diff mbox

[U-Boot] Add bootscript support to esbc_validate.

Message ID 1425976730-14526-1-git-send-email-gaurav.rana@freescale.com
State Accepted
Delegated to: York Sun
Headers show

Commit Message

gaurav rana March 10, 2015, 8:38 a.m. UTC 
1. Default environment will be used for secure boot flow
 which can't be edited or saved.
2. Command for secure boot is predefined in the default
 environment which will run on autoboot (and autoboot is
 the only option allowed in case of secure boot) and it
 looks like this:
 #define CONFIG_SECBOOT \
 "setenv bs_hdraddr 0xe8e00000;"                 \
 "esbc_validate $bs_hdraddr;"                    \
 "source $img_addr;"                             \
 "esbc_halt;"
 #endif
3. Boot Script can contain esbc_validate commands and bootm command.
 Uboot source command used in default secure boot command will
 run the bootscript.
4. Command esbc_halt added to ensure either bootm executes
 after validation of images or core should just spin.

Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
Signed-off-by: Gaurav Rana <gaurav.rana@freescale.com>
---
 arch/arm/include/asm/fsl_secure_boot.h     | 25 +++++++++
 arch/powerpc/include/asm/fsl_secure_boot.h | 19 +++++++
 board/freescale/common/cmd_esbc_validate.c | 16 ++++++
 include/config_fsl_secboot.h               | 89 ++++++++++++++++++++++++++++++
 include/configs/ls1021aqds.h               |  1 +
 5 files changed, 150 insertions(+)
 create mode 100644 arch/arm/include/asm/fsl_secure_boot.h
 create mode 100644 include/config_fsl_secboot.h

Comments

York Sun March 10, 2015, 4:15 p.m. UTC | #1 
On 03/10/2015 01:38 AM, Gaurav Rana wrote:
> 1. Default environment will be used for secure boot flow
>  which can't be edited or saved.
> 2. Command for secure boot is predefined in the default
>  environment which will run on autoboot (and autoboot is
>  the only option allowed in case of secure boot) and it
>  looks like this:
>  #define CONFIG_SECBOOT \
>  "setenv bs_hdraddr 0xe8e00000;"                 \
>  "esbc_validate $bs_hdraddr;"                    \
>  "source $img_addr;"                             \
>  "esbc_halt;"
>  #endif
> 3. Boot Script can contain esbc_validate commands and bootm command.
>  Uboot source command used in default secure boot command will
>  run the bootscript.
> 4. Command esbc_halt added to ensure either bootm executes
>  after validation of images or core should just spin.
>
What's the purpose of "esbc_halt"? Once it enters the spin, how to get it out?

York
Ruchika Gupta March 10, 2015, 4:25 p.m. UTC | #2 
Hi York,

> -----Original Message-----
> From: Sun York-R58495
> Sent: Tuesday, March 10, 2015 9:45 PM
> To: Rana Gaurav-B46163; u-boot@lists.denx.de
> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
> 
> 
> 
> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
> > 1. Default environment will be used for secure boot flow  which can't
> > be edited or saved.
> > 2. Command for secure boot is predefined in the default  environment
> > which will run on autoboot (and autoboot is  the only option allowed
> > in case of secure boot) and it  looks like this:
> >  #define CONFIG_SECBOOT \
> >  "setenv bs_hdraddr 0xe8e00000;"                 \
> >  "esbc_validate $bs_hdraddr;"                    \
> >  "source $img_addr;"                             \
> >  "esbc_halt;"
> >  #endif
> > 3. Boot Script can contain esbc_validate commands and bootm command.
> >  Uboot source command used in default secure boot command will  run
> > the bootscript.
> > 4. Command esbc_halt added to ensure either bootm executes  after
> > validation of images or core should just spin.
> >
> What's the purpose of "esbc_halt"? Once it enters the spin, how to get it
> out?
The purpose of bootscript is to validate the next level images and then pass control to it, so bootscript must contain a bootm command. We don't expect control to return back to u-boot. Hence a command esbc_halt is introduced which would make the core spin and not provide uboot prompt in case bootscript doesn't pass control to next level image. 
For secure chain of trust, only validated bootscript should be allowed to execute and be responsible for passing control to next level image.

