From: Anatolij Gustschin <agust@denx.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH v3 1/6] x86: baytrail: Add fsp-header verification for secure boot FSP
Date: Tue, 28 Nov 2017 14:27:14 +0100 [thread overview]
Message-ID: <20171128142714.0702e65b@crub> (raw)
In-Reply-To: <CAEUhbmV8JsQO1mu21Fw=7+vFh3gq97un03aKMXdaHnwffzs1Uw@mail.gmail.com>
Hi Bin,
On Tue, 21 Nov 2017 23:01:08 +0800
Bin Meng bmeng.cn at gmail.com wrote:
...
> > --- a/arch/x86/Kconfig
> > +++ b/arch/x86/Kconfig
> > @@ -350,7 +350,8 @@ config HAVE_FSP
> > config FSP_FILE
> > string "Firmware Support Package binary filename"
> > depends on HAVE_FSP
> > - default "fsp.bin"
> > + default "fsp.bin" if !BAYTRAIL_SECURE_BOOT
> > + default "fsp-sb.bin" if BAYTRAIL_SECURE_BOOT
>
> Since this Kconfig is generic to all x86, can we introduce a generic
> name here, something like:
>
> default "fsp-sb.bin" if SECURE_BOOT
>
> Then in the arch/x86/cpu/baytrail/Kconfig, we can have:
>
> config BAYTRAIL_SECURE_BOOT
> depends on HAVE_FSP
> depends on SECURE_BOOT
> default y if SECURE_BOOT
Ok, will rework in v4.
> Does U-Boot have any generic Kconfig option for secure boot?
No, currently there is not such generic option. But CONFIG_SECURE_BOOT
is used in some powerpc and arm configs. I'll add the generic option
to the top level Kconfig.
...
> > @@ -130,6 +140,20 @@ void fsp_init(u32 stack_top, u32 boot_mode, void *nvs_buf)
> >
> > fsp_upd = &config_data.fsp_upd;
> >
> > + /*
> > + * On some platforms there is no 'enable_secure_boot' field
> > + * in VPD region struct, so we have to use ifdef here.
> > + */
> > + #ifdef CONFIG_BAYTRAIL_SECURE_BOOT
> > + /*
> > + * If the enable secure boot flag is not 1, secure boot has not
> > + * been activated in the FSP which results in the TXE-Engine not
> > + * getting loaded
> > + */
> > + printf("FSP: Secure Boot %sabled\n",
> > + fsp_vpd->enable_secure_boot == 1 ? "en" : "dis");
> > + #endif
> > +
>
> Can we introduce some APIs like fsp_secure_boot_check() and move the
> above 2 blocks into baytrail directory that implements the API?
this makes sense, thanks. I'll add it as fsp_verify_boot_image() API
function that is empty when SECURE_BOOT not enabled.
Thanks,
Anatolij
prev parent reply other threads:[~2017-11-28 13:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-17 1:13 [U-Boot] [PATCH v3 1/6] x86: baytrail: Add fsp-header verification for secure boot FSP Anatolij Gustschin
2017-11-20 15:40 ` Simon Glass
2017-11-21 15:01 ` Bin Meng
2017-11-28 13:27 ` Anatolij Gustschin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171128142714.0702e65b@crub \
--to=agust@denx.de \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox