From: York Sun <yorksun@freescale.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH] Add bootscript support to esbc_validate.
Date: Tue, 10 Mar 2015 09:32:33 -0700 [thread overview]
Message-ID: <54FF1CA1.80608@freescale.com> (raw)
In-Reply-To: <BY1PR0301MB1288B9DC21D3D3A445FD7D52EF180@BY1PR0301MB1288.namprd03.prod.outlook.com>
On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote:
> Hi York,
>
>> -----Original Message-----
>> From: Sun York-R58495
>> Sent: Tuesday, March 10, 2015 9:45 PM
>> To: Rana Gaurav-B46163; u-boot at lists.denx.de
>> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
>>
>>
>>
>> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
>>> 1. Default environment will be used for secure boot flow which can't
>>> be edited or saved.
>>> 2. Command for secure boot is predefined in the default environment
>>> which will run on autoboot (and autoboot is the only option allowed
>>> in case of secure boot) and it looks like this:
>>> #define CONFIG_SECBOOT \
>>> "setenv bs_hdraddr 0xe8e00000;" \
>>> "esbc_validate $bs_hdraddr;" \
>>> "source $img_addr;" \
>>> "esbc_halt;"
>>> #endif
>>> 3. Boot Script can contain esbc_validate commands and bootm command.
>>> Uboot source command used in default secure boot command will run
>>> the bootscript.
>>> 4. Command esbc_halt added to ensure either bootm executes after
>>> validation of images or core should just spin.
>>>
>> What's the purpose of "esbc_halt"? Once it enters the spin, how to get it
>> out?
> The purpose of bootscript is to validate the next level images and then pass control to it, so bootscript must contain a bootm command. We don't expect control to return back to u-boot. Hence a command esbc_halt is introduced which would make the core spin and not provide uboot prompt in case bootscript doesn't pass control to next level image.
> For secure chain of trust, only validated bootscript should be allowed to execute and be responsible for passing control to next level image.
>
Ruchika,
Do you expect secure boot to run automatically once u-boot reaches the prompt
and the "source $img_addr" to actually boot the OS? You put "esbc_halt" as a
fall-back to catch failure above? It doesn't sound very secure to me.
I am hoping other reviewers can chime in and give comments.
York
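For reference, a boot script of the shape point 3 of the quoted commit message describes (esbc_validate for each next-stage image, then bootm, then esbc_halt as the trap for a fall-through), together with the mkimage wrapping "source" needs. This is an added example, not code from the patch or from U-Boot's own sources. The header addresses, the kernel/dtb layout, the -A ppc architecture flag and the assumption that esbc_validate exports img_addr after every call (the quoted CONFIG_SECBOOT string shows it only for the boot-script header) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the patch or U-Boot). Generates the boot script
# that "source $img_addr" would run after "esbc_validate $bs_hdraddr":
# one esbc_validate per next-stage image, then bootm, then esbc_halt so
# the core spins instead of dropping to a prompt if bootm ever returns.
# Assumptions: the header addresses, the kernel/dtb image layout, and that
# esbc_validate exports img_addr for each validated image the way the
# quoted CONFIG_SECBOOT relies on for the boot-script header.

# gen_bootscript [kernel_hdr] [dtb_hdr]: print the hush script text.
gen_bootscript() {
    kern_hdr=${1:-0xe8f00000}   # assumed: CSF header covering the kernel
    dtb_hdr=${2:-0xe8f10000}    # assumed: CSF header covering the dtb
    cat <<EOF
# Validate the kernel header; img_addr is set to the validated image.
esbc_validate $kern_hdr
setenv kern_addr \$img_addr
# Validate the device tree the same way before bootm touches it.
esbc_validate $dtb_hdr
setenv dtb_addr \$img_addr
# Only validated addresses reach bootm; there is no unvalidated fallback.
bootm \$kern_addr - \$dtb_addr
# Reached only if bootm returns: spin rather than expose the prompt.
esbc_halt
EOF
}

# count_validations: number of esbc_validate lines in the generated script,
# i.e. the number of images the chain of trust covers before bootm.
count_validations() {
    gen_bootscript | grep -c '^esbc_validate '
}

# last_command: the final command of the script; must be esbc_halt.
last_command() {
    gen_bootscript | grep -v '^#' | tail -n 1
}

# wrap_bootscript <out.txt>: write the script and, if mkimage is on PATH,
# wrap it as a U-Boot script image (<out.txt>.scr) so "source" accepts it.
# -A ppc is an assumption for an mpc85xx-class board; adjust for the target.
wrap_bootscript() {
    gen_bootscript > "$1" || return 1
    if command -v mkimage >/dev/null 2>&1; then
        mkimage -A ppc -O linux -T script -C none \
            -n "secure boot script" -d "$1" "$1.scr"
    else
        echo "mkimage not on PATH; $1 written as plain text only" >&2
        return 1
    fi
}
```

The script image produced by wrap_bootscript is what the CSF header at bs_hdraddr would have to cover; the script itself never references an address that has not just passed esbc_validate, and esbc_halt is the last line so that a bootm which returns (wrong load address, bad image) leaves the core spinning rather than at the prompt.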
Thread overview: 9+ messages
2015-03-10 8:38 [U-Boot] [PATCH] Add bootscript support to esbc_validate Gaurav Rana
2015-03-10 16:15 ` York Sun
2015-03-10 16:25 ` Ruchika Gupta
2015-03-10 16:32 ` York Sun [this message]
2015-03-11 10:39 ` Ruchika Gupta
2015-03-11 17:50 ` York Sun
2015-03-11 18:44 ` Scott Wood
2015-03-11 18:47 ` York Sun
2015-04-23 23:26 ` York Sun