From patchwork Fri Nov 17 01:16:18 2017
X-Patchwork-Submitter: Anatolij Gustschin
X-Patchwork-Id: 838831
X-Patchwork-Delegate: bmeng.cn@gmail.com
From: Anatolij Gustschin
To: u-boot@lists.denx.de
Date: Fri, 17 Nov 2017 02:16:18 +0100
Message-Id: <20171117011618.5969-1-agust@denx.de>
X-Mailer: git-send-email 2.11.0
Subject: [U-Boot] [PATCH v3 6/6] doc: x86: Add section about secure boot on Bay Trail

From: Markus Valentin

Add a short summary describing the preparations for enabling the secure boot
feature on the Bay Trail SoC.

Signed-off-by: Markus Valentin
Signed-off-by: Anatolij Gustschin
Reviewed-by: Simon Glass
---
Changes in v3:
- add commit message
- use 'U-Boot' consistently
- reword and improve text since binman is now used for image signing

 doc/README.x86 | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/doc/README.x86 b/doc/README.x86
index 772e8d2a86..b64158816b 100644
--- a/doc/README.x86
+++ b/doc/README.x86
@@ -1141,6 +1141,53 @@ provides the same EFI run-time services) is not currently supported on x86. See README.efi for details of EFI support in U-Boot. +Secure Boot for Bay Trail +------------------------- +U-Boot for Bay Trail based platforms supports booting in a verified manner using +the Trusted Execution Enginge (TXE). To enable secure boot you need to enable +the Kconfig option CONFIG_BAYTRAIL_SECURE_BOOT. + +The verification of U-Boot happens by a public key appended to the so called +Secure Boot Manifest. The manifest will be created by binman after building +the u-boot.rom image (by tools/binman/signing/baytrail.py script). binman +will generate "u-boot-verified.rom" image containing the manifest. This +image can be installed in SPI-NOR flash. + +To be able to perform a verified boot with U-Boot you need: + * A secure-boot-enabled FSP[18] which we can assemble with the BCT Tool[19] + (the secure-boot-enabled FSP should be placed as fsp-sb.bin in the + board directory) + * A OEM-keypair which we use to sign U-Boot. Create this yourself in the + build output directory like below: + mkdir keydir && \ + openssl req -batch -x509 -nodes -newkey rsa:2048 \ + -keyout 'keydir/oemkey.pem' -out 'keydir/pub_oemkey.pem' + When secure boot option is enabled, the signing script expects + the keys to be in the 'keydir' subdir in the build output directory. + * fpf_config.txt file in the build output directory. + Copy the original FpfConfigFile.txt file from the TXE Firmware Kit to + fpf_config.txt. When fpf_config.txt file is present, the binman will + update its fuse file entry with the actual hash of the public part of + the OEM signing key (FUSE_FILE_OEM_KEY_HASH_1:). The secure-boot-enable + fuse file entry (FUSE_FILE_SECURE_BOOT_EN:) will also be enabled. + The modified fuse register configuration file can be used by the Intel + FPT tool to write fuses (the FPT tool is provided in the TXE Firmware + Kit. 
To burn fuses run "FPT -writebatch fpf_config.txt" on the target). + +If these prerequisites are met, you can enable CONFIG_BAYTRAIL_SECURE_BOOT +option and build U-Boot. The following commands give an example flow for the +Congatec conga-QA3 SoM on QEVAL 2.0 evalboard: + make conga-qeval20-qa3-e3845-internal-uart-secure-boot_defconfig + make all + make u-boot.rom + +This creates "u-boot-verified.rom" image. It can be used as the normal +u-boot.rom. For enabling the verification you need to configure the OTP fuses +either by burning them by FPT tool or by using the FPF-Mirroring feature +for testing while development (see TXE Firmware Kit documentation for more +details). Further authentication (Kernel/DTB) can be done with the FIT image +mechanism. + 64-bit Support -------------- U-Boot supports booting a 64-bit kernel directly and is able to change to @@ -1183,3 +1230,5 @@ References [15] doc/device-tree-bindings/misc/intel,irq-router.txt [16] http://www.acpi.info [17] https://www.acpica.org/downloads +[18] https://github.com/IntelFsp/FSP.git +[19] https://github.com/IntelFsp/BCT.git
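Review bot: The OEM key-generation step in the new "Secure Boot for Bay Trail" section writes the private key unencrypted (`-nodes`) into `keydir/` under the build output directory, and the text says nothing about protecting it; because the hash of the public half is programmed into a one-time fuse (FUSE_FILE_OEM_KEY_HASH_1), a leaked key lets anyone sign images that a fused board will accept, and a lost key leaves no way to sign further images for that board, so the doc should tell readers to keep the key out of any shared or CI checkout of the build tree and to back it up securely. Two smaller points on the same command: `openssl req -x509 -out 'keydir/pub_oemkey.pem'` emits a self-signed X.509 certificate rather than a bare public key, while the prose speaks of "the public part of the OEM signing key", so state which form the signing script expects; and without `-days` the certificate is valid for 30 days by default, which matters if anything in the chain checks the validity period. Also, "Trusted Execution Enginge" should read "Trusted Execution Engine", "A OEM-keypair" should read "An OEM key pair", and the FPT step would benefit from saying explicitly that `FPT -writebatch fpf_config.txt` burns OTP fuses irreversibly, so that the FPF-Mirroring path mentioned later in the section is the one to use until the configuration has been validated.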