From: "Jorge Ramirez-Ortiz, Foundries" <jorge@foundries.io>
To: michal.simek@xilinx.com, trini@konsulko.com, sjg@chromium.org
Cc: u-boot@lists.denx.de, ricardo@foundries.io, mike@foundries.io,
igor.opaniuk@foundries.io
Subject: FIT image: load secure FPGA
Date: Mon, 4 Oct 2021 22:32:26 +0200 [thread overview]
Message-ID: <20211004203226.GA4704@trex> (raw)
Hello,
We are enabling secure boot on Zynqmp with SPL.
The issue however is that during secure boot, the bootrom not only
validates the first loader (SPL and PMUFW combo) but it will also
expect a signed bitstream during load(FPGA).
Since currently the SPL load of an FPGA image from FIT does not
support loading images for authentication (fpga_loads), I'd like to
discuss how to best implement such support.
A pretty standard file.its description of the FPGA loadable looks like
this:
fpga {
description = "FPGA binary";
data = /incbin/("${DEPLOY_DIR_IMAGE}/${SPL_FPGA_BINARY}");
type = "fpga";
arch = "${UBOOT_ARCH}";
compression = "none";
load = <${fpgaloadaddr}>;
hash-1 {
algo = "${FIT_HASH_ALG}";
};
};
We could extend imagetool.h struct image_tool_params to add more
params or perhpas just define different 'types' of fpga?
Something like:
"fpga"
"fpga-auth" : authenticated
"fpga-enc" : encrypted
"fpga-sec" : encrypted and authenticated
Then it would be a matter of modifying
https://github.com/u-boot/u-boot/blob/master/common/spl/spl_fit.c#L572
any thoughts?
TIA
Jorge
next reply other threads:[~2021-10-04 20:32 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-04 20:32 Jorge Ramirez-Ortiz, Foundries [this message]
2021-10-04 20:54 ` FIT image: load secure FPGA Alex G.
2021-10-05 5:45 ` Jorge Ramirez-Ortiz, Foundries
2021-10-05 6:08 ` Jorge Ramirez-Ortiz, Foundries
2021-10-05 12:14 ` Michal Simek
2022-01-19 16:03 ` Adrian Fiergolski
2022-01-19 16:44 ` Jorge Ramirez-Ortiz, Foundries
2022-01-19 16:51 ` Jorge Ramirez-Ortiz, Foundries
2022-01-19 17:22 ` Jorge Ramirez-Ortiz, Foundries
2022-01-19 17:48 ` Oleksandr Suvorov
2022-02-07 12:24 ` Adrian Fiergolski
2022-02-09 7:51 ` Jorge Ramirez-Ortiz, Foundries
2022-02-09 12:20 ` Adrian Fiergolski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211004203226.GA4704@trex \
--to=jorge@foundries.io \
--cc=igor.opaniuk@foundries.io \
--cc=michal.simek@xilinx.com \
--cc=mike@foundries.io \
--cc=ricardo@foundries.io \
--cc=sjg@chromium.org \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox