public inbox for u-boot@lists.denx.de
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [U-Boot] [RFC 06/15] secure boot: rename CONFIG_SECURE_BOOT
Date: Tue, 29 Oct 2019 14:19:28 +0900
Message-ID: <20191029051927.GR10448@linaro.org>
In-Reply-To: <VE1PR04MB64943976EF0777ACBA4C0383E6870@VE1PR04MB6494.eurprd04.prod.outlook.com>

Priyanka, Stefano and Tom,

On Wed, Sep 25, 2019 at 04:19:43AM +0000, Priyanka Jain wrote:
> 
> 
> >-----Original Message-----
> >From: Stefano Babic <sbabic@denx.de>
> >Sent: Thursday, September 19, 2019 8:40 PM
> >To: Tom Rini <trini@konsulko.com>; AKASHI Takahiro
> ><takahiro.akashi@linaro.org>; Priyanka Jain <priyanka.jain@nxp.com>;
> >Stefano Babic <sbabic@denx.de>
> >Cc: xypron.glpk at gmx.de; agraf at csgraf.de; u-boot at lists.denx.de
> >Subject: Re: [U-Boot] [RFC 06/15] secure boot: rename CONFIG_SECURE_BOOT
> >
> >On 19/09/19 17:02, Tom Rini wrote:
> >> On Wed, Sep 18, 2019 at 10:26:34AM +0900, AKASHI Takahiro wrote:
> >>
> >>> The configuration, CONFIG_SECURE_BOOT, was scattered among different
> >>> architecture directories for different implementations. This will
> >>> prevent UEFI secure boot from being added later.
> >>>
> >>> So let's rename them, giving each implementation a different
> >>> configuration option. CONFIG_SECURE_BOOT still remains so as not to break
> >>> existing implicit dependency.
> >>>
> >>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >>> ---
> >>>  Kconfig                                   | 7 +++++++
> >>>  arch/arm/cpu/armv7/ls102xa/Kconfig        | 3 ++-
> >>>  arch/arm/cpu/armv8/fsl-layerscape/Kconfig | 3 ++-
> >>>  arch/arm/mach-imx/Kconfig                 | 3 ++-
> >>>  arch/powerpc/cpu/mpc85xx/Kconfig          | 3 ++-
> >>>  5 files changed, 15 insertions(+), 4 deletions(-)
> >>>
> >>> diff --git a/Kconfig b/Kconfig
> >>> index 1f0904f7045e..c11fc102a7d4 100644
> >>> --- a/Kconfig
> >>> +++ b/Kconfig
> >>> @@ -282,6 +282,13 @@ config SYS_LDSCRIPT
> >>>
> >>>  endmenu		# General setup
> >>>
> >>> +config SECURE_BOOT
> >>> +	bool "Secure Boot"
> >>> +	imply SHA256
> >>> +	help
> >>> +	  Enable Secure Boot feature. The actual behavior may vary
> >>> +	  from architecture to architecture.
> >>> +
> >>>  menu "Boot images"
> >>>
> >>>  config ANDROID_BOOT_IMAGE
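Review bot: the help text on the new top-level `config SECURE_BOOT` ("The actual behavior may vary from architecture to architecture") does not tell a user what enabling it does, and `imply SHA256` is given no rationale. Since each implementation below now has its own symbol that `depends on SECURE_BOOT`, describe this option as the umbrella gate for those symbols and say why SHA256 is implied, or drop the generic symbol and keep only the implementation-specific names.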
> >>> diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig
> >>> b/arch/arm/cpu/armv7/ls102xa/Kconfig
> >>> index 94fa68250ddf..ce1bc580d23d 100644
> >>> --- a/arch/arm/cpu/armv7/ls102xa/Kconfig
> >>> +++ b/arch/arm/cpu/armv7/ls102xa/Kconfig
> >>> @@ -50,8 +50,9 @@ config MAX_CPUS
> >>>  	  cores, count the reserved ports. This will allocate enough memory
> >>>  	  in spin table to properly handle all cores.
> >>>
> >>> -config SECURE_BOOT
> >>> +config FSL_ARMV7_ENABLE_SECURE_BOOT
> >>>  	bool	"Secure Boot"
> >>> +	depends on SECURE_BOOT
> >>>  	help
> >>>  		Enable Freescale Secure Boot feature. Normally selected
> >>>  		by defconfig. If unsure, do not change.
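Review bot: the prompt `bool "Secure Boot"` on FSL_ARMV7_ENABLE_SECURE_BOOT is now identical to the prompt of the new top-level SECURE_BOOT that it depends on, so menuconfig will show two entries with the same label. Give this one a prompt that names the implementation, in line with its help text ("Enable Freescale Secure Boot feature"), so the two can be told apart.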
> >>> diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> >>> b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> >>> index 42d31fdab0a0..d4cfe31f8ebf 100644
> >>> --- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> >>> +++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> >>> @@ -383,8 +383,9 @@ config EMC2305
> >>>  	 Enable the EMC2305 fan controller for configuration of fan
> >>>  	 speed.
> >>>
> >>> -config SECURE_BOOT
> >>> +config FSI_ARMV8_ENABLE_SECURE_BOOT
> >>>  	bool "Secure Boot"
> >>> +	depends on SECURE_BOOT
> >>>  	help
> >>>  		Enable Freescale Secure Boot feature
> >>>
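Review bot: the new symbol is spelled `FSI_ARMV8_ENABLE_SECURE_BOOT`, while the other three renames in this patch use the `FSL_` prefix (FSL_ARMV7_, FSL_IMX_, FSL_MPC_). This looks like a typo for `FSL_ARMV8_ENABLE_SECURE_BOOT`; fixing it now avoids a second rename once code or defconfigs start referencing the name.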
> >>> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
> >>> index aeb54934888d..e1602fd5f0e8 100644
> >>> --- a/arch/arm/mach-imx/Kconfig
> >>> +++ b/arch/arm/mach-imx/Kconfig
> >>> @@ -34,8 +34,9 @@ config USE_IMXIMG_PLUGIN
> >>>  	  i.MX6/7 supports DCD and Plugin. Enable this configuration
> >>>  	  to use Plugin, otherwise DCD will be used.
> >>>
> >>> -config SECURE_BOOT
> >>> +config FSL_IMX_ENABLE_SECURE_BOOT
> >>>  	bool "Support i.MX HAB features"
> >>> +	depends on SECURE_BOOT
> >>>  	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
> >>>  	select FSL_CAAM if HAS_CAAM
> >>>  	imply CMD_DEKBLOB
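Review bot: `select FSL_CAAM if HAS_CAAM` and `imply CMD_DEKBLOB` now hang off FSL_IMX_ENABLE_SECURE_BOOT, so a configuration that sets only SECURE_BOOT=y no longer pulls them in unless the new symbol is enabled as well. Either convert any i.MX configs that rely on this in the same patch or call the behaviour change out in the commit message. The prompt already reads "Support i.MX HAB features", so a symbol name that mentions HAB would match it better than the generic ENABLE_SECURE_BOOT suffix.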
> >>> diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig
> >>> b/arch/powerpc/cpu/mpc85xx/Kconfig
> >>> index c038a6ddb0f4..9cf6ebbfe3ce 100644
> >>> --- a/arch/powerpc/cpu/mpc85xx/Kconfig
> >>> +++ b/arch/powerpc/cpu/mpc85xx/Kconfig
> >>> @@ -1208,8 +1208,9 @@ config FSL_LAW
> >>>  	help
> >>>  		Use Freescale common code for Local Access Window
> >>>
> >>> -config SECURE_BOOT
> >>> +config FSL_MPC_ENABLE_SECURE_BOOT
> >>>  	bool	"Secure Boot"
> >>> +	depends on SECURE_BOOT
> >>>  	help
> >>>  		Enable Freescale Secure Boot feature. Normally selected
> >>>  		by defconfig. If unsure, do not change.
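Review bot: the help still says "Normally selected by defconfig", but the diffstat lists only Kconfig files, so no defconfig in this patch sets FSL_MPC_ENABLE_SECURE_BOOT, and the symbol has no default. As written it stays off for a board that only sets SECURE_BOOT=y. Add a `default y` below the `depends on SECURE_BOOT` line or convert the defconfigs in the same patch.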
> >>
> >> I've added Priyanka Jain to the thread as the custodian for PowerPC
> >> and NXP stuff and Stefano Babic as the custodian for i.MX stuff.  I
> >> don't want to see "CONFIG_SECURE_BOOT" continue on as a config option,
> >> it's too broad.  Can we please rename and update the existing NXP
> >> CONFIG option (and I assume split it into a few ones to reflect better
> >> where things really changed fundamentally from one SoC/arch to the
> >> next) and update the help text?  Thanks!
> >
> >Sure - SECURE_BOOT for NXP means enabling HAB, a config can be renamed to
> >identify the component itself (CONFIG_HAB for example).
> >
> >Regards,
> >Stefano
> >
> Sure, we will look into this and update NXP CONFIG_SECURE_BOOT option.
> Priyanka

Can we expect this re-work on NXP/Freescale platforms to be done
in the current release cycle, that is v2020.01?

If not, can I continue to use my patch[1] as part of my UEFI secure boot
patch set for the time being?

  [1] https://lists.denx.de/pipermail/u-boot/2019-September/383908.html

Thanks,
-Takahiro Akashi


