From mboxrd@z Thu Jan 1 00:00:00 1970
From: Markus Valentin
Date: Mon, 20 Feb 2017 10:10:59 +0100
Subject: [U-Boot] x86: SecureBoot: Bay Trail
In-Reply-To:
References: <1487323614.2758.64.camel@denx.de>
Message-ID: <1487581859.2758.88.camel@denx.de>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Hi,

On Fri, 2017-02-17 at 19:58 +0800, Bin Meng wrote:
> On Fri, Feb 17, 2017 at 5:26 PM, Markus Valentin wrote:
> >
> > Hi,
> >
> > I'm implementing Secure Boot with U-Boot on an Intel Atom E3800 Series
> > (Bay Trail) based platform.
> >
> > I did manage to get the first boot stage (Initial Boot Block) verified
> > by the Trusted Execution Engine, next I need to verify the "ramstage"
> > as they call it.
>
> How did you implement the first boot stage? Is it U-Boot SPL?

No, I'm not using SPL, but maybe I should?
Currently I follow the instructions from document #558081 "Enabling Secure
Boot with Intel FSP and coreboot" for Intel® Atom™ Processor E3800 Product
Family. There they state that I should extract an IBB (Initial Boot Block),
which is the last 127 KiB from the u-boot.rom/coreboot.rom file.
IBB plus a secure boot "manifest" is the 1st stage that gets properly
authenticated, copied to RAM and executed (128 KiB).

> >
> > Intel provides a manual on how to enable Secure Boot with coreboot; in
> > this manual they extract the "ramstage" from the coreboot.rom file via
> > cbfs.
> >
>
> Which manual is this?

#558081 "Enabling Secure Boot with Intel FSP and coreboot" for Intel® Atom™
Processor E3800 Product Family

> >
> > How can I get the equivalent for the coreboot-ramstage from U-Boot?
> >
>
> My understanding is that since you already managed to have the
> hardware (TXE) successfully verify the first boot stage, the next step
> is all yours, which means you don't need anything like
> coreboot-ramstage. You can implement whatever loading/authenticating
> mechanism you put in the first boot stage to boot the 2nd stage.

That's a good point, thanks. I already implemented verification in U-Boot for
verification of the fit-image public-key, so I could easily adopt it.

best regards
Markus
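
The IBB extraction step mentioned in the message above, as an added example (not part of the original e-mail, and not code from U-Boot, coreboot or the Intel document). The function names and the sample ROM are constructed for illustration; the example assumes the usual x86 layout in which the image ends at the top of the flash mapping, so the reset vector sits in its last 16 bytes, and SHA-256 is used here only to compare builds, not as a statement about the manifest format.

```python
import hashlib

IBB_SIZE = 127 * 1024     # size given in the thread: last 127 KiB of the ROM
RESET_VECTOR_LEN = 16     # assumption: reset vector is the last 16 bytes


def extract_ibb(rom: bytes) -> bytes:
    """Return the last 127 KiB of a ROM image, rejecting obviously bad input."""
    if len(rom) < IBB_SIZE:
        raise ValueError(f"ROM is {len(rom)} bytes, smaller than the IBB")
    ibb = rom[-IBB_SIZE:]
    # Erased or padded flash reads back as 0xFF. A blank reset vector means
    # the slice was taken from the wrong file or from an unpopulated image.
    if ibb[-RESET_VECTOR_LEN:] == b"\xff" * RESET_VECTOR_LEN:
        raise ValueError("reset vector is erased (all 0xFF)")
    return ibb


def ibb_digest(rom: bytes) -> str:
    """SHA-256 of the extracted IBB, e.g. to compare two builds."""
    return hashlib.sha256(extract_ibb(rom)).hexdigest()


def make_sample_rom(size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed stand-in for u-boot.rom: padding, filler code, a jump."""
    rom = bytearray(b"\xff" * size)
    code_len = IBB_SIZE - RESET_VECTOR_LEN
    filler = bytes(i % 251 for i in range(code_len))      # placeholder code
    rom[-IBB_SIZE:-RESET_VECTOR_LEN] = filler
    rom[-RESET_VECTOR_LEN:] = b"\xe9\x00\xf0" + b"\x90" * 13  # constructed
    return bytes(rom)


if __name__ == "__main__":
    print(ibb_digest(make_sample_rom()))
```

Only bytes inside the last 127 KiB influence the digest, which is the practical consequence of the layout described in the thread: everything outside the IBB has to be authenticated by code that lives inside it.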