From: Jun Nie <jun.nie@linaro.org>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH] rpi3: Enable verified boot from FIT image
Date: Thu, 11 Jul 2019 11:55:37 +0800
Message-ID: <1562817337-949-1-git-send-email-jun.nie@linaro.org>

Enable verified boot from FIT image with select configs
and specify boot script image node in FIT image; the FIT
image is verified before it is run.

Code that reuses the dtb in firmware is disabled, so that
the dtb with public key packed in u-boot.bin can be used
to verify the signature of next stage FIT image.

Signed-off-by: Jun Nie <jun.nie@linaro.org>
---
 board/raspberrypi/rpi/rpi.c |  6 ++++++
 include/configs/rpi.h       | 15 ++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/board/raspberrypi/rpi/rpi.c b/board/raspberrypi/rpi/rpi.c
index 617c892..950ee84 100644
--- a/board/raspberrypi/rpi/rpi.c
+++ b/board/raspberrypi/rpi/rpi.c
@@ -297,6 +297,7 @@ static void set_fdtfile(void)
 	env_set("fdtfile", fdtfile);
 }
 
+#ifndef CONFIG_FIT_SIGNATURE
 /*
  * If the firmware provided a valid FDT at boot time, let's expose it in
  * ${fdt_addr} so it may be passed unmodified to the kernel.
@@ -311,6 +312,7 @@ static void set_fdt_addr(void)
 
 	env_set_hex("fdt_addr", fw_dtb_pointer);
 }
+#endif
 
 /*
  * Prevent relocation from stomping on a firmware provided FDT blob.
@@ -393,7 +395,9 @@ static void set_serial_number(void)
 
 int misc_init_r(void)
 {
+#ifndef CONFIG_FIT_SIGNATURE
 	set_fdt_addr();
+#endif
 	set_fdtfile();
 	set_usbethaddr();
 #ifdef CONFIG_ENV_VARS_UBOOT_RUNTIME_CONFIG
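Review bot: The guard around set_fdt_addr() in misc_init_r() is not explained by the commit message. According to the comment above its definition, that function only exposes the firmware FDT in ${fdt_addr} so it can be passed to the kernel; it does not choose the DTB that U-Boot itself uses to check signatures. With CONFIG_FIT_SIGNATURE set, any boot script that references ${fdt_addr} will now find it unset. If the intent is to keep an unverified firmware DTB away from the kernel under verified boot, say so in the commit message and in a comment next to the #ifndef; otherwise drop this guard and keep only the one on board_fdt_blob_setup().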
@@ -470,6 +474,7 @@ int board_init(void)
 	return bcm2835_power_on_module(BCM2835_MBOX_POWER_DEVID_USB_HCD);
 }
 
+#ifndef CONFIG_FIT_SIGNATURE
 /*
  * If the firmware passed a device tree use it for U-Boot.
  */
@@ -479,6 +484,7 @@ void *board_fdt_blob_setup(void)
 		return NULL;
 	return (void *)fw_dtb_pointer;
 }
+#endif
 
 int ft_board_setup(void *blob, bd_t *bd)
 {
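Review bot: Compiling out board_fdt_blob_setup() on CONFIG_FIT_SIGNATURE ties the choice of control DTB to an unrelated option, and the diffstat shows no defconfig or Kconfig change that makes U-Boot use a DTB packed into u-boot.bin instead. A build that still expects the board to supply the FDT (CONFIG_OF_BOARD) would lose its provider when this function disappears. Consider keying the guard on the option that selects where the control DTB comes from, or at least document which options must be enabled together with CONFIG_FIT_SIGNATURE for the key-bearing DTB to be the one actually used.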
diff --git a/include/configs/rpi.h b/include/configs/rpi.h
index f76c7d1..ba91205 100644
--- a/include/configs/rpi.h
+++ b/include/configs/rpi.h
@@ -180,11 +180,24 @@
 
 #include <config_distro_bootcmd.h>
 
+#ifdef CONFIG_FIT_SIGNATURE
+#define FIT_BOOT_CMD							\
+	"boot_a_script="						\
+		"load ${devtype} ${devnum}:${distro_bootpart} "		\
+			"${scriptaddr} ${prefix}${script}; "		\
+		"iminfo ${scriptaddr};" 				\
+		"if test $? -eq 1; then reset; fi;"			\
+		"source ${scriptaddr}:bootscr\0"
+#else
+#define FIT_BOOT_CMD	""
+#endif
+
 #define CONFIG_EXTRA_ENV_SETTINGS \
 	"dhcpuboot=usb start; dhcp u-boot.uimg; bootm\0" \
 	ENV_DEVICE_SETTINGS \
 	ENV_MEM_LAYOUT_SETTINGS \
-	BOOTENV
+	BOOTENV \
+	FIT_BOOT_CMD
 
 
 #endif
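Review bot: The failure check in FIT_BOOT_CMD, "if test $? -eq 1; then reset; fi;", only catches an exit status of exactly 1 from iminfo and ignores the result of the preceding load, so a failed load leaves whatever was already at ${scriptaddr} to be inspected and then sourced. Make the source conditional on success instead, for example "if iminfo ${scriptaddr}; then source ${scriptaddr}:bootscr; else reset; fi", and chain the load with && so nothing runs when it fails. Two smaller points: boot_a_script is also defined by BOOTENV, so this override depends on FIT_BOOT_CMD being placed after it in CONFIG_EXTRA_ENV_SETTINGS, which deserves a comment; and the iminfo line has a space before the tabs ahead of the trailing backslash.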
-- 
2.7.4
