From mboxrd@z Thu Jan  1 00:00:00 1970
From: York Sun <yorksun@freescale.com>
Date: Tue, 10 Mar 2015 09:32:33 -0700
Subject: [U-Boot] [PATCH] Add bootscript support to esbc_validate.
In-Reply-To: <BY1PR0301MB1288B9DC21D3D3A445FD7D52EF180@BY1PR0301MB1288.namprd03.prod.outlook.com>
References: <1425976730-14526-1-git-send-email-gaurav.rana@freescale.com>
 <54FF1897.3030602@freescale.com>
 <BY1PR0301MB1288B9DC21D3D3A445FD7D52EF180@BY1PR0301MB1288.namprd03.prod.outlook.com>
Message-ID: <54FF1CA1.80608@freescale.com>
List-Id: <u-boot.lists.denx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote:
> Hi York,
> 
>> -----Original Message-----
>> From: Sun York-R58495
>> Sent: Tuesday, March 10, 2015 9:45 PM
>> To: Rana Gaurav-B46163; u-boot at lists.denx.de
>> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
>>
>>
>>
>> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
>>> 1. Default environment will be used for secure boot flow  which can't
>>> be edited or saved.
>>> 2. Command for secure boot is predefined in the default  environment
>>> which will run on autoboot (and autoboot is  the only option allowed
>>> in case of secure boot) and it  looks like this:
>>>  #define CONFIG_SECBOOT \
>>>  "setenv bs_hdraddr 0xe8e00000;"                 \
>>>  "esbc_validate $bs_hdraddr;"                    \
>>>  "source $img_addr;"                             \
>>>  "esbc_halt;"
>>>  #endif
>>> 3. Boot Script can contain esbc_validate commands and bootm command.
>>>  Uboot source command used in default secure boot command will  run
>>> the bootscript.
>>> 4. Command esbc_halt added to ensure either bootm executes  after
>>> validation of images or core should just spin.
>>>
>> What's the purpose of "esbc_halt"? Once it enters the spin, how to get it
>> out?
> The purpose of bootscript is to validate the next level images and then pass control to it, so bootscript must contain a bootm command. We don't expect control to return back to u-boot. Hence a command esbc_halt is introduced which would make the core spin and not provide uboot prompt in case bootscript doesn't pass control to next level image. 
> For secure chain of trust, only validated bootscript should be allowed to execute and be responsible for passing control to next level image.
> 

Ruchika,

Do you expect secure boot to run automatically once u-boot reaches the prompt
and the "source $img_addr" to actually boot the OS? You put "esbc_halt" as a
fall-back to catch failure above? It doesn't sounds very secure to me.

I am hoping other reviewers can chime in and give comments.

York