[U-Boot] [PATCH v2 0/7] Adds support for secure boot on Keystone SoCs (K2E)

[Srinivas, Madan <madans@ti.com>]

On 9/2/2016 12:25 AM, Lokesh Vutla wrote:
>
>
> On Thursday 01 September 2016 10:34 AM, Madan Srinivas wrote:
>> This series adds support for secure keystone family of devices, more
>> specifically for K2E (Edison).This work is similar to what has already
>> been done for the AM43xx and AM57xx SoCs and leverages much of the
>> infrastructure from them.
>>
>> The big difference here is the ROM on keystone2 devices does not provide
>> any APIs for image authentication. Rather, the image authentication and
>> decryption routines and other security functions are provided by
>> software and can run on the ARM in Trustzone as well as on secure DSPs.
>>
>> A component known as the boot monitor acts as they gateway to this secure
>> processing, and abstracts out the details from the public world. Unlike
>> OMAP class devices, where u-boot calls ROM APIs, u-boot calls into the boot-
>> monitor on keystone devices.
>>
>> Other than this difference, most of the secure framework for AMxx and
>> DRAxx devices have been re-used.
>>
>> Couple of other points to note :-
>>
>> 	-Support for SPL on secure keystone devices is still TBD,
>> 	so boot from SPI flash, which needs SPL, is not supported currently
>> 	on K2 devices.
>>
>> 	-A single image will work across all other boot media for secure K2
>> 	devices.
>
> Overall looks good to me. What happened to the early abort seen on H2 HS
> devices. How are you handling it?
>
> Thanks and regards,
> Lokesh
>
The early abort is being handled in the boot monitor code. When the 
abort handler is implemented in u-boot, we can remove it from the boot 
monitor.

Regards,
Madan
>>
>> Changes in v2:
>> - Corrects typo in commit message for PATCH 1/7 in this series
>> - The following changes are  made to mon.c based on review comments
>> 	Adds NULL pointer check before calling authentication interface
>> 	Removes an unnecessary printf
>> 	Updates size of signed FIT blob after post processing removes header
>> - Adds a new name for the signed output image in config_secure.mk
>>    to keep it in line with the image name used by non-secure keystone
>>    devices.
>> - Changes the target for secure keystone devices in config.mk
>>    to u-boot_HS_MLO to keep it in line with the MLO target that
>>    is built for non-secure keystone devices.
>> - Updates k2e_hs_evm_defconfig to reduce the delta seen if one
>>    regenerates it using savedefconfig or similar tools.
>>
>> Madan Srinivas (4):
>>    include: image.h: Fixes build warning with
>>      CONFIG_FIT_IMAGE_POST_PROCESS
>>    arm: omap-common: adds secure image name common to OMAP and keystone
>>    arm: mach-keystone: config.mk: Adds support for secure images on K2
>>    doc: Updates info on using keystone secure devices from TI
>>
>> Vitaly Andrianov (3):
>>    arm: mach-keystone: Implements FIT post-processing call for keystone
>>      SoCs
>>    arm: omap-common: Enable support for K2 HS devices in u-boot
>>    configs: Adds a defconfig for K2E High Security EVM
>>
>>   arch/arm/cpu/armv7/omap-common/Kconfig          |  2 +-
>>   arch/arm/cpu/armv7/omap-common/config_secure.mk |  6 +++
>>   arch/arm/mach-keystone/config.mk                |  6 +++
>>   arch/arm/mach-keystone/mon.c                    | 55 +++++++++++++++++++++++++
>>   configs/k2e_hs_evm_defconfig                    | 43 +++++++++++++++++++
>>   doc/README.ti-secure                            | 20 +++++++++
>>   include/image.h                                 |  3 +-
>>   7 files changed, 133 insertions(+), 2 deletions(-)
>>   create mode 100644 configs/k2e_hs_evm_defconfig
>>