[U-Boot] [RFC 06/15] secure boot: rename CONFIG_SECURE_BOOT

AKASHI Takahiro takahiro.akashi at linaro.org
Tue Oct 29 05:19:28 UTC 2019


Priyanka, Stefano and Tom,

On Wed, Sep 25, 2019 at 04:19:43AM +0000, Priyanka Jain wrote:
> 
> 
> >-----Original Message-----
> >From: Stefano Babic <sbabic at denx.de>
> >Sent: Thursday, September 19, 2019 8:40 PM
> >To: Tom Rini <trini at konsulko.com>; AKASHI Takahiro
> ><takahiro.akashi at linaro.org>; Priyanka Jain <priyanka.jain at nxp.com>;
> >Stefano Babic <sbabic at denx.de>
> >Cc: xypron.glpk at gmx.de; agraf at csgraf.de; u-boot at lists.denx.de
> >Subject: Re: [U-Boot] [RFC 06/15] secure boot: rename CONFIG_SECURE_BOOT
> >
> >On 19/09/19 17:02, Tom Rini wrote:
> >> On Wed, Sep 18, 2019 at 10:26:34AM +0900, AKASHI Takahiro wrote:
> >>
> >>> The configuration, CONFIG_SECURE_BOOT, was scattered among different
> >>> architecture directories for different implementations. This will
> >>> prevent UEFI secure boot from being added later.
> >>>
> >>> So let's rename them, giving each implementation a different
> >>> configuration option. CONFIG_SECURE_BOOT still remains so as not to
> >>> break the existing implicit dependency.
> >>>
> >>> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> >>> ---
> >>>  Kconfig                                   | 7 +++++++
> >>>  arch/arm/cpu/armv7/ls102xa/Kconfig        | 3 ++-
> >>>  arch/arm/cpu/armv8/fsl-layerscape/Kconfig | 3 ++-
> >>>  arch/arm/mach-imx/Kconfig                 | 3 ++-
> >>>  arch/powerpc/cpu/mpc85xx/Kconfig          | 3 ++-
> >>>  5 files changed, 15 insertions(+), 4 deletions(-)
> >>>
> >>> diff --git a/Kconfig b/Kconfig
> >>> index 1f0904f7045e..c11fc102a7d4 100644
> >>> --- a/Kconfig
> >>> +++ b/Kconfig
> >>> @@ -282,6 +282,13 @@ config SYS_LDSCRIPT
> >>>
> >>>  endmenu		# General setup
> >>>
> >>> +config SECURE_BOOT
> >>> +	bool "Secure Boot"
> >>> +	imply SHA256
> >>> +	help
> >>> +	  Enable Secure Boot feature. The actual behavior may vary
> >>> +	  from architecture to architecture.
> >>> +
> >>>  menu "Boot images"
> >>>
> >>>  config ANDROID_BOOT_IMAGE
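
Review bot: The new top-level `config SECURE_BOOT` has no `depends on`, so it is offered on every architecture, including ones with nothing behind it, and the help text ("The actual behavior may vary from architecture to architecture") does not say what, if anything, gets verified. As far as this hunk shows, the symbol by itself only implies SHA256, so a configuration can read as if secure boot were on while no enforcement option is set. Consider making it a promptless symbol that the per-implementation options `select`, or restricting it with `depends on` to the platforms that implement it, and name in the help text the options that actually turn verification on.
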
> >>> diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig
> >>> b/arch/arm/cpu/armv7/ls102xa/Kconfig
> >>> index 94fa68250ddf..ce1bc580d23d 100644
> >>> --- a/arch/arm/cpu/armv7/ls102xa/Kconfig
> >>> +++ b/arch/arm/cpu/armv7/ls102xa/Kconfig
> >>> @@ -50,8 +50,9 @@ config MAX_CPUS
> >>>  	  cores, count the reserved ports. This will allocate enough memory
> >>>  	  in spin table to properly handle all cores.
> >>>
> >>> -config SECURE_BOOT
> >>> +config FSL_ARMV7_ENABLE_SECURE_BOOT
> >>>  	bool	"Secure Boot"
> >>> +	depends on SECURE_BOOT
> >>>  	help
> >>>  		Enable Freescale Secure Boot feature. Normally selected
> >>>  		by defconfig. If unsure, do not change.
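
Review bot: `FSL_ARMV7_ENABLE_SECURE_BOOT` is added with `depends on SECURE_BOOT` but no `default`, so a defconfig that today sets only CONFIG_SECURE_BOOT=y leaves the new option off after this rename. Any code later converted to test the new symbol would then build without the Freescale secure boot path and without any warning. Either add `default y` below the `depends on` line or update the affected defconfigs in the same patch; the diffstat lists only Kconfig files.
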
> >>> diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> >>> b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> >>> index 42d31fdab0a0..d4cfe31f8ebf 100644
> >>> --- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> >>> +++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> >>> @@ -383,8 +383,9 @@ config EMC2305
> >>>  	 Enable the EMC2305 fan controller for configuration of fan
> >>>  	 speed.
> >>>
> >>> -config SECURE_BOOT
> >>> +config FSI_ARMV8_ENABLE_SECURE_BOOT
> >>>  	bool "Secure Boot"
> >>> +	depends on SECURE_BOOT
> >>>  	help
> >>>  		Enable Freescale Secure Boot feature
> >>>
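
Review bot: The new symbol name in `+config FSI_ARMV8_ENABLE_SECURE_BOOT` looks like a typo for `FSL_ARMV8_ENABLE_SECURE_BOOT`; the other three renames in this patch all use the `FSL_` prefix. A misspelled Kconfig symbol is easy to miss, because an `#ifdef` or defconfig line written with the intended `FSL_` spelling would simply never match. Please fix the name here before anything starts referring to it.
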
> >>> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
> >>> index aeb54934888d..e1602fd5f0e8 100644
> >>> --- a/arch/arm/mach-imx/Kconfig
> >>> +++ b/arch/arm/mach-imx/Kconfig
> >>> @@ -34,8 +34,9 @@ config USE_IMXIMG_PLUGIN
> >>>  	  i.MX6/7 supports DCD and Plugin. Enable this configuration
> >>>  	  to use Plugin, otherwise DCD will be used.
> >>>
> >>> -config SECURE_BOOT
> >>> +config FSL_IMX_ENABLE_SECURE_BOOT
> >>>  	bool "Support i.MX HAB features"
> >>> +	depends on SECURE_BOOT
> >>>  	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
> >>>  	select FSL_CAAM if HAS_CAAM
> >>>  	imply CMD_DEKBLOB
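
Review bot: The name `FSL_IMX_ENABLE_SECURE_BOOT` does not match what this option's own prompt says it does, `bool "Support i.MX HAB features"`. Naming the symbol after the component (HAB) would keep it distinct from the generic SECURE_BOOT umbrella and from the future UEFI option, and would make it obvious in a defconfig which verification mechanism is enabled. The two consecutive `depends on` lines could also be folded into one expression so the full condition is readable in one place.
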
> >>> diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig
> >>> b/arch/powerpc/cpu/mpc85xx/Kconfig
> >>> index c038a6ddb0f4..9cf6ebbfe3ce 100644
> >>> --- a/arch/powerpc/cpu/mpc85xx/Kconfig
> >>> +++ b/arch/powerpc/cpu/mpc85xx/Kconfig
> >>> @@ -1208,8 +1208,9 @@ config FSL_LAW
> >>>  	help
> >>>  		Use Freescale common code for Local Access Window
> >>>
> >>> -config SECURE_BOOT
> >>> +config FSL_MPC_ENABLE_SECURE_BOOT
> >>>  	bool	"Secure Boot"
> >>> +	depends on SECURE_BOOT
> >>>  	help
> >>>  		Enable Freescale Secure Boot feature. Normally selected
> >>>  		by defconfig. If unsure, do not change.
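
Review bot: The prompt `bool	"Secure Boot"` is left unchanged here, so after this patch menuconfig shows two entries with the identical label "Secure Boot": the new top-level one and this mpc85xx one. The help text also still says "Normally selected by defconfig" without mentioning that SECURE_BOOT must now be set as well for this option to be selectable. Please give the prompt a platform-specific label and update the help to state the new dependency.
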
> >>
> >> I've added Priyanka Jain to the thread as the custodian for PowerPC
> >> and NXP stuff and Stefano Babic as the custodian for i.MX stuff.  I
> >> don't want to see "CONFIG_SECURE_BOOT" continue on as a config option,
> >> it's too broad.  Can we please rename and update the existing NXP
> >> CONFIG option (and I assume split it into a few ones to reflect better
> >> where things really changed fundamentally from one SoC/arch to the
> >> next) and update the help text?  Thanks!
> >
> >Sure - SECURE_BOOT for NXP means enabling HAB, a config can be renamed to
> >identify the component itself (CONFIG_HAB for example).
> >
> >Regards,
> >Stefano
> >
> Sure, we will look into this and update the NXP CONFIG_SECURE_BOOT option.
> Priyanka

Can we expect this re-work on NXP/Freescale platforms to be done
in the current release cycle, that is v2020.01?

If not, can I continue to use my patch[1] as part of my UEFI secure boot
patch set for the time being?

  [1] https://lists.denx.de/pipermail/u-boot/2019-September/383908.html

Thanks,
-Takahiro Akashi

