
[U-Boot,RFC,06/15] secure boot: rename CONFIG_SECURE_BOOT

Message ID 20190918012643.25192-7-takahiro.akashi@linaro.org
State RFC
Delegated to: Heinrich Schuchardt
Series efi_loader: add secure boot support | expand

Commit Message

AKASHI Takahiro Sept. 18, 2019, 1:26 a.m. UTC
The configuration, CONFIG_SECURE_BOOT, was scattered among different
architecture directories for different implementation. This will prevent
UEFI secure boot from being added later.

So let's rename them, giving each implementation its own
configuration option. CONFIG_SECURE_BOOT itself remains so as not to
break existing implicit dependencies.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 Kconfig                                   | 7 +++++++
 arch/arm/cpu/armv7/ls102xa/Kconfig        | 3 ++-
 arch/arm/cpu/armv8/fsl-layerscape/Kconfig | 3 ++-
 arch/arm/mach-imx/Kconfig                 | 3 ++-
 arch/powerpc/cpu/mpc85xx/Kconfig          | 3 ++-
 5 files changed, 15 insertions(+), 4 deletions(-)

Comments

Tom Rini Sept. 19, 2019, 3:02 p.m. UTC | #1
On Wed, Sep 18, 2019 at 10:26:34AM +0900, AKASHI Takahiro wrote:

> The configuration, CONFIG_SECURE_BOOT, was scattered among different
> architecture directories for different implementation. This will prevent
> UEFI secure boot from being added later.
> 
> So let's rename them, giving each implementation to different
> configuration option. CONFIG_SECURE_BOOT still remains not to break
> existing implicit dependency.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  Kconfig                                   | 7 +++++++
>  arch/arm/cpu/armv7/ls102xa/Kconfig        | 3 ++-
>  arch/arm/cpu/armv8/fsl-layerscape/Kconfig | 3 ++-
>  arch/arm/mach-imx/Kconfig                 | 3 ++-
>  arch/powerpc/cpu/mpc85xx/Kconfig          | 3 ++-
>  5 files changed, 15 insertions(+), 4 deletions(-)
> 
> diff --git a/Kconfig b/Kconfig
> index 1f0904f7045e..c11fc102a7d4 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -282,6 +282,13 @@ config SYS_LDSCRIPT
>  
>  endmenu		# General setup
>  
> +config SECURE_BOOT
> +	bool "Secure Boot"
> +	imply SHA256
> +	help
> +	  Enable Secure Boot feature. The actual behavior may vary
> +	  from architecture to architecture.
> +
>  menu "Boot images"
>  
>  config ANDROID_BOOT_IMAGE
> diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig b/arch/arm/cpu/armv7/ls102xa/Kconfig
> index 94fa68250ddf..ce1bc580d23d 100644
> --- a/arch/arm/cpu/armv7/ls102xa/Kconfig
> +++ b/arch/arm/cpu/armv7/ls102xa/Kconfig
> @@ -50,8 +50,9 @@ config MAX_CPUS
>  	  cores, count the reserved ports. This will allocate enough memory
>  	  in spin table to properly handle all cores.
>  
> -config SECURE_BOOT
> +config FSL_ARMV7_ENABLE_SECURE_BOOT
>  	bool	"Secure Boot"
> +	depends on SECURE_BOOT
>  	help
>  		Enable Freescale Secure Boot feature. Normally selected
>  		by defconfig. If unsure, do not change.
> diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> index 42d31fdab0a0..d4cfe31f8ebf 100644
> --- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> +++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> @@ -383,8 +383,9 @@ config EMC2305
>  	 Enable the EMC2305 fan controller for configuration of fan
>  	 speed.
>  
> -config SECURE_BOOT
> +config FSI_ARMV8_ENABLE_SECURE_BOOT
>  	bool "Secure Boot"
> +	depends on SECURE_BOOT
>  	help
>  		Enable Freescale Secure Boot feature
>  
> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
> index aeb54934888d..e1602fd5f0e8 100644
> --- a/arch/arm/mach-imx/Kconfig
> +++ b/arch/arm/mach-imx/Kconfig
> @@ -34,8 +34,9 @@ config USE_IMXIMG_PLUGIN
>  	  i.MX6/7 supports DCD and Plugin. Enable this configuration
>  	  to use Plugin, otherwise DCD will be used.
>  
> -config SECURE_BOOT
> +config FSL_IMX_ENABLE_SECURE_BOOT
>  	bool "Support i.MX HAB features"
> +	depends on SECURE_BOOT
>  	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
>  	select FSL_CAAM if HAS_CAAM
>  	imply CMD_DEKBLOB
> diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig b/arch/powerpc/cpu/mpc85xx/Kconfig
> index c038a6ddb0f4..9cf6ebbfe3ce 100644
> --- a/arch/powerpc/cpu/mpc85xx/Kconfig
> +++ b/arch/powerpc/cpu/mpc85xx/Kconfig
> @@ -1208,8 +1208,9 @@ config FSL_LAW
>  	help
>  		Use Freescale common code for Local Access Window
>  
> -config SECURE_BOOT
> +config FSL_MPC_ENABLE_SECURE_BOOT
>  	bool	"Secure Boot"
> +	depends on SECURE_BOOT
>  	help
>  		Enable Freescale Secure Boot feature. Normally selected
>  		by defconfig. If unsure, do not change.

