[U-Boot] [RFC 06/15] secure boot: rename CONFIG_SECURE_BOOT

Priyanka Jain priyanka.jain at nxp.com
Wed Oct 30 08:24:35 UTC 2019



>-----Original Message-----
>From: AKASHI Takahiro <takahiro.akashi at linaro.org>
>Sent: Tuesday, October 29, 2019 10:49 AM
>To: Priyanka Jain <priyanka.jain at nxp.com>; Stefano Babic <sbabic at denx.de>
>Cc: Tom Rini <trini at konsulko.com>; Udit Agarwal <udit.agarwal at nxp.com>;
>xypron.glpk at gmx.de; agraf at csgraf.de; u-boot at lists.denx.de
>Subject: Re: [U-Boot] [RFC 06/15] secure boot: rename CONFIG_SECURE_BOOT
>
>Priyanka, Stefano and Tom,
>
>On Wed, Sep 25, 2019 at 04:19:43AM +0000, Priyanka Jain wrote:
>>
>>
>> >-----Original Message-----
>> >From: Stefano Babic <sbabic at denx.de>
>> >Sent: Thursday, September 19, 2019 8:40 PM
>> >To: Tom Rini <trini at konsulko.com>; AKASHI Takahiro
>> ><takahiro.akashi at linaro.org>; Priyanka Jain <priyanka.jain at nxp.com>;
>> >Stefano Babic <sbabic at denx.de>
>> >Cc: xypron.glpk at gmx.de; agraf at csgraf.de; u-boot at lists.denx.de
>> >Subject: Re: [U-Boot] [RFC 06/15] secure boot: rename
>> >CONFIG_SECURE_BOOT
>> >
>> >On 19/09/19 17:02, Tom Rini wrote:
>> >> On Wed, Sep 18, 2019 at 10:26:34AM +0900, AKASHI Takahiro wrote:
>> >>
>> >>> The configuration, CONFIG_SECURE_BOOT, was scattered among
>> >>> different architecture directories for different implementations.
>> >>> This will prevent UEFI secure boot from being added later.
>> >>>
>> >>> So let's rename them, giving each implementation a different
>> >>> configuration option. CONFIG_SECURE_BOOT still remains so as not to
>> >>> break the existing implicit dependency.
>> >>>
>> >>> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
>> >>> ---
>> >>>  Kconfig                                   | 7 +++++++
>> >>>  arch/arm/cpu/armv7/ls102xa/Kconfig        | 3 ++-
>> >>>  arch/arm/cpu/armv8/fsl-layerscape/Kconfig | 3 ++-
>> >>>  arch/arm/mach-imx/Kconfig                 | 3 ++-
>> >>>  arch/powerpc/cpu/mpc85xx/Kconfig          | 3 ++-
>> >>>  5 files changed, 15 insertions(+), 4 deletions(-)
>> >>>
>> >>> diff --git a/Kconfig b/Kconfig
>> >>> index 1f0904f7045e..c11fc102a7d4 100644
>> >>> --- a/Kconfig
>> >>> +++ b/Kconfig
>> >>> @@ -282,6 +282,13 @@ config SYS_LDSCRIPT
>> >>>
>> >>>  endmenu		# General setup
>> >>>
>> >>> +config SECURE_BOOT
>> >>> +	bool "Secure Boot"
>> >>> +	imply SHA256
>> >>> +	help
>> >>> +	  Enable Secure Boot feature. The actual behavior may vary
>> >>> +	  from architecture to architecture.
>> >>> +
>> >>>  menu "Boot images"
>> >>>
>> >>>  config ANDROID_BOOT_IMAGE
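Review bot: The new top-level `config SECURE_BOOT` has no `depends on`, so it is offered on every architecture and not only on the four platforms this patch touches, and its help text ("The actual behavior may vary from architecture to architecture") does not tell the user what, if anything, is verified once it is set. Consider restricting it to platforms that provide an implementation, or at least naming the per-platform options in the help text. Also note that `imply SHA256` can be switched off by the user; if an implementation cannot work without SHA-256, that requirement belongs as a `select` in the platform option.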
>> >>> diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig
>> >>> b/arch/arm/cpu/armv7/ls102xa/Kconfig
>> >>> index 94fa68250ddf..ce1bc580d23d 100644
>> >>> --- a/arch/arm/cpu/armv7/ls102xa/Kconfig
>> >>> +++ b/arch/arm/cpu/armv7/ls102xa/Kconfig
>> >>> @@ -50,8 +50,9 @@ config MAX_CPUS
>> >>>  	  cores, count the reserved ports. This will allocate enough memory
>> >>>  	  in spin table to properly handle all cores.
>> >>>
>> >>> -config SECURE_BOOT
>> >>> +config FSL_ARMV7_ENABLE_SECURE_BOOT
>> >>>  	bool	"Secure Boot"
>> >>> +	depends on SECURE_BOOT
>> >>>  	help
>> >>>  		Enable Freescale Secure Boot feature. Normally selected
>> >>>  		by defconfig. If unsure, do not change.
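Review bot: Nothing in this patch tests the new `FSL_ARMV7_ENABLE_SECURE_BOOT` symbol: the diffstat lists only five Kconfig files, and the commit message says CONFIG_SECURE_BOOT is kept for the existing implicit dependency. As posted, anything that tests CONFIG_SECURE_BOOT keeps following the generic symbol and the renamed option has no user. The help text still says "Normally selected by defconfig", but no defconfig is updated to set the new name. Either convert the users and defconfigs in the same patch, or say in the commit message that a follow-up does so.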
>> >>> diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>> >>> b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>> >>> index 42d31fdab0a0..d4cfe31f8ebf 100644
>> >>> --- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>> >>> +++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>> >>> @@ -383,8 +383,9 @@ config EMC2305
>> >>>  	 Enable the EMC2305 fan controller for configuration of fan
>> >>>  	 speed.
>> >>>
>> >>> -config SECURE_BOOT
>> >>> +config FSI_ARMV8_ENABLE_SECURE_BOOT
>> >>>  	bool "Secure Boot"
>> >>> +	depends on SECURE_BOOT
>> >>>  	help
>> >>>  		Enable Freescale Secure Boot feature
>> >>>
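Review bot: The new symbol name in this hunk is spelled `FSI_ARMV8_ENABLE_SECURE_BOOT`, while the other three platform options in the patch use the `FSL_` prefix. This looks like a typo for `FSL_ARMV8_ENABLE_SECURE_BOOT`; it is worth fixing before any defconfig or source file starts referring to the misspelled name. The help text here ("Enable Freescale Secure Boot feature") could also be brought in line with the fuller wording used for ls102xa and mpc85xx.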
>> >>> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
>> >>> index aeb54934888d..e1602fd5f0e8 100644
>> >>> --- a/arch/arm/mach-imx/Kconfig
>> >>> +++ b/arch/arm/mach-imx/Kconfig
>> >>> @@ -34,8 +34,9 @@ config USE_IMXIMG_PLUGIN
>> >>>  	  i.MX6/7 supports DCD and Plugin. Enable this configuration
>> >>>  	  to use Plugin, otherwise DCD will be used.
>> >>>
>> >>> -config SECURE_BOOT
>> >>> +config FSL_IMX_ENABLE_SECURE_BOOT
>> >>>  	bool "Support i.MX HAB features"
>> >>> +	depends on SECURE_BOOT
>> >>>  	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
>> >>>  	select FSL_CAAM if HAS_CAAM
>> >>>  	imply CMD_DEKBLOB
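Review bot: The new name `FSL_IMX_ENABLE_SECURE_BOOT` does not match the prompt it carries, "Support i.MX HAB features". Naming the option after the component it enables would make both agree and keep it distinct from the generic option. The two consecutive `depends on` lines can also be merged into one, `depends on SECURE_BOOT && (ARCH_MX7 || ARCH_MX6 || ARCH_MX5)`, and a help text is missing after `imply CMD_DEKBLOB` as far as this hunk shows.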
>> >>> diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig
>> >>> b/arch/powerpc/cpu/mpc85xx/Kconfig
>> >>> index c038a6ddb0f4..9cf6ebbfe3ce 100644
>> >>> --- a/arch/powerpc/cpu/mpc85xx/Kconfig
>> >>> +++ b/arch/powerpc/cpu/mpc85xx/Kconfig
>> >>> @@ -1208,8 +1208,9 @@ config FSL_LAW
>> >>>  	help
>> >>>  		Use Freescale common code for Local Access Window
>> >>>
>> >>> -config SECURE_BOOT
>> >>> +config FSL_MPC_ENABLE_SECURE_BOOT
>> >>>  	bool	"Secure Boot"
>> >>> +	depends on SECURE_BOOT
>> >>>  	help
>> >>>  		Enable Freescale Secure Boot feature. Normally selected
>> >>>  		by defconfig. If unsure, do not change.
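Review bot: The prompt of `FSL_MPC_ENABLE_SECURE_BOOT` is still the bare string "Secure Boot", identical to the prompt of the new top-level `config SECURE_BOOT` added in the Kconfig hunk (the ls102xa option has the same issue). A user in menuconfig will see two entries with the same label and no hint that the second one is the platform implementation. Give it a platform-specific prompt, for example "Freescale MPC85xx Secure Boot", and update the "Normally selected by defconfig" sentence to say that both options have to be set.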
>> >>
>> >> I've added Priyanka Jain to the thread as the custodian for PowerPC
>> >> and NXP stuff and Stefano Babic as the custodian for i.MX stuff.  I
>> >> don't want to see "CONFIG_SECURE_BOOT" continue on as a config
>> >> option, it's too broad.  Can we please rename and update the
>> >> existing NXP CONFIG option (and I assume split it into a few ones
>> >> to reflect better where things really changed fundamentally from
>> >> one SoC/arch to the
>> >> next) and update the help text?  Thanks!
>> >
>> >Sure - SECURE_BOOT for NXP means enabling HAB, a config can be renamed
>> >to identify the component itself (CONFIG_HAB for example).
>> >
>> >Regards,
>> >Stefano
>> >
>> Sure, we will look into this and update NXP CONFIG_SECURE_BOOT option.
>> Priyanka
>
>Can we expect this re-work on NXP/Freescale platforms to be done in the
>current release cycle, that is v2020.01?
>
Yes, we are working on the changes for NXP ARM and mpc85xx platforms.

Regards
Priyanka
 
>If not, can I continue to use my patch[1] as part of my UEFI secure boot patch
>set for the time being?
>
>  [1]
>https://lists.denx.de/pipermail/u-boot/2019-September/383908.html
>
>Thanks,
>-Takahiro Akashi
>