Ruchika
> 
> York
York Sun March 10, 2015, 4:32 p.m. UTC | #3 
On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote:
> Hi York,
> 
>> -----Original Message-----
>> From: Sun York-R58495
>> Sent: Tuesday, March 10, 2015 9:45 PM
>> To: Rana Gaurav-B46163; u-boot@lists.denx.de
>> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
>>
>>
>>
>> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
>>> 1. Default environment will be used for secure boot flow  which can't
>>> be edited or saved.
>>> 2. Command for secure boot is predefined in the default  environment
>>> which will run on autoboot (and autoboot is  the only option allowed
>>> in case of secure boot) and it  looks like this:
>>>  #define CONFIG_SECBOOT \
>>>  "setenv bs_hdraddr 0xe8e00000;"                 \
>>>  "esbc_validate $bs_hdraddr;"                    \
>>>  "source $img_addr;"                             \
>>>  "esbc_halt;"
>>>  #endif
>>> 3. Boot Script can contain esbc_validate commands and bootm command.
>>>  Uboot source command used in default secure boot command will  run
>>> the bootscript.
>>> 4. Command esbc_halt added to ensure either bootm executes  after
>>> validation of images or core should just spin.
>>>
>> What's the purpose of "esbc_halt"? Once it enters the spin, how to get it
>> out?
> The purpose of bootscript is to validate the next level images and then pass control to it, so bootscript must contain a bootm command. We don't expect control to return back to u-boot. Hence a command esbc_halt is introduced which would make the core spin and not provide uboot prompt in case bootscript doesn't pass control to next level image. 
> For secure chain of trust, only validated bootscript should be allowed to execute and be responsible for passing control to next level image.
> 

Ruchika,

Do you expect secure boot to run automatically once u-boot reaches the prompt
and the "source $img_addr" to actually boot the OS? You put "esbc_halt" as a
fall-back to catch failure above? It doesn't sounds very secure to me.

I am hoping other reviewers can chime in and give comments.

York
Ruchika Gupta March 11, 2015, 10:39 a.m. UTC | #4 
Hi York,

> -----Original Message-----
> From: Sun York-R58495
> Sent: Tuesday, March 10, 2015 10:03 PM
> To: Gupta Ruchika-R66431; Rana Gaurav-B46163; u-boot@lists.denx.de
> Cc: Wood Scott-B07421; Bansal Aneesh-B39320
> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
> 
> On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote:
> > Hi York,
> >
> >> -----Original Message-----
> >> From: Sun York-R58495
> >> Sent: Tuesday, March 10, 2015 9:45 PM
> >> To: Rana Gaurav-B46163; u-boot@lists.denx.de
> >> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
> >> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
> >>
> >>
> >>
> >> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
> >>> 1. Default environment will be used for secure boot flow  which
> >>> can't be edited or saved.
> >>> 2. Command for secure boot is predefined in the default  environment
> >>> which will run on autoboot (and autoboot is  the only option allowed
> >>> in case of secure boot) and it  looks like this:
> >>>  #define CONFIG_SECBOOT \
> >>>  "setenv bs_hdraddr 0xe8e00000;"                 \
> >>>  "esbc_validate $bs_hdraddr;"                    \
> >>>  "source $img_addr;"                             \
> >>>  "esbc_halt;"
> >>>  #endif
> >>> 3. Boot Script can contain esbc_validate commands and bootm command.
> >>>  Uboot source command used in default secure boot command will  run
> >>> the bootscript.
> >>> 4. Command esbc_halt added to ensure either bootm executes  after
> >>> validation of images or core should just spin.
> >>>
> >> What's the purpose of "esbc_halt"? Once it enters the spin, how to
> >> get it out?
> > The purpose of bootscript is to validate the next level images and then
> pass control to it, so bootscript must contain a bootm command. We don't
> expect control to return back to u-boot. Hence a command esbc_halt is
> introduced which would make the core spin and not provide uboot prompt in
> case bootscript doesn't pass control to next level image.
> > For secure chain of trust, only validated bootscript should be allowed to
> execute and be responsible for passing control to next level image.
> >
> 
> Ruchika,
> 
> Do you expect secure boot to run automatically once u-boot reaches the prompt
> and the "source $img_addr" to actually boot the OS? You put "esbc_halt" as a
> fall-back to catch failure above? It doesn't sounds very secure to me.

