE_BOOT
> > + default "fsp-sb.bin" if BAYTRAIL_SECURE_BOOT
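Review bot: The two conditional defaults for FSP_FILE can be reduced to one condition, because Kconfig takes the first default whose condition holds. Putting `default "fsp-sb.bin" if BAYTRAIL_SECURE_BOOT` first and leaving the original unconditional `default "fsp.bin"` after it gives the same result without the negated `if !BAYTRAIL_SECURE_BOOT`, and the plain fallback stays valid if further variants are added later. If FSP_FILE carries help text, it should also name the secure boot filename so users know which binary the build expects.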
>
> Since this Kconfig is generic to all x86, can we introduce a generic
> name here, something like:
>
> default "fsp-sb.bin" if SECURE_BOOT
>
> Then in the arch/x86/cpu/baytrail/Kconfig, we can have:
>
> config BAYTRAIL_SECURE_BOOT
> depends on HAVE_FSP
> depends on SECURE_BOOT
> default y if SECURE_BOOT

Ok, will rework in v4.

> Does U-Boot have any generic Kconfig option for secure boot?

No, currently there is no such generic option. But CONFIG_SECURE_BOOT
is used in some powerpc and arm configs. I'll add the generic option
to the top level Kconfig.

...
> > @@ -130,6 +140,20 @@ void fsp_init(u32 stack_top, u32 boot_mode, void *nvs_buf)
> >
> > fsp_upd = &config_data.fsp_upd;
> >
> > + /*
> > + * On some platforms there is no 'enable_secure_boot' field
> > + * in VPD region struct, so we have to use ifdef here.
> > + */
> > + #ifdef CONFIG_BAYTRAIL_SECURE_BOOT
> > + /*
> > + * If the enable secure boot flag is not 1, secure boot has not
> > + * been activated in the FSP which results in the TXE-Engine not
> > + * getting loaded
> > + */
> > + printf("FSP: Secure Boot %sabled\n",
> > + fsp_vpd->enable_secure_boot == 1 ? "en" : "dis");
> > + #endif
> > +
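Review bot: In the block added to fsp_init(), a build with CONFIG_BAYTRAIL_SECURE_BOOT set only prints "FSP: Secure Boot disabled" when `fsp_vpd->enable_secure_boot` is not 1 and then carries on as before. The comment says this state means the TXE engine does not get loaded, so in the lines shown nothing stops or clearly flags a secure boot build that is running with an FSP in which secure boot is off. Consider handling that case as an error, or at least as a distinct warning, instead of an informational printf, and reducing the expected "enabled" case to a debug message.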
>
> Can we introduce some APIs like fsp_secure_boot_check() and move the
> above 2 blocks into baytrail directory that implements the API?

This makes sense, thanks. I'll add it as fsp_verify_boot_image() API
function that is empty when SECURE_BOOT is not enabled.

Thanks,
Anatolij