I've added Priyanka Jain to the thread as the custodian for PowerPC and
NXP stuff and Stefano Babic as the custodian for i.MX stuff.  I don't
want to see "CONFIG_SECURE_BOOT" continue on as a config option, it's
too broad.  Can we please rename and update the existing NXP CONFIG
option (and I assume split it into a few ones to reflect better where
things really changed fundamentally from one SoC/arch to the next) and
update the help text?  Thanks!
Stefano Babic Sept. 19, 2019, 3:10 p.m. UTC | #2
On 19/09/19 17:02, Tom Rini wrote:
> On Wed, Sep 18, 2019 at 10:26:34AM +0900, AKASHI Takahiro wrote:
> 
>> The configuration, CONFIG_SECURE_BOOT, was scattered among different
>> architecture directories for different implementation. This will prevent
>> UEFI secure boot from being added later.
>>
>> So let's rename them, giving each implementation to different
>> configuration option. CONFIG_SECURE_BOOT still remains not to break
>> existing implicit dependency.
>>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>> ---
>>  Kconfig                                   | 7 +++++++
>>  arch/arm/cpu/armv7/ls102xa/Kconfig        | 3 ++-
>>  arch/arm/cpu/armv8/fsl-layerscape/Kconfig | 3 ++-
>>  arch/arm/mach-imx/Kconfig                 | 3 ++-
>>  arch/powerpc/cpu/mpc85xx/Kconfig          | 3 ++-
>>  5 files changed, 15 insertions(+), 4 deletions(-)
>>
>> diff --git a/Kconfig b/Kconfig
>> index 1f0904f7045e..c11fc102a7d4 100644
>> --- a/Kconfig
>> +++ b/Kconfig
>> @@ -282,6 +282,13 @@ config SYS_LDSCRIPT
>>  
>>  endmenu		# General setup
>>  
>> +config SECURE_BOOT
>> +	bool "Secure Boot"
>> +	imply SHA256
>> +	help
>> +	  Enable Secure Boot feature. The actual behavior may vary
>> +	  from architecture to architecture.
>> +
>>  menu "Boot images"
>>  
>>  config ANDROID_BOOT_IMAGE
>> diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig b/arch/arm/cpu/armv7/ls102xa/Kconfig
>> index 94fa68250ddf..ce1bc580d23d 100644
>> --- a/arch/arm/cpu/armv7/ls102xa/Kconfig
>> +++ b/arch/arm/cpu/armv7/ls102xa/Kconfig
>> @@ -50,8 +50,9 @@ config MAX_CPUS
>>  	  cores, count the reserved ports. This will allocate enough memory
>>  	  in spin table to properly handle all cores.
>>  
>> -config SECURE_BOOT
>> +config FSL_ARMV7_ENABLE_SECURE_BOOT
>>  	bool	"Secure Boot"
>> +	depends on SECURE_BOOT
>>  	help
>>  		Enable Freescale Secure Boot feature. Normally selected
>>  		by defconfig. If unsure, do not change.
>> diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>> index 42d31fdab0a0..d4cfe31f8ebf 100644
>> --- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>> +++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>> @@ -383,8 +383,9 @@ config EMC2305
>>  	 Enable the EMC2305 fan controller for configuration of fan
>>  	 speed.
>>  
>> -config SECURE_BOOT
>> +config FSI_ARMV8_ENABLE_SECURE_BOOT
>>  	bool "Secure Boot"
>> +	depends on SECURE_BOOT
>>  	help
>>  		Enable Freescale Secure Boot feature
>>  
>> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
>> index aeb54934888d..e1602fd5f0e8 100644
>> --- a/arch/arm/mach-imx/Kconfig
>> +++ b/arch/arm/mach-imx/Kconfig
>> @@ -34,8 +34,9 @@ config USE_IMXIMG_PLUGIN
>>  	  i.MX6/7 supports DCD and Plugin. Enable this configuration
>>  	  to use Plugin, otherwise DCD will be used.
>>  
>> -config SECURE_BOOT
>> +config FSL_IMX_ENABLE_SECURE_BOOT
>>  	bool "Support i.MX HAB features"
>> +	depends on SECURE_BOOT
>>  	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
>>  	select FSL_CAAM if HAS_CAAM
>>  	imply CMD_DEKBLOB
>> diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig b/arch/powerpc/cpu/mpc85xx/Kconfig
>> index c038a6ddb0f4..9cf6ebbfe3ce 100644
>> --- a/arch/powerpc/cpu/mpc85xx/Kconfig
>> +++ b/arch/powerpc/cpu/mpc85xx/Kconfig
>> @@ -1208,8 +1208,9 @@ config FSL_LAW
>>  	help
>>  		Use Freescale common code for Local Access Window
>>  
>> -config SECURE_BOOT
>> +config FSL_MPC_ENABLE_SECURE_BOOT
>>  	bool	"Secure Boot"
>> +	depends on SECURE_BOOT
>>  	help
>>  		Enable Freescale Secure Boot feature. Normally selected
>>  		by defconfig. If unsure, do not change.
> 
> I've added Priyanka Jain to the thread as the custodian for PowerPC and
> NXP stuff and Stefano Babic as the custodian for i.MX stuff.  I don't
> want to see "CONFIG_SECURE_BOOT" continue on as a config option, it's
> too broad.  Can we please rename and update the existing NXP CONFIG
