From mboxrd@z Thu Jan 1 00:00:00 1970 From: Gary Bisson Date: Wed, 24 Aug 2016 12:17:57 +0200 Subject: [U-Boot] [PATCH 3/3] nitrogen6x: add secure boot support In-Reply-To: References: <1471989321-25280-1-git-send-email-gary.bisson@boundarydevices.com> <1471989321-25280-4-git-send-email-gary.bisson@boundarydevices.com> Message-ID: <20160824101757.GC7045@t450s.lan> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de Hi Eric, all, On Tue, Aug 23, 2016 at 05:35:14PM -0700, Eric Nelson wrote: > Hi Gary, > > On 08/23/2016 02:55 PM, Gary Bisson wrote: > > Selecting the proper options to enable the build of the HAB tools. > > > > Also adding a CSF section to the imx final image so it can contain > > the signature information. > > > > Note, this support is disabled by default, one will have to select > > the SECURE_BOOT configuration through menuconfig to enable it. > > > > Signed-off-by: Gary Bisson > > --- > > board/boundary/nitrogen6x/nitrogen6dl.cfg | 3 +++ > > board/boundary/nitrogen6x/nitrogen6dl2g.cfg | 3 +++ > > board/boundary/nitrogen6x/nitrogen6q.cfg | 3 +++ > > board/boundary/nitrogen6x/nitrogen6q2g.cfg | 3 +++ > > board/boundary/nitrogen6x/nitrogen6s.cfg | 3 +++ > > board/boundary/nitrogen6x/nitrogen6s1g.cfg | 3 +++ > > include/configs/nitrogen6x.h | 9 +++++++++ > > 7 files changed, 27 insertions(+) > > > > diff --git a/board/boundary/nitrogen6x/nitrogen6dl.cfg b/board/boundary/nitrogen6x/nitrogen6dl.cfg > > index 1cdccad..5c3e961 100644 > > --- a/board/boundary/nitrogen6x/nitrogen6dl.cfg > > +++ b/board/boundary/nitrogen6x/nitrogen6dl.cfg > > @@ -20,6 +20,9 @@ BOOT_FROM spi > > > > #define __ASSEMBLY__ > > #include > > +#ifdef CONFIG_SECURE_BOOT > > +CSF CONFIG_CSF_SIZE > > +#endif > > #include "asm/arch/mx6-ddr.h" > > #include "asm/arch/iomux.h" > > #include "asm/arch/crm_regs.h" > > diff --git a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg > > index 516d67e..fe19ed0 100644 > > --- a/board/boundary/nitrogen6x/nitrogen6dl2g.cfg > > +++ b/board/boundary/nitrogen6x/nitrogen6dl2g.cfg > > @@ -20,6 +20,9 @@ BOOT_FROM spi > > > > #define __ASSEMBLY__ > > #include > > +#ifdef CONFIG_SECURE_BOOT > > +CSF CONFIG_CSF_SIZE > > +#endif > > #include "asm/arch/mx6-ddr.h" > > #include "asm/arch/iomux.h" > > #include "asm/arch/crm_regs.h" > > diff --git a/board/boundary/nitrogen6x/nitrogen6q.cfg b/board/boundary/nitrogen6x/nitrogen6q.cfg > > index b6642e6..60e1885 100644 > > --- a/board/boundary/nitrogen6x/nitrogen6q.cfg > > +++ b/board/boundary/nitrogen6x/nitrogen6q.cfg > > @@ -20,6 +20,9 @@ BOOT_FROM spi > > > > #define __ASSEMBLY__ > > #include > > +#ifdef CONFIG_SECURE_BOOT > > +CSF CONFIG_CSF_SIZE > > +#endif > > #include "asm/arch/mx6-ddr.h" > > #include "asm/arch/iomux.h" > > #include "asm/arch/crm_regs.h" > > diff --git a/board/boundary/nitrogen6x/nitrogen6q2g.cfg b/board/boundary/nitrogen6x/nitrogen6q2g.cfg > > index fe6dfc1..7a3ee94 100644 > > --- a/board/boundary/nitrogen6x/nitrogen6q2g.cfg > > +++ b/board/boundary/nitrogen6x/nitrogen6q2g.cfg > > @@ -20,6 +20,9 @@ BOOT_FROM spi > > > > #define __ASSEMBLY__ > > #include > > +#ifdef CONFIG_SECURE_BOOT > > +CSF CONFIG_CSF_SIZE > > +#endif > > #include "asm/arch/mx6-ddr.h" > > #include "asm/arch/iomux.h" > > #include "asm/arch/crm_regs.h" > > diff --git a/board/boundary/nitrogen6x/nitrogen6s.cfg b/board/boundary/nitrogen6x/nitrogen6s.cfg > > index ca30cd6..2540b7b 100644 > > --- a/board/boundary/nitrogen6x/nitrogen6s.cfg > > +++ b/board/boundary/nitrogen6x/nitrogen6s.cfg > > @@ -20,6 +20,9 @@ BOOT_FROM spi > > > > #define __ASSEMBLY__ > > #include > > +#ifdef CONFIG_SECURE_BOOT > > +CSF CONFIG_CSF_SIZE > > +#endif > > #include "asm/arch/mx6-ddr.h" > > #include "asm/arch/iomux.h" > > #include "asm/arch/crm_regs.h" > > diff --git a/board/boundary/nitrogen6x/nitrogen6s1g.cfg b/board/boundary/nitrogen6x/nitrogen6s1g.cfg > > index b1489fb..946af7b 100644 > > --- a/board/boundary/nitrogen6x/nitrogen6s1g.cfg > > +++ b/board/boundary/nitrogen6x/nitrogen6s1g.cfg > > @@ -20,6 +20,9 @@ BOOT_FROM spi > > > > #define __ASSEMBLY__ > > #include > > +#ifdef CONFIG_SECURE_BOOT > > +CSF CONFIG_CSF_SIZE > > +#endif > > #include "asm/arch/mx6-ddr.h" > > #include "asm/arch/iomux.h" > > #include "asm/arch/crm_regs.h" > > diff --git a/include/configs/nitrogen6x.h b/include/configs/nitrogen6x.h > > index b651eb3..3281e42 100644 > > --- a/include/configs/nitrogen6x.h > > +++ b/include/configs/nitrogen6x.h > > @@ -35,6 +35,15 @@ > > #define CONFIG_SF_DEFAULT_MODE (SPI_MODE_0) > > #endif > > > > +/* Secure boot (HAB) support */ > > +#ifdef CONFIG_SECURE_BOOT > > +#define CONFIG_CSF_SIZE 0x2000 > > +#define CONFIG_SYS_FSL_SEC_COMPAT 4 > > +#define CONFIG_FSL_CAAM > > +#define CONFIG_CMD_DEKBLOB > > +#define CONFIG_SYS_FSL_SEC_LE > > +#endif > > + > > I agree with the comment in your cover letter, that this belongs > in a common place. Does Fabio agree with that? Also, should we differenciate the options needed for signature only (SECURE_BOOT and CSF_SIZE) to the other that are only useful when encryption is needed. Regards, Gary