[v3 0/6] Add Vendor Authorized Boot (VAB) support

Siew Chin Lim elly.siew.chin.lim at intel.com
Fri Feb 5 11:52:06 CET 2021


This is the 3rd version of patchset to add Vendor Authorized Boot (VAB)
support for Intel Agilex SoC device.

Vendor Authorized Boot is a security feature for authenticating
the images such as U-Boot, ARM trusted Firmware, Linux kernel,
device tree blob and etc loaded from FIT. After those images are
loaded from FIT, the VAB certificate and signature block appended
at the end of each image are sent to Secure Device Manager (SDM)
for authentication. U-Boot will validate the SHA384 of the image
against the SHA384 hash stored in the VAB certificate before
sending the image to SDM for authentication.

Patch status:
Have changes: Patch 2, 3
Other patches unchanged.

Detail changelog can find in commit message.

v2->v3:
--------
Patch 2:
- Changes in secure_vab.c
  - Add description for function 'socfpga_vendor_authentication'.
  - Relocate vab certificate to first memory bank before trigger SMC call
    to send mailbox command because ATF only able to access first memory bank.
  - Report error instead of bypass the authentication in SPL if
    Secure Device Manager (SDM) does not support VAB.
  - Print success string if VAB success.
  - Replace #ifdef with if(IS_ENABLED(CONFIG_...)).

Patch 3:
- Remove the print in 'vab' command to avoid duplicated print out.
  The 'socfpga_vendor_authntication' function in secure_vab.c will
  print out the string if VAB success.

History:
--------
[v1]: https://patchwork.ozlabs.org/project/uboot/cover/20201110070505.26935-1-elly.siew.chin.lim@intel.com/
[v2]: https://patchwork.ozlabs.org/project/uboot/cover/20210107100337.45293-1-elly.siew.chin.lim@intel.com/

Siew Chin Lim (6):
  arm: socfpga: Move Stratix10 and Agilex to use TARGET_SOCFPGA_SOC64
  arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
  arm: socfpga: cmd: Support 'vab' command
  arm: socfpga: dts: soc64: Update filename in binman node of FIT image
    with VAB support
  configs: socfpga: soc64: Move CONFIG_BOOTCOMMAND to defconfig
  configs: socfpga: Add defconfig for Agilex with VAB support

 arch/arm/Kconfig                                   |   6 +-
 arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi         |  22 +++
 arch/arm/mach-socfpga/Kconfig                      |  20 ++
 arch/arm/mach-socfpga/Makefile                     |   3 +
 arch/arm/mach-socfpga/include/mach/mailbox_s10.h   |   1 +
 arch/arm/mach-socfpga/include/mach/reset_manager.h |   3 +-
 arch/arm/mach-socfpga/include/mach/secure_vab.h    |  63 ++++++
 .../arm/mach-socfpga/include/mach/system_manager.h |   3 +-
 arch/arm/mach-socfpga/secure_vab.c                 | 218 +++++++++++++++++++++
 arch/arm/mach-socfpga/vab.c                        |  34 ++++
 common/Kconfig.boot                                |   2 +-
 configs/socfpga_agilex_atf_defconfig               |   2 +
 configs/socfpga_agilex_defconfig                   |   2 +
 ..._atf_defconfig => socfpga_agilex_vab_defconfig} |   4 +
 configs/socfpga_stratix10_atf_defconfig            |   2 +
 configs/socfpga_stratix10_defconfig                |   2 +
 drivers/ddr/altera/Kconfig                         |   6 +-
 drivers/fpga/Kconfig                               |   2 +-
 drivers/sysreset/Kconfig                           |   2 +-
 include/configs/socfpga_soc64_common.h             |   8 +-
 20 files changed, 385 insertions(+), 20 deletions(-)
 create mode 100644 arch/arm/mach-socfpga/include/mach/secure_vab.h
 create mode 100644 arch/arm/mach-socfpga/secure_vab.c
 create mode 100644 arch/arm/mach-socfpga/vab.c
 copy configs/{socfpga_agilex_atf_defconfig => socfpga_agilex_vab_defconfig} (91%)

-- 
2.13.0



More information about the U-Boot mailing list