[U-Boot] [PATCH] Add bootscript support to esbc_validate.

[Scott Wood <scottwood@freescale.com>]

On Wed, 2015-03-11 at 10:50 -0700, York Sun wrote:
> 
> On 03/11/2015 03:39 AM, Gupta Ruchika-R66431 wrote:
> > Hi York,
> > 
> >> -----Original Message-----
> >> From: Sun York-R58495
> >> Sent: Tuesday, March 10, 2015 10:03 PM
> >> To: Gupta Ruchika-R66431; Rana Gaurav-B46163; u-boot at lists.denx.de
> >> Cc: Wood Scott-B07421; Bansal Aneesh-B39320
> >> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
> >>
> >> On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote:
> >>> Hi York,
> >>>
> >>>> -----Original Message-----
> >>>> From: Sun York-R58495
> >>>> Sent: Tuesday, March 10, 2015 9:45 PM
> >>>> To: Rana Gaurav-B46163; u-boot at lists.denx.de
> >>>> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
> >>>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
> >>>>
> >>>>
> >>>>
> >>>> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
> >>>>> 1. Default environment will be used for secure boot flow  which
> >>>>> can't be edited or saved.
> >>>>> 2. Command for secure boot is predefined in the default  environment
> >>>>> which will run on autoboot (and autoboot is  the only option allowed
> >>>>> in case of secure boot) and it  looks like this:
> >>>>>  #define CONFIG_SECBOOT \
> >>>>>  "setenv bs_hdraddr 0xe8e00000;"                 \
> >>>>>  "esbc_validate $bs_hdraddr;"                    \
> >>>>>  "source $img_addr;"                             \
> >>>>>  "esbc_halt;"
> >>>>>  #endif
> >>>>> 3. Boot Script can contain esbc_validate commands and bootm command.
> >>>>>  Uboot source command used in default secure boot command will  run
> >>>>> the bootscript.
> >>>>> 4. Command esbc_halt added to ensure either bootm executes  after
> >>>>> validation of images or core should just spin.
> >>>>>
> >>>> What's the purpose of "esbc_halt"? Once it enters the spin, how to
> >>>> get it out?
> >>> The purpose of bootscript is to validate the next level images and then
> >> pass control to it, so bootscript must contain a bootm command. We don't
> >> expect control to return back to u-boot. Hence a command esbc_halt is
> >> introduced which would make the core spin and not provide uboot prompt in
> >> case bootscript doesn't pass control to next level image.
> >>> For secure chain of trust, only validated bootscript should be allowed to
> >> execute and be responsible for passing control to next level image.
> >>>
> >>
> >> Ruchika,
> >>
> >> Do you expect secure boot to run automatically once u-boot reaches the prompt
> >> and the "source $img_addr" to actually boot the OS? You put "esbc_halt" as a
> >> fall-back to catch failure above? It doesn't sounds very secure to me.
> > 
> > The bootscript is first validated. Only an authenticated user, who has the private key can sign the bootscript. Thus validating bootscript is important in secure boot chain of trust. 
> > 
> > You are right regarding fallback as esbc_halt. In the esbc_halt implementation, we will add code to clear security secrets on the chip, and issue a reset. We will send a separate patch for that.
> > 
> 
> Wouldn't it be possible to call a reset/hang/panic when the validation fails,
> before "source $img_addr"?

I'd assume it already has that, but it's still good to have something to
deal with the case where the script returns due to some failure.

-Scott