[U-Boot] [RFC 06/15] secure boot: rename CONFIG_SECURE_BOOT

Stefano Babic sbabic at denx.de
Thu Sep 19 15:10:14 UTC 2019


On 19/09/19 17:02, Tom Rini wrote:
> On Wed, Sep 18, 2019 at 10:26:34AM +0900, AKASHI Takahiro wrote:
> 
>> The configuration, CONFIG_SECURE_BOOT, was scattered among different
>> architecture directories for different implementation. This will prevent
>> UEFI secure boot from being added later.
>>
>> So let's rename them, giving each implementation to different
>> configuration option. CONFIG_SECURE_BOOT still remains not to break
>> existing implicit dependency.
>>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
>> ---
>>  Kconfig                                   | 7 +++++++
>>  arch/arm/cpu/armv7/ls102xa/Kconfig        | 3 ++-
>>  arch/arm/cpu/armv8/fsl-layerscape/Kconfig | 3 ++-
>>  arch/arm/mach-imx/Kconfig                 | 3 ++-
>>  arch/powerpc/cpu/mpc85xx/Kconfig          | 3 ++-
>>  5 files changed, 15 insertions(+), 4 deletions(-)
>>
>> diff --git a/Kconfig b/Kconfig
>> index 1f0904f7045e..c11fc102a7d4 100644
>> --- a/Kconfig
>> +++ b/Kconfig
>> @@ -282,6 +282,13 @@ config SYS_LDSCRIPT
>>  
>>  endmenu		# General setup
>>  
>> +config SECURE_BOOT
>> +	bool "Secure Boot"
>> +	imply SHA256
>> +	help
>> +	  Enable Secure Boot feature. The actual behavior may vary
>> +	  from architecture to architecture.
>> +
>>  menu "Boot images"
>>  
>>  config ANDROID_BOOT_IMAGE
>> diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig b/arch/arm/cpu/armv7/ls102xa/Kconfig
>> index 94fa68250ddf..ce1bc580d23d 100644
>> --- a/arch/arm/cpu/armv7/ls102xa/Kconfig
>> +++ b/arch/arm/cpu/armv7/ls102xa/Kconfig
>> @@ -50,8 +50,9 @@ config MAX_CPUS
>>  	  cores, count the reserved ports. This will allocate enough memory
>>  	  in spin table to properly handle all cores.
>>  
>> -config SECURE_BOOT
>> +config FSL_ARMV7_ENABLE_SECURE_BOOT
>>  	bool	"Secure Boot"
>> +	depends on SECURE_BOOT
>>  	help
>>  		Enable Freescale Secure Boot feature. Normally selected
>>  		by defconfig. If unsure, do not change.
>> diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>> index 42d31fdab0a0..d4cfe31f8ebf 100644
>> --- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>> +++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>> @@ -383,8 +383,9 @@ config EMC2305
>>  	 Enable the EMC2305 fan controller for configuration of fan
>>  	 speed.
>>  
>> -config SECURE_BOOT
>> +config FSI_ARMV8_ENABLE_SECURE_BOOT
>>  	bool "Secure Boot"
>> +	depends on SECURE_BOOT
>>  	help
>>  		Enable Freescale Secure Boot feature
>>  
>> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
>> index aeb54934888d..e1602fd5f0e8 100644
>> --- a/arch/arm/mach-imx/Kconfig
>> +++ b/arch/arm/mach-imx/Kconfig
>> @@ -34,8 +34,9 @@ config USE_IMXIMG_PLUGIN
>>  	  i.MX6/7 supports DCD and Plugin. Enable this configuration
>>  	  to use Plugin, otherwise DCD will be used.
>>  
>> -config SECURE_BOOT
>> +config FSL_IMX_ENABLE_SECURE_BOOT
>>  	bool "Support i.MX HAB features"
>> +	depends on SECURE_BOOT
>>  	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
>>  	select FSL_CAAM if HAS_CAAM
>>  	imply CMD_DEKBLOB
>> diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig b/arch/powerpc/cpu/mpc85xx/Kconfig
>> index c038a6ddb0f4..9cf6ebbfe3ce 100644
>> --- a/arch/powerpc/cpu/mpc85xx/Kconfig
>> +++ b/arch/powerpc/cpu/mpc85xx/Kconfig
>> @@ -1208,8 +1208,9 @@ config FSL_LAW
>>  	help
>>  		Use Freescale common code for Local Access Window
>>  
>> -config SECURE_BOOT
>> +config FSL_MPC_ENABLE_SECURE_BOOT
>>  	bool	"Secure Boot"
>> +	depends on SECURE_BOOT
>>  	help
>>  		Enable Freescale Secure Boot feature. Normally selected
>>  		by defconfig. If unsure, do not change.
> 
> I've added Priyanka Jain to the thread as the custodian for PowerPC and
> NXP stuff and Stefano Babic as the custodian for i.MX stuff.  I don't
> want to see "CONFIG_SECURE_BOOT" continue on as a config option, it's
> too broad.  Can we please rename and update the existing NXP CONFIG
> option (and I assume split it into a few ones to reflect better where
> things really changed fundamentally from one SoC/arch to the next) and
> update the help text?  Thanks!

Sure - SECURE_BOOT for NXP means enabling HAB, a config can be rename to
identify the component itself (CONFIG_HAB for example).

Regards,
Stefano


-- 
=====================================================================
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic at denx.de
=====================================================================


More information about the U-Boot mailing list