From: Markus Valentin <mv@denx.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] x86: SecureBoot: Bay Trail
Date: Mon, 20 Feb 2017 10:10:59 +0100
Message-ID: <1487581859.2758.88.camel@denx.de>
In-Reply-To: <CAEUhbmWbavtcAKfnu-4fbLmj4nDRZzmPukQtgRKcUUsu+cK01w@mail.gmail.com>
Hi,
On Fri, 2017-02-17 at 19:58 +0800, Bin Meng wrote:
> On Fri, Feb 17, 2017 at 5:26 PM, Markus Valentin <mv@denx.de> wrote:
> >
> > Hi,
> >
> > I'm implementing Secure Boot with U-Boot on an Intel Atom E3800 Series (Bay
> > Trail) based platform.
> >
> > I did manage to get the first boot stage (Initial Boot Block) verified by
> > the Trusted Execution Engine, next I need to verify the "ramstage" as they
> > call it.
>
> How did you implement the first boot stage? Is it U-Boot SPL?
No, I'm not using SPL, but maybe I should?
Currently I follow the instructions from document #558081 "Enabling Secure Boot
with Intel FSP and coreboot" for Intel® Atom™ Processor E3800 Product
Family.
There they state that I should extract an IBB (Initial Boot Block), which is the
last 127Kib from the u-boot.rom/coreboot.rom file. IBB plus a secure boot
"manifest" is the 1st stage that gets properly authenticated, copied to RAM
and executed (128Kib).
>
> >
> >
> > Intel provides a manual on how to enable Secure Boot with coreboot; in this
> > manual they extract the "ramstage" from the coreboot.rom file via cbfs.
> >
>
> Which manual is this?
#558081 "Enabling Secure Boot with Intel FSP and coreboot" for Intel® Atom™
Processor E3800 Product Family
>
> >
> > How can I get the equivalent for the coreboot-ramstage from U-Boot?
> >
>
> My understanding is that since you already managed to have the
> hardware (TXE) successfully verify the first boot stage, the next step
> is all yours, which means you don't need anything like
> coreboot-ramstage. You can implement whatever loading/authenticating
> mechanism you put in the first boot stage to boot the 2nd stage.
That's a good point, thanks. I already implemented verification in U-Boot for
verification of the fit-image public-key, so I could easily adopt it.
best regards
Markus