The bootscript is first validated. Only an authenticated user, who has the private key can sign the bootscript. Thus validating bootscript is important in secure boot chain of trust. 

You are right regarding fallback as esbc_halt. In the esbc_halt implementation, we will add code to clear security secrets on the chip, and issue a reset. We will send a separate patch for that.

Ruchika

> 
> I am hoping other reviewers can chime in and give comments.
> 
> York
York Sun March 11, 2015, 5:50 p.m. UTC | #5 
On 03/11/2015 03:39 AM, Gupta Ruchika-R66431 wrote:
> Hi York,
> 
>> -----Original Message-----
>> From: Sun York-R58495
>> Sent: Tuesday, March 10, 2015 10:03 PM
>> To: Gupta Ruchika-R66431; Rana Gaurav-B46163; u-boot@lists.denx.de
>> Cc: Wood Scott-B07421; Bansal Aneesh-B39320
>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
>>
>> On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote:
>>> Hi York,
>>>
>>>> -----Original Message-----
>>>> From: Sun York-R58495
>>>> Sent: Tuesday, March 10, 2015 9:45 PM
>>>> To: Rana Gaurav-B46163; u-boot@lists.denx.de
>>>> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
>>>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
>>>>
>>>>
>>>>
>>>> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
>>>>> 1. Default environment will be used for secure boot flow  which
>>>>> can't be edited or saved.
>>>>> 2. Command for secure boot is predefined in the default  environment
>>>>> which will run on autoboot (and autoboot is  the only option allowed
>>>>> in case of secure boot) and it  looks like this:
>>>>>  #define CONFIG_SECBOOT \
>>>>>  "setenv bs_hdraddr 0xe8e00000;"                 \
>>>>>  "esbc_validate $bs_hdraddr;"                    \
>>>>>  "source $img_addr;"                             \
>>>>>  "esbc_halt;"
>>>>>  #endif
>>>>> 3. Boot Script can contain esbc_validate commands and bootm command.
>>>>>  Uboot source command used in default secure boot command will  run
>>>>> the bootscript.
>>>>> 4. Command esbc_halt added to ensure either bootm executes  after
>>>>> validation of images or core should just spin.
>>>>>
>>>> What's the purpose of "esbc_halt"? Once it enters the spin, how to
>>>> get it out?
>>> The purpose of bootscript is to validate the next level images and then
>> pass control to it, so bootscript must contain a bootm command. We don't
>> expect control to return back to u-boot. Hence a command esbc_halt is
>> introduced which would make the core spin and not provide uboot prompt in
>> case bootscript doesn't pass control to next level image.
>>> For secure chain of trust, only validated bootscript should be allowed to
>> execute and be responsible for passing control to next level image.
>>>
>>
>> Ruchika,
>>
>> Do you expect secure boot to run automatically once u-boot reaches the prompt
>> and the "source $img_addr" to actually boot the OS? You put "esbc_halt" as a
>> fall-back to catch failure above? It doesn't sounds very secure to me.
> 
> The bootscript is first validated. Only an authenticated user, who has the private key can sign the bootscript. Thus validating bootscript is important in secure boot chain of trust. 
> 
> You are right regarding fallback as esbc_halt. In the esbc_halt implementation, we will add code to clear security secrets on the chip, and issue a reset. We will send a separate patch for that.
> 

Wouldn't it be possible to call a reset/hang/panic when the validation fails,
before "source $img_addr"?

