From mboxrd@z Thu Jan  1 00:00:00 1970
From: Anatolij Gustschin <agust@denx.de>
Date: Tue, 28 Nov 2017 14:27:14 +0100
Subject: [U-Boot] [PATCH v3 1/6] x86: baytrail: Add fsp-header
 verification for secure boot FSP
In-Reply-To: <CAEUhbmV8JsQO1mu21Fw=7+vFh3gq97un03aKMXdaHnwffzs1Uw@mail.gmail.com>
References: <20171117011305.5655-1-agust@denx.de>
 <CAEUhbmV8JsQO1mu21Fw=7+vFh3gq97un03aKMXdaHnwffzs1Uw@mail.gmail.com>
Message-ID: <20171128142714.0702e65b@crub>
List-Id: <u-boot.lists.denx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Hi Bin,

On Tue, 21 Nov 2017 23:01:08 +0800
Bin Meng bmeng.cn at gmail.com wrote:
...
> > --- a/arch/x86/Kconfig
> > +++ b/arch/x86/Kconfig
> > @@ -350,7 +350,8 @@ config HAVE_FSP
> >  config FSP_FILE
> >         string "Firmware Support Package binary filename"
> >         depends on HAVE_FSP
> > -       default "fsp.bin"
> > +       default "fsp.bin" if !BAYTRAIL_SECURE_BOOT
> > +       default "fsp-sb.bin" if BAYTRAIL_SECURE_BOOT  
> 
> Since this Kconfig is generic to all x86, can we introduce a generic
> name here, something like:
> 
> default "fsp-sb.bin" if SECURE_BOOT
> 
> Then in the arch/x86/cpu/baytrail/Kconfig, we can have:
> 
> config BAYTRAIL_SECURE_BOOT
>         depends on HAVE_FSP
>         depends on SECURE_BOOT
>         default y if SECURE_BOOT

Ok, will rework in v4.

> Does U-Boot have any generic Kconfig option for secure boot?

No, currently there is not such generic option. But CONFIG_SECURE_BOOT
is used in some powerpc and arm configs. I'll add the generic option
to the top level Kconfig.
 
...
> > @@ -130,6 +140,20 @@ void fsp_init(u32 stack_top, u32 boot_mode, void *nvs_buf)
> >
> >         fsp_upd = &config_data.fsp_upd;
> >
> > +       /*
> > +        * On some platforms there is no 'enable_secure_boot' field
> > +        * in VPD region struct, so we have to use ifdef here.
> > +        */
> > +       #ifdef CONFIG_BAYTRAIL_SECURE_BOOT
> > +       /*
> > +        * If the enable secure boot flag is not 1, secure boot has not
> > +        * been activated in the FSP which results in the TXE-Engine not
> > +        * getting loaded
> > +        */
> > +       printf("FSP: Secure Boot %sabled\n",
> > +              fsp_vpd->enable_secure_boot == 1 ? "en" : "dis");
> > +       #endif
> > +  
> 
> Can we introduce some APIs like fsp_secure_boot_check() and move the
> above 2 blocks into baytrail directory that implements the API?

this makes sense, thanks. I'll add it as fsp_verify_boot_image() API
function that is empty when SECURE_BOOT not enabled.

Thanks,
Anatolij