From mboxrd@z Thu Jan 1 00:00:00 1970
From: York Sun
Date: Wed, 11 Mar 2015 11:47:25 -0700
Subject: [U-Boot] [PATCH] Add bootscript support to esbc_validate.
In-Reply-To: <1426099497.30327.62.camel@freescale.com>
References: <1425976730-14526-1-git-send-email-gaurav.rana@freescale.com>
 <54FF1897.3030602@freescale.com>
 <54FF1CA1.80608@freescale.com>
 <55008078.2020201@freescale.com>
 <1426099497.30327.62.camel@freescale.com>
Message-ID: <55008DBD.9020404@freescale.com>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

On 03/11/2015 11:44 AM, Scott Wood wrote:
> On Wed, 2015-03-11 at 10:50 -0700, York Sun wrote:
>>
>> On 03/11/2015 03:39 AM, Gupta Ruchika-R66431 wrote:
>>> Hi York,
>>>
>>>> -----Original Message-----
>>>> From: Sun York-R58495
>>>> Sent: Tuesday, March 10, 2015 10:03 PM
>>>> To: Gupta Ruchika-R66431; Rana Gaurav-B46163; u-boot at lists.denx.de
>>>> Cc: Wood Scott-B07421; Bansal Aneesh-B39320
>>>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
>>>>
>>>> On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote:
>>>>> Hi York,
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Sun York-R58495
>>>>>> Sent: Tuesday, March 10, 2015 9:45 PM
>>>>>> To: Rana Gaurav-B46163; u-boot at lists.denx.de
>>>>>> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
>>>>>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
>>>>>>> 1. Default environment will be used for secure boot flow which
>>>>>>> can't be edited or saved.
>>>>>>> 2. Command for secure boot is predefined in the default environment
>>>>>>> which will run on autoboot (and autoboot is the only option allowed
>>>>>>> in case of secure boot) and it looks like this:
>>>>>>> #define CONFIG_SECBOOT \
>>>>>>> "setenv bs_hdraddr 0xe8e00000;" \
>>>>>>> "esbc_validate $bs_hdraddr;" \
>>>>>>> "source $img_addr;" \
>>>>>>> "esbc_halt;"
>>>>>>> #endif
>>>>>>> 3. Boot Script can contain esbc_validate commands and bootm command.
>>>>>>> Uboot source command used in default secure boot command will run
>>>>>>> the bootscript.
>>>>>>> 4. Command esbc_halt added to ensure either bootm executes after
>>>>>>> validation of images or core should just spin.
>>>>>>>
>>>>>> What's the purpose of "esbc_halt"? Once it enters the spin, how to
>>>>>> get it out?
>>>>> The purpose of bootscript is to validate the next level images and then
>>>> pass control to it, so bootscript must contain a bootm command. We don't
>>>> expect control to return back to u-boot. Hence a command esbc_halt is
>>>> introduced which would make the core spin and not provide uboot prompt in
>>>> case bootscript doesn't pass control to next level image.
>>>>> For secure chain of trust, only validated bootscript should be allowed to
>>>> execute and be responsible for passing control to next level image.
>>>>>
>>>>
>>>> Ruchika,
>>>>
>>>> Do you expect secure boot to run automatically once u-boot reaches the prompt
>>>> and the "source $img_addr" to actually boot the OS? You put "esbc_halt" as a
>>>> fall-back to catch failure above? It doesn't sound very secure to me.
>>>
>>> The bootscript is first validated. Only an authenticated user, who has the
>>> private key, can sign the bootscript. Thus validating the bootscript is
>>> important in the secure boot chain of trust.
>>>
>>> You are right regarding the fallback as esbc_halt. In the esbc_halt
>>> implementation, we will add code to clear security secrets on the chip,
>>> and issue a reset. We will send a separate patch for that.
>>>
>>
>> Wouldn't it be possible to call a reset/hang/panic when the validation fails,
>> before "source $img_addr"?
>
> I'd assume it already has that, but it's still good to have something to
> deal with the case where the script returns due to some failure.
>

If that's the case, I am OK with the addition of the "esbc_halt" command.

York