York
Scott Wood March 11, 2015, 6:44 p.m. UTC | #6 
On Wed, 2015-03-11 at 10:50 -0700, York Sun wrote:
> 
> On 03/11/2015 03:39 AM, Gupta Ruchika-R66431 wrote:
> > Hi York,
> > 
> >> -----Original Message-----
> >> From: Sun York-R58495
> >> Sent: Tuesday, March 10, 2015 10:03 PM
> >> To: Gupta Ruchika-R66431; Rana Gaurav-B46163; u-boot@lists.denx.de
> >> Cc: Wood Scott-B07421; Bansal Aneesh-B39320
> >> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
> >>
> >> On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote:
> >>> Hi York,
> >>>
> >>>> -----Original Message-----
> >>>> From: Sun York-R58495
> >>>> Sent: Tuesday, March 10, 2015 9:45 PM
> >>>> To: Rana Gaurav-B46163; u-boot@lists.denx.de
> >>>> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
> >>>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
> >>>>
> >>>>
> >>>>
> >>>> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
> >>>>> 1. Default environment will be used for secure boot flow  which
> >>>>> can't be edited or saved.
> >>>>> 2. Command for secure boot is predefined in the default  environment
> >>>>> which will run on autoboot (and autoboot is  the only option allowed
> >>>>> in case of secure boot) and it  looks like this:
> >>>>>  #define CONFIG_SECBOOT \
> >>>>>  "setenv bs_hdraddr 0xe8e00000;"                 \
> >>>>>  "esbc_validate $bs_hdraddr;"                    \
> >>>>>  "source $img_addr;"                             \
> >>>>>  "esbc_halt;"
> >>>>>  #endif
> >>>>> 3. Boot Script can contain esbc_validate commands and bootm command.
> >>>>>  Uboot source command used in default secure boot command will  run
> >>>>> the bootscript.
> >>>>> 4. Command esbc_halt added to ensure either bootm executes  after
> >>>>> validation of images or core should just spin.
> >>>>>
> >>>> What's the purpose of "esbc_halt"? Once it enters the spin, how to
> >>>> get it out?
> >>> The purpose of bootscript is to validate the next level images and then
> >> pass control to it, so bootscript must contain a bootm command. We don't
> >> expect control to return back to u-boot. Hence a command esbc_halt is
> >> introduced which would make the core spin and not provide uboot prompt in
> >> case bootscript doesn't pass control to next level image.
> >>> For secure chain of trust, only validated bootscript should be allowed to
> >> execute and be responsible for passing control to next level image.
> >>>
> >>
> >> Ruchika,
> >>
> >> Do you expect secure boot to run automatically once u-boot reaches the prompt
> >> and the "source $img_addr" to actually boot the OS? You put "esbc_halt" as a
> >> fall-back to catch failure above? It doesn't sounds very secure to me.
> > 
> > The bootscript is first validated. Only an authenticated user, who has the private key can sign the bootscript. Thus validating bootscript is important in secure boot chain of trust. 
> > 
> > You are right regarding fallback as esbc_halt. In the esbc_halt implementation, we will add code to clear security secrets on the chip, and issue a reset. We will send a separate patch for that.
> > 
> 
> Wouldn't it be possible to call a reset/hang/panic when the validation fails,
> before "source $img_addr"?

I'd assume it already has that, but it's still good to have something to
deal with the case where the script returns due to some failure.

