From: York Sun <yorksun@freescale.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH] Add bootscript support to esbc_validate.
Date: Tue, 10 Mar 2015 09:32:33 -0700 [thread overview]
Message-ID: <54FF1CA1.80608@freescale.com> (raw)
In-Reply-To: <BY1PR0301MB1288B9DC21D3D3A445FD7D52EF180@BY1PR0301MB1288.namprd03.prod.outlook.com>
On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote:
> Hi York,
>
>> -----Original Message-----
>> From: Sun York-R58495
>> Sent: Tuesday, March 10, 2015 9:45 PM
>> To: Rana Gaurav-B46163; u-boot at lists.denx.de
>> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
>>
>>
>>
>> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
>>> 1. Default environment will be used for secure boot flow which can't
>>> be edited or saved.
>>> 2. Command for secure boot is predefined in the default environment
>>> which will run on autoboot (and autoboot is the only option allowed
>>> in case of secure boot) and it looks like this:
>>> #define CONFIG_SECBOOT \
>>> "setenv bs_hdraddr 0xe8e00000;" \
>>> "esbc_validate $bs_hdraddr;" \
>>> "source $img_addr;" \
>>> "esbc_halt;"
>>> #endif
>>> 3. Boot Script can contain esbc_validate commands and bootm command.
>>> Uboot source command used in default secure boot command will run
>>> the bootscript.
>>> 4. Command esbc_halt added to ensure either bootm executes after
>>> validation of images or core should just spin.
>>>
>> What's the purpose of "esbc_halt"? Once it enters the spin, how to get it
>> out?
> The purpose of bootscript is to validate the next level images and then pass control to it, so bootscript must contain a bootm command. We don't expect control to return back to u-boot. Hence a command esbc_halt is introduced which would make the core spin and not provide uboot prompt in case bootscript doesn't pass control to next level image.
> For secure chain of trust, only validated bootscript should be allowed to execute and be responsible for passing control to next level image.
>
Ruchika,
Do you expect secure boot to run automatically once u-boot reaches the prompt
and the "source $img_addr" to actually boot the OS? You put "esbc_halt" as a
fall-back to catch failure above? It doesn't sounds very secure to me.
I am hoping other reviewers can chime in and give comments.
York
next prev parent reply other threads:[~2015-03-10 16:32 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-10 8:38 [U-Boot] [PATCH] Add bootscript support to esbc_validate Gaurav Rana
2015-03-10 16:15 ` York Sun
2015-03-10 16:25 ` Ruchika Gupta
2015-03-10 16:32 ` York Sun [this message]
2015-03-11 10:39 ` Ruchika Gupta
2015-03-11 17:50 ` York Sun
2015-03-11 18:44 ` Scott Wood
2015-03-11 18:47 ` York Sun
2015-04-23 23:26 ` York Sun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54FF1CA1.80608@freescale.com \
--to=yorksun@freescale.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox