[v2 2/6] arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
Simon Glass
sjg at chromium.org
Thu Jan 7 13:36:29 CET 2021
On Thu, 7 Jan 2021 at 03:03, Siew Chin Lim <elly.siew.chin.lim at intel.com> wrote:
>
> Vendor Authorized Boot is a security feature for authenticating
> the images such as U-Boot, ARM trusted Firmware, Linux kernel,
> device tree blob, etc. loaded from FIT. After those images are
> loaded from FIT, the VAB certificate and signature block appended
> at the end of each image are sent to Secure Device Manager (SDM)
> for authentication. U-Boot will validate the SHA384 of the image
> against the SHA384 hash stored in the VAB certificate before
> sending the image to SDM for authentication.
>
> Signed-off-by: Siew Chin Lim <elly.siew.chin.lim at intel.com>
>
> ---
> v2
> ---
> - Renamed SECURE_VAB_AUTH* to SOCFPGA_SECURE_VAB_AUTH*
> - Changes in secure_vab.c
> - Changed to use SZ_1K for 1024
> - Updated comment in secure_vab.c of "... the certificate for T"
> - The code will report an error before the end of the function if it
> reaches maximum retry.
> - In board_prep_linux function, only execute linux_qspi_enable
> command if it exists in environment variable. It is optional.
> ---
> arch/arm/mach-socfpga/Kconfig | 15 ++
> arch/arm/mach-socfpga/Makefile | 2 +
> arch/arm/mach-socfpga/include/mach/mailbox_s10.h | 1 +
> arch/arm/mach-socfpga/include/mach/secure_vab.h | 63 ++++++++
> arch/arm/mach-socfpga/secure_vab.c | 193 +++++++++++++++++++++++
> common/Kconfig.boot | 2 +-
> 6 files changed, 275 insertions(+), 1 deletion(-)
> create mode 100644 arch/arm/mach-socfpga/include/mach/secure_vab.h
> create mode 100644 arch/arm/mach-socfpga/secure_vab.c

I think this could use a few more function comments. Also try to use
if() instead of #if.

Regards,
Simon
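
Added example, not part of the patch or of this thread: a sketch of the SHA384 pre-check the quoted commit message describes, where the loader compares the image hash with the digest carried in the appended certificate before handing anything on for authentication. The trailer layout, `MAGIC` value and function names are hypothetical and do not reflect the real VAB certificate format.

```python
import hashlib
import hmac
import struct

# Hypothetical trailer appended to the image (illustration only, not the VAB format):
#   magic (4 bytes, LE) | payload length (4 bytes, LE) | SHA-384 digest (48 bytes)
# In the flow described above, a signature block would also be present and would be
# authenticated by the SDM; this sketch covers only the local hash comparison.
MAGIC = 0x56414231  # constructed value
TRAILER = struct.Struct("<II48s")


def append_trailer(payload: bytes) -> bytes:
    """Build a constructed sample: payload followed by the hypothetical trailer."""
    digest = hashlib.sha384(payload).digest()
    return payload + TRAILER.pack(MAGIC, len(payload), digest)


def precheck(blob: bytes) -> bytes:
    """Return the payload if its SHA-384 matches the trailer, else raise ValueError."""
    if len(blob) < TRAILER.size:
        raise ValueError("blob shorter than trailer")
    body, trailer = blob[:-TRAILER.size], blob[-TRAILER.size:]
    magic, length, expected = TRAILER.unpack(trailer)
    if magic != MAGIC:
        raise ValueError("bad trailer magic")
    # The length field is untrusted input: it must agree with the bytes actually present.
    if length != len(body):
        raise ValueError("length field does not match payload size")
    actual = hashlib.sha384(body).digest()
    # Constant-time comparison of the computed and stored digests.
    if not hmac.compare_digest(actual, expected):
        raise ValueError("SHA-384 mismatch")
    return body


if __name__ == "__main__":
    sample = append_trailer(b"constructed kernel image " * 4)
    print(len(precheck(sample)), "payload bytes passed the pre-check")
```

Passing this pre-check only shows that the image matches the digest stored in its own trailer; in the flow the commit message describes, trust comes from the SDM authenticating the certificate and signature block.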