-Scott
York Sun March 11, 2015, 6:47 p.m. UTC | #7 
On 03/11/2015 11:44 AM, Scott Wood wrote:
> On Wed, 2015-03-11 at 10:50 -0700, York Sun wrote:
>>
>> On 03/11/2015 03:39 AM, Gupta Ruchika-R66431 wrote:
>>> Hi York,
>>>
>>>> -----Original Message-----
>>>> From: Sun York-R58495
>>>> Sent: Tuesday, March 10, 2015 10:03 PM
>>>> To: Gupta Ruchika-R66431; Rana Gaurav-B46163; u-boot@lists.denx.de
>>>> Cc: Wood Scott-B07421; Bansal Aneesh-B39320
>>>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
>>>>
>>>> On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote:
>>>>> Hi York,
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Sun York-R58495
>>>>>> Sent: Tuesday, March 10, 2015 9:45 PM
>>>>>> To: Rana Gaurav-B46163; u-boot@lists.denx.de
>>>>>> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
>>>>>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
>>>>>>> 1. Default environment will be used for secure boot flow  which
>>>>>>> can't be edited or saved.
>>>>>>> 2. Command for secure boot is predefined in the default  environment
>>>>>>> which will run on autoboot (and autoboot is  the only option allowed
>>>>>>> in case of secure boot) and it  looks like this:
>>>>>>>  #define CONFIG_SECBOOT \
>>>>>>>  "setenv bs_hdraddr 0xe8e00000;"                 \
>>>>>>>  "esbc_validate $bs_hdraddr;"                    \
>>>>>>>  "source $img_addr;"                             \
>>>>>>>  "esbc_halt;"
>>>>>>>  #endif
>>>>>>> 3. Boot Script can contain esbc_validate commands and bootm command.
>>>>>>>  Uboot source command used in default secure boot command will  run
>>>>>>> the bootscript.
>>>>>>> 4. Command esbc_halt added to ensure either bootm executes  after
>>>>>>> validation of images or core should just spin.
>>>>>>>
>>>>>> What's the purpose of "esbc_halt"? Once it enters the spin, how to
>>>>>> get it out?
>>>>> The purpose of bootscript is to validate the next level images and then
>>>> pass control to it, so bootscript must contain a bootm command. We don't
>>>> expect control to return back to u-boot. Hence a command esbc_halt is
>>>> introduced which would make the core spin and not provide uboot prompt in
>>>> case bootscript doesn't pass control to next level image.
>>>>> For secure chain of trust, only validated bootscript should be allowed to
>>>> execute and be responsible for passing control to next level image.
>>>>>
>>>>
>>>> Ruchika,
>>>>
>>>> Do you expect secure boot to run automatically once u-boot reaches the prompt
>>>> and the "source $img_addr" to actually boot the OS? You put "esbc_halt" as a
>>>> fall-back to catch failure above? It doesn't sounds very secure to me.
>>>
>>> The bootscript is first validated. Only an authenticated user, who has the private key can sign the bootscript. Thus validating bootscript is important in secure boot chain of trust. 
>>>
>>> You are right regarding fallback as esbc_halt. In the esbc_halt implementation, we will add code to clear security secrets on the chip, and issue a reset. We will send a separate patch for that.
>>>
>>
>> Wouldn't it be possible to call a reset/hang/panic when the validation fails,
>> before "source $img_addr"?
> 
> I'd assume it already has that, but it's still good to have something to
> deal with the case where the script returns due to some failure.
> 

If that's the case, I am OK with the addition of "esbc_halt" command.

York
York Sun April 23, 2015, 11:26 p.m. UTC | #8 
On 03/10/2015 01:38 AM, Gaurav Rana wrote:
> 1. Default environment will be used for secure boot flow
>  which can't be edited or saved.
> 2. Command for secure boot is predefined in the default
>  environment which will run on autoboot (and autoboot is
>  the only option allowed in case of secure boot) and it
>  looks like this:
>  #define CONFIG_SECBOOT \
>  "setenv bs_hdraddr 0xe8e00000;"                 \
>  "esbc_validate $bs_hdraddr;"                    \
>  "source $img_addr;"                             \
>  "esbc_halt;"
>  #endif
> 3. Boot Script can contain esbc_validate commands and bootm command.
>  Uboot source command used in default secure boot command will
>  run the bootscript.
> 4. Command esbc_halt added to ensure either bootm executes
>  after validation of images or core should just spin.
> 
> Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
> Signed-off-by: Gaurav Rana <gaurav.rana@freescale.com>
> ---

Applied to fsl-qoriq master, awaiting upstream.

