[U-Boot,1/3] arm: imx-common: add SECURE_BOOT option to Kconfig

Message ID 1471989321-25280-2-git-send-email-gary.bisson@boundarydevices.com
State Superseded
Delegated to: Stefano Babic

Commit Message

Gary Bisson Aug. 23, 2016, 9:55 p.m. UTC
So the option can easily be selected through menuconfig.

Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
---
 arch/arm/imx-common/Kconfig | 9 +++++++++
 1 file changed, 9 insertions(+)

Comments

Eric Nelson Aug. 24, 2016, 12:24 a.m. UTC | #1
Nicely done Gary!

On 08/23/2016 02:55 PM, Gary Bisson wrote:
> So the option can easily be selected through menuconfig.
> 
> Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
> ---
>  arch/arm/imx-common/Kconfig | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig
> index 1b7da5a..5ee230e 100644
> --- a/arch/arm/imx-common/Kconfig
> +++ b/arch/arm/imx-common/Kconfig
> @@ -17,3 +17,12 @@ config IMX_BOOTAUX
>  	depends on ARCH_MX7 || ARCH_MX6
>  	help
>  	  bootaux [addr] to boot auxiliary core.
> +
> +config SECURE_BOOT
> +	bool "Support i.MX HAB features"
> +	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
> +	help
> +	  This option enables the support for secure boot (HAB) which
> +	  includes adding a CSF section to the final imx image and
                   ^^^
This doesn't add a CSF section.

Perhaps this should say "can enable a conditional section of an
i.MX configuration (.cfg) file when producing an imx image".

> +	  some security-related commands such as 'hab_status'.
> +	  See doc/README.mxc_hab for more details.
> 

You should probably include a note in README.mxc_hab about use
in .cfg files.

Gary Bisson Aug. 24, 2016, 10:12 a.m. UTC | #2
Hi Eric, all,

On Tue, Aug 23, 2016 at 05:24:48PM -0700, Eric Nelson wrote:
> Nicely done Gary!
> 
> On 08/23/2016 02:55 PM, Gary Bisson wrote:
> > So the option can easily be selected through menuconfig.
> > 
> > Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
> > ---
> >  arch/arm/imx-common/Kconfig | 9 +++++++++
> >  1 file changed, 9 insertions(+)
> > 
> > diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig
> > index 1b7da5a..5ee230e 100644
> > --- a/arch/arm/imx-common/Kconfig
> > +++ b/arch/arm/imx-common/Kconfig
> > @@ -17,3 +17,12 @@ config IMX_BOOTAUX
> >  	depends on ARCH_MX7 || ARCH_MX6
> >  	help
> >  	  bootaux [addr] to boot auxiliary core.
> > +
> > +config SECURE_BOOT
> > +	bool "Support i.MX HAB features"
> > +	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
> > +	help
> > +	  This option enables the support for secure boot (HAB) which
> > +	  includes adding a CSF section to the final imx image and
>                    ^^^
> This doesn't add a CSF section.
> 
> Perhaps this should say "can enable a conditional section of an
> i.MX configuration (.cfg) file when producing an imx image".

Well now that you pointed out this sentence, I realize that it doesn't
even "add" the section per se, it just declares it in the IVT header.
It is then up to you to create and concatenate the CSF binary to the
u-boot.imx image.

For those not familiar with HAB:
https://boundarydevices.com/high-assurance-boot-hab-dummies/

Maybe in V2 I should keep it simple and just point to the README:
This option enables the support for secure boot (HAB).
See doc/README.mxc_hab for more details.

> > +	  some security-related commands such as 'hab_status'.
> > +	  See doc/README.mxc_hab for more details.
> > 
> 
> You should probably include a note in README.mxc_hab about use
> in .cfg files.

Yes that is a good point, will do in V2.

Regards,
Gary
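
The check below is an added example, not part of the thread or of U-Boot: it reads the IVT at the start of an imx image and reports whether a CSF is only declared in the IVT or is actually present at the declared offset. It assumes the IVT sits at file offset 0 (as in u-boot.imx) and the HAB v4 IVT layout; the function names, load addresses and sample images are constructed for illustration.

```python
import struct

IVT_TAG, CSF_TAG = 0xD1, 0xD4   # HAB header tags for IVT and CSF
IVT_LEN = 0x20                  # 4-byte header + seven 32-bit words


def check_csf(image: bytes) -> str:
    """Classify an imx image by what its IVT says about the CSF."""
    if len(image) < IVT_LEN:
        return "no-ivt"
    tag, length, _version = struct.unpack_from(">BHB", image, 0)
    if tag != IVT_TAG or length != IVT_LEN:
        return "no-ivt"
    # Words: entry, reserved1, dcd, boot_data, self, csf, reserved2
    words = struct.unpack_from("<7I", image, 4)
    self_ptr, csf_ptr = words[4], words[5]
    if csf_ptr == 0:
        return "csf-not-declared"
    off = csf_ptr - self_ptr    # load address -> offset inside the file
    if off < IVT_LEN or off + 4 > len(image) or image[off] != CSF_TAG:
        return "csf-declared-but-missing"
    return "csf-present"


def make_image(csf_ptr: int, body_len: int, append_csf: bool = False) -> bytes:
    """Constructed sample image: IVT, zero padding, optional CSF header."""
    self_ptr = 0x877FF400       # constructed load address of the IVT
    ivt = struct.pack(">BHB", IVT_TAG, IVT_LEN, 0x40) + struct.pack(
        "<7I", 0x87800000, 0, 0, self_ptr + IVT_LEN, self_ptr, csf_ptr, 0)
    img = ivt + bytes(body_len - IVT_LEN)
    if append_csf:
        img += struct.pack(">BHB", CSF_TAG, 0x0050, 0x40)
    return img


if __name__ == "__main__":
    samples = {
        "option off": make_image(0, 0x1000),
        "declared only": make_image(0x87800400, 0x1000),
        "csf appended": make_image(0x87800400, 0x1000, append_csf=True),
    }
    for name, img in samples.items():
        print(f"{name}: {check_csf(img)}")
```

A "csf-present" result only means a CSF header sits where the IVT points; it does not validate the signature, which is HAB's job at boot.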

Eric Nelson Aug. 24, 2016, 1:13 p.m. UTC | #3
Hi Gary,

On 08/24/2016 03:12 AM, Gary Bisson wrote:
> Hi Eric, all,
> 
> On Tue, Aug 23, 2016 at 05:24:48PM -0700, Eric Nelson wrote:
>> Nicely done Gary!
>>
>> On 08/23/2016 02:55 PM, Gary Bisson wrote:
>>> So the option can easily be selected through menuconfig.
>>>
>>> Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
>>> ---
>>>  arch/arm/imx-common/Kconfig | 9 +++++++++
>>>  1 file changed, 9 insertions(+)
>>>
>>> diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig
>>> index 1b7da5a..5ee230e 100644
>>> --- a/arch/arm/imx-common/Kconfig
>>> +++ b/arch/arm/imx-common/Kconfig
>>> @@ -17,3 +17,12 @@ config IMX_BOOTAUX
>>>  	depends on ARCH_MX7 || ARCH_MX6
>>>  	help
>>>  	  bootaux [addr] to boot auxiliary core.
>>> +
>>> +config SECURE_BOOT
>>> +	bool "Support i.MX HAB features"
>>> +	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
>>> +	help
>>> +	  This option enables the support for secure boot (HAB) which
>>> +	  includes adding a CSF section to the final imx image and
>>                    ^^^
>> This doesn't add a CSF section.
>>
>> Perhaps this should say "can enable a conditional section of an
>> i.MX configuration (.cfg) file when producing an imx image".
> 
> Well now that you pointed out this sentence, I realize that it doesn't
> even "add" the section per se, it just declares it in the IVT header.
> It is then up to you to create and concatenate the CSF binary to the
> u-boot.imx image.
> 
> For those not familiar with HAB:
> https://boundarydevices.com/high-assurance-boot-hab-dummies/
> 

Nice!

> Maybe in V2 I should keep it simple and just point to the README:
>
> 	This option enables the support for secure boot (HAB).
> 	See doc/README.mxc_hab for more details.
>

Perfect.

I think most folks only glance at the help while in menuconfig
and README.mxc_hab is a better place for background.

>>> +	  some security-related commands such as 'hab_status'.
>>> +	  See doc/README.mxc_hab for more details.
>>>
>>
>> You should probably include a note in README.mxc_hab about use
>> in .cfg files.
> 
> Yes that is a good point, will do in V2.
> 
> Regards,
> Gary
>

Patch

diff --git a/arch/arm/imx-common/Kconfig b/arch/arm/imx-common/Kconfig
index 1b7da5a..5ee230e 100644
--- a/arch/arm/imx-common/Kconfig
+++ b/arch/arm/imx-common/Kconfig
@@ -17,3 +17,12 @@  config IMX_BOOTAUX
 	depends on ARCH_MX7 || ARCH_MX6
 	help
 	  bootaux [addr] to boot auxiliary core.
+
+config SECURE_BOOT
+	bool "Support i.MX HAB features"
+	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
+	help
+	  This option enables the support for secure boot (HAB) which
+	  includes adding a CSF section to the final imx image and
+	  some security-related commands such as 'hab_status'.
+	  See doc/README.mxc_hab for more details.
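
Review bot: The help text line "includes adding a CSF section to the final imx image" in the new SECURE_BOOT entry promises more than the option delivers. As the thread establishes, the option only declares the CSF in the IVT header, and the CSF binary still has to be created and concatenated to u-boot.imx as a separate step, so someone enabling this from menuconfig could assume the resulting image is already signed. Suggest the shorter wording proposed for V2 ("This option enables the support for secure boot (HAB). See doc/README.mxc_hab for more details."), with the signing step and the .cfg usage described in README.mxc_hab.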