[v5 2/7] arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)

Tan, Ley Foon ley.foon.tan at intel.com
Fri Mar 5 10:09:52 CET 2021



> -----Original Message-----
> From: Lim, Elly Siew Chin <elly.siew.chin.lim at intel.com>
> Sent: Monday, March 1, 2021 8:04 PM
> To: u-boot at lists.denx.de
> Cc: Marek Vasut <marex at denx.de>; Tan, Ley Foon
> <ley.foon.tan at intel.com>; See, Chin Liang <chin.liang.see at intel.com>;
> Simon Goldschmidt <simon.k.r.goldschmidt at gmail.com>; Chee, Tien Fong
> <tien.fong.chee at intel.com>; Westergreen, Dalon
> <dalon.westergreen at intel.com>; Simon Glass <sjg at chromium.org>; Gan,
> Yau Wai <yau.wai.gan at intel.com>; Lim, Elly Siew Chin
> <elly.siew.chin.lim at intel.com>
> Subject: [v5 2/7] arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
> 
> Vendor Authorized Boot is a security feature for authenticating the images
> such as U-Boot, ARM trusted Firmware, Linux kernel, device tree blob and
> etc loaded from FIT. After those images are loaded from FIT, the VAB
> certificate and signature block appended at the end of each image are sent
> to Secure Device Manager (SDM) for authentication. U-Boot will validate the
> SHA384 of the image against the SHA384 hash stored in the VAB certificate
> before sending the image to SDM for authentication.
> 
> Signed-off-by: Siew Chin Lim <elly.siew.chin.lim at intel.com>
> 
> ---
> v5:
> - In arch/arm/mach-socfpga/board.c
>   - Move '#if IS_ENABLED(CONFIG_SOCFPGA_SECURE_VAB_AUTH)' inside
> board_fit_image_post_process function.
>   - Move '#if IS_ENABLED(CONFIG_SPL_BUID)' outside board_prep_linux
> function.
> 
> v4:
> - Move function 'board_fit_image_post_process' and 'board_prep_linux'
>   from secure_vab.c to board.c.
> ---
>  arch/arm/mach-socfpga/Kconfig                    |  15 ++
>  arch/arm/mach-socfpga/Makefile                   |   2 +
>  arch/arm/mach-socfpga/board.c                    |  45 +++++-
>  arch/arm/mach-socfpga/include/mach/mailbox_s10.h |   1 +
>  arch/arm/mach-socfpga/include/mach/secure_vab.h  |  63 ++++++++
>  arch/arm/mach-socfpga/secure_vab.c               | 186
> +++++++++++++++++++++++
>  common/Kconfig.boot                              |   2 +-
>  7 files changed, 309 insertions(+), 5 deletions(-)  create mode 100644
> arch/arm/mach-socfpga/include/mach/secure_vab.h
>  create mode 100644 arch/arm/mach-socfpga/secure_vab.c
> 

Reviewed-by: Ley Foon Tan <ley.foon.tan at intel.com>


More information about the U-Boot mailing list