York
diff mbox

Patch

diff --git a/arch/arm/include/asm/fsl_secure_boot.h b/arch/arm/include/asm/fsl_secure_boot.h
new file mode 100644
index 0000000..f097c81
--- /dev/null
+++ b/arch/arm/include/asm/fsl_secure_boot.h
@@ -0,0 +1,25 @@ 
+/*
+ * Copyright 2015 Freescale Semiconductor, Inc.
+ *
+ * SPDX-License-Identifier:	GPL-2.0+
+ */
+
+#ifndef __FSL_SECURE_BOOT_H
+#define __FSL_SECURE_BOOT_H
+
+#ifdef CONFIG_SECURE_BOOT
+#ifndef CONFIG_FIT_SIGNATURE
+
+#define CONFIG_EXTRA_ENV \
+	"setenv fdt_high 0xcfffffff;"	\
+	"setenv initrd_high 0xcfffffff;"	\
+	"setenv hwconfig \'fsl_ddr:ctlr_intlv=null,bank_intlv=null\';"
+
+/* The address needs to be modified according to NOR memory map */
+#define CONFIG_BOOTSCRIPT_HDR_ADDR	0x600a0000
+
+#include <config_fsl_secboot.h>
+#endif
+#endif
+
+#endif
diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h b/arch/powerpc/include/asm/fsl_secure_boot.h
index 49f6814..8f794ef 100644
--- a/arch/powerpc/include/asm/fsl_secure_boot.h
+++ b/arch/powerpc/include/asm/fsl_secure_boot.h
@@ -67,5 +67,24 @@ 
 #define CONFIG_FSL_ISBC_KEY_EXT
 #endif
 
+#ifndef CONFIG_FIT_SIGNATURE
+/* The bootscript header address is different for B4860 because the NOR
+ * mapping is different on B4 due to reduced NOR size.
+ */
+#if defined(CONFIG_B4860QDS)
+#define CONFIG_BOOTSCRIPT_HDR_ADDR	0xecc00000
+#elif defined(CONFIG_FSL_CORENET)
+#define CONFIG_BOOTSCRIPT_HDR_ADDR	0xe8e00000
+#elif defined(CONFIG_BSC9132QDS)
+#define CONFIG_BOOTSCRIPT_HDR_ADDR	0x88020000
+#elif defined(CONFIG_C29XPCIE)
+#define CONFIG_BOOTSCRIPT_HDR_ADDR	0xec020000
+#else
+#define CONFIG_BOOTSCRIPT_HDR_ADDR	0xee020000
+#endif
+
+#include <config_fsl_secboot.h>
+#endif
+
 #endif
 #endif
diff --git a/board/freescale/common/cmd_esbc_validate.c b/board/freescale/common/cmd_esbc_validate.c
index 8500ba5..8bbe85b 100644
--- a/board/freescale/common/cmd_esbc_validate.c
+++ b/board/freescale/common/cmd_esbc_validate.c
@@ -8,6 +8,16 @@ 
 #include <command.h>
 #include <fsl_validate.h>
 
