[U-Boot] [RFC 06/15] secure boot: rename CONFIG_SECURE_BOOT

Priyanka Jain priyanka.jain at nxp.com
Wed Sep 25 04:19:43 UTC 2019 


>-----Original Message-----
>From: Stefano Babic <sbabic at denx.de>
>Sent: Thursday, September 19, 2019 8:40 PM
>To: Tom Rini <trini at konsulko.com>; AKASHI Takahiro
><takahiro.akashi at linaro.org>; Priyanka Jain <priyanka.jain at nxp.com>;
>Stefano Babic <sbabic at denx.de>
>Cc: xypron.glpk at gmx.de; agraf at csgraf.de; u-boot at lists.denx.de
>Subject: Re: [U-Boot] [RFC 06/15] secure boot: rename CONFIG_SECURE_BOOT
>
>On 19/09/19 17:02, Tom Rini wrote:
>> On Wed, Sep 18, 2019 at 10:26:34AM +0900, AKASHI Takahiro wrote:
>>
>>> The configuration, CONFIG_SECURE_BOOT, was scattered among different
>>> architecture directories for different implementation. This will
>>> prevent UEFI secure boot from being added later.
>>>
>>> So let's rename them, giving each implementation to different
>>> configuration option. CONFIG_SECURE_BOOT still remains not to break
>>> existing implicit dependency.
>>>
>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
>>> ---
>>>  Kconfig                                   | 7 +++++++
>>>  arch/arm/cpu/armv7/ls102xa/Kconfig        | 3 ++-
>>>  arch/arm/cpu/armv8/fsl-layerscape/Kconfig | 3 ++-
>>>  arch/arm/mach-imx/Kconfig                 | 3 ++-
>>>  arch/powerpc/cpu/mpc85xx/Kconfig          | 3 ++-
>>>  5 files changed, 15 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/Kconfig b/Kconfig
>>> index 1f0904f7045e..c11fc102a7d4 100644
>>> --- a/Kconfig
>>> +++ b/Kconfig
>>> @@ -282,6 +282,13 @@ config SYS_LDSCRIPT
>>>
>>>  endmenu		# General setup
>>>
>>> +config SECURE_BOOT
>>> +	bool "Secure Boot"
>>> +	imply SHA256
>>> +	help
>>> +	  Enable Secure Boot feature. The actual behavior may vary
>>> +	  from architecture to architecture.
>>> +
>>>  menu "Boot images"
>>>
>>>  config ANDROID_BOOT_IMAGE
>>> diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig
>>> b/arch/arm/cpu/armv7/ls102xa/Kconfig
>>> index 94fa68250ddf..ce1bc580d23d 100644
>>> --- a/arch/arm/cpu/armv7/ls102xa/Kconfig
>>> +++ b/arch/arm/cpu/armv7/ls102xa/Kconfig
>>> @@ -50,8 +50,9 @@ config MAX_CPUS
>>>  	  cores, count the reserved ports. This will allocate enough memory
>>>  	  in spin table to properly handle all cores.
>>>
>>> -config SECURE_BOOT
>>> +config FSL_ARMV7_ENABLE_SECURE_BOOT
>>>  	bool	"Secure Boot"
>>> +	depends on SECURE_BOOT
>>>  	help
>>>  		Enable Freescale Secure Boot feature. Normally selected
>>>  		by defconfig. If unsure, do not change.
>>> diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>>> b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>>> index 42d31fdab0a0..d4cfe31f8ebf 100644
>>> --- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>>> +++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>>> @@ -383,8 +383,9 @@ config EMC2305
>>>  	 Enable the EMC2305 fan controller for configuration of fan
>>>  	 speed.
>>>
>>> -config SECURE_BOOT
>>> +config FSI_ARMV8_ENABLE_SECURE_BOOT
>>>  	bool "Secure Boot"
>>> +	depends on SECURE_BOOT
>>>  	help
>>>  		Enable Freescale Secure Boot feature
>>>
>>> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
>>> index aeb54934888d..e1602fd5f0e8 100644
>>> --- a/arch/arm/mach-imx/Kconfig
>>> +++ b/arch/arm/mach-imx/Kconfig
>>> @@ -34,8 +34,9 @@ config USE_IMXIMG_PLUGIN
>>>  	  i.MX6/7 supports DCD and Plugin. Enable this configuration
>>>  	  to use Plugin, otherwise DCD will be used.
>>>
>>> -config SECURE_BOOT
>>> +config FSL_IMX_ENABLE_SECURE_BOOT
>>>  	bool "Support i.MX HAB features"
>>> +	depends on SECURE_BOOT
>>>  	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
>>>  	select FSL_CAAM if HAS_CAAM
>>>  	imply CMD_DEKBLOB
>>> diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig
>>> b/arch/powerpc/cpu/mpc85xx/Kconfig
>>> index c038a6ddb0f4..9cf6ebbfe3ce 100644
>>> --- a/arch/powerpc/cpu/mpc85xx/Kconfig
>>> +++ b/arch/powerpc/cpu/mpc85xx/Kconfig
>>> @@ -1208,8 +1208,9 @@ config FSL_LAW
>>>  	help
>>>  		Use Freescale common code for Local Access Window
>>>
>>> -config SECURE_BOOT
>>> +config FSL_MPC_ENABLE_SECURE_BOOT
>>>  	bool	"Secure Boot"
>>> +	depends on SECURE_BOOT
>>>  	help
>>>  		Enable Freescale Secure Boot feature. Normally selected
>>>  		by defconfig. If unsure, do not change.
>>
>> I've added Priyanka Jain to the thread as the custodian for PowerPC
>> and NXP stuff and Stefano Babic as the custodian for i.MX stuff.  I
>> don't want to see "CONFIG_SECURE_BOOT" continue on as a config option,
>> it's too broad.  Can we please rename and update the existing NXP
>> CONFIG option (and I assume split it into a few ones to reflect better
>> where things really changed fundamentally from one SoC/arch to the
>> next) and update the help text?  Thanks!
>
>Sure - SECURE_BOOT for NXP means enabling HAB, a config can be rename to
>identify the component itself (CONFIG_HAB for example).
>
>Regards,
>Stefano
>
Sure, We will look into this and update NXP CONFIG_SECURE_BOOT option.
Priyanka
>
>--
>================================================================
>=====
>DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
>HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic at denx.de
>================================================================
>=====

More information about the U-Boot mailing list