From: York Sun <yorksun@freescale.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH] Add bootscript support to esbc_validate.
Date: Wed, 11 Mar 2015 10:50:48 -0700
Message-ID: <55008078.2020201@freescale.com>
In-Reply-To: <BY1PR0301MB128852640D98A0A2B57B17BDEF190@BY1PR0301MB1288.namprd03.prod.outlook.com>



On 03/11/2015 03:39 AM, Gupta Ruchika-R66431 wrote:
> Hi York,
> 
>> -----Original Message-----
>> From: Sun York-R58495
>> Sent: Tuesday, March 10, 2015 10:03 PM
>> To: Gupta Ruchika-R66431; Rana Gaurav-B46163; u-boot at lists.denx.de
>> Cc: Wood Scott-B07421; Bansal Aneesh-B39320
>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
>>
>> On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote:
>>> Hi York,
>>>
>>>> -----Original Message-----
>>>> From: Sun York-R58495
>>>> Sent: Tuesday, March 10, 2015 9:45 PM
>>>> To: Rana Gaurav-B46163; u-boot at lists.denx.de
>>>> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
>>>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
>>>>
>>>>
>>>>
>>>> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
>>>>> 1. Default environment will be used for secure boot flow which
>>>>> can't be edited or saved.
>>>>> 2. Command for secure boot is predefined in the default environment
>>>>> which will run on autoboot (and autoboot is the only option allowed
>>>>> in case of secure boot) and it looks like this:
>>>>>  #define CONFIG_SECBOOT \
>>>>>  "setenv bs_hdraddr 0xe8e00000;"                 \
>>>>>  "esbc_validate $bs_hdraddr;"                    \
>>>>>  "source $img_addr;"                             \
>>>>>  "esbc_halt;"
>>>>>  #endif
>>>>> 3. Boot Script can contain esbc_validate commands and bootm command.
>>>>>  Uboot source command used in default secure boot command will run
>>>>> the bootscript.
>>>>> 4. Command esbc_halt added to ensure either bootm executes after
>>>>> validation of images or core should just spin.
>>>>>
>>>> What's the purpose of "esbc_halt"? Once it enters the spin, how to
>>>> get it out?
>>> The purpose of bootscript is to validate the next level images and then
>> pass control to it, so bootscript must contain a bootm command. We don't
>> expect control to return back to u-boot. Hence a command esbc_halt is
>> introduced which would make the core spin and not provide uboot prompt in
>> case bootscript doesn't pass control to next level image.
>>> For secure chain of trust, only validated bootscript should be allowed to
>> execute and be responsible for passing control to next level image.
>>>
>>
>> Ruchika,
>>
>> Do you expect secure boot to run automatically once u-boot reaches the prompt
>> and the "source $img_addr" to actually boot the OS? You put "esbc_halt" as a
>> fall-back to catch failure above? It doesn't sound very secure to me.
> 
> The bootscript is first validated. Only an authenticated user, who has the private key can sign the bootscript. Thus validating bootscript is important in secure boot chain of trust.
> 
> You are right regarding fallback as esbc_halt. In the esbc_halt implementation, we will add code to clear security secrets on the chip, and issue a reset. We will send a separate patch for that.
> 

Wouldn't it be possible to call a reset/hang/panic when the validation fails,
before "source $img_addr"?

York