+static int do_esbc_halt(cmd_tbl_t *cmdtp, int flag, int argc,
+				char * const argv[])
+{
+	printf("Core is entering spin loop.\n");
+loop:
+	goto loop;
+
+	return 0;
+}
+
 static int do_esbc_validate(cmd_tbl_t *cmdtp, int flag, int argc,
 				char * const argv[])
 {
@@ -32,3 +42,9 @@  U_BOOT_CMD(
 	"Validates signature on a given image using RSA verification",
 	esbc_validate_help_text
 );
+
+U_BOOT_CMD(
+	esbc_halt,	1,	0,	do_esbc_halt,
+	"Put the core in spin loop ",
+	""
+);
diff --git a/include/config_fsl_secboot.h b/include/config_fsl_secboot.h
new file mode 100644
index 0000000..050b157
--- /dev/null
+++ b/include/config_fsl_secboot.h
@@ -0,0 +1,89 @@ 
+/*
+ * Copyright 2015 Freescale Semiconductor, Inc.
+ *
+ * SPDX-License-Identifier:	GPL-2.0+
+ */
+
+#ifndef __CONFIG_FSL_SECBOOT_H
+#define __CONFIG_FSL_SECBOOT_H
+
+#ifdef CONFIG_SECURE_BOOT
+
+#ifndef CONFIG_CMD_ESBC_VALIDATE
+#define CONFIG_CMD_ESBC_VALIDATE
+#endif
+
+#ifndef CONFIG_EXTRA_ENV
+#define CONFIG_EXTRA_ENV	""
+#endif
+
+/*
+ * Control should not reach back to uboot after validation of images
+ * for secure boot flow and therefore bootscript should have
+ * the bootm command. If control reaches back to uboot anyhow
+ * after validating images, core should just spin.
+ */
+
+/*
+ * Define the key hash for boot script here if public/private key pair used to
+ * sign bootscript are different from the SRK hash put in the fuse
+ * Example of defining KEY_HASH is
+ * #define CONFIG_BOOTSCRIPT_KEY_HASH \
+ *	 "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
+ */
+
+#ifdef CONFIG_BOOTSCRIPT_KEY_HASH
+#define CONFIG_SECBOOT \
+	"setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
+	"setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 "	\
+	"ramdisk_size=600000\';"	\
+	CONFIG_EXTRA_ENV	\
+	"esbc_validate $bs_hdraddr " \
+	  __stringify(CONFIG_BOOTSCRIPT_KEY_HASH)";" \
+	"source $img_addr;"	\
+	"esbc_halt\0"
+#else
+#define CONFIG_SECBOOT \
+	"setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
+	"setenv bootargs \'root=/dev/ram rw console=ttyS0,115200 "	\
+	"ramdisk_size=600000\';"	\
+	CONFIG_EXTRA_ENV	\
+	"esbc_validate $bs_hdraddr;" \
+	"source $img_addr;"	\
+	"esbc_halt\0"
+#endif
+
+/* For secure boot flow, default environment used will be used */
+#if defined(CONFIG_SYS_RAMBOOT)
+#if defined(CONFIG_RAMBOOT_SPIFLASH)
+#undef CONFIG_ENV_IS_IN_SPI_FLASH
+#elif defined(CONFIG_RAMBOOT_NAND)
+#undef CONFIG_ENV_IS_IN_NAND
+#elif defined(CONFIG_RAMBOOT_SDCARD)
+#undef CONFIG_ENV_IS_IN_MMC
+#endif
+#else /*CONFIG_SYS_RAMBOOT*/
+#undef CONFIG_ENV_IS_IN_FLASH
+#endif
+
+#define CONFIG_ENV_IS_NOWHERE
+
+/*
+ * We don't want boot delay for secure boot flow
+ * before autoboot starts
+ */
+#undef CONFIG_BOOTDELAY
+#define CONFIG_BOOTDELAY	0
+#undef CONFIG_BOOTCOMMAND
+#define CONFIG_BOOTCOMMAND		CONFIG_SECBOOT
+
+/*
+ * CONFIG_ZERO_BOOTDELAY_CHECK should not be defined for
+ * secure boot flow as defining this would enable a user to
+ * reach uboot prompt by pressing some key before start of
+ * autoboot
+ */
+#undef CONFIG_ZERO_BOOTDELAY_CHECK
+
+#endif
+#endif
diff --git a/include/configs/ls1021aqds.h b/include/configs/ls1021aqds.h
index 3dc4da3..ea7eb8a 100644
--- a/include/configs/ls1021aqds.h
+++ b/include/configs/ls1021aqds.h
@@ -656,6 +656,7 @@  unsigned long get_board_ddr_clk(void);
 
 #ifdef CONFIG_SECURE_BOOT
 #define CONFIG_CMD_BLOB
+#include <asm/fsl_secure_boot.h>
 #endif
 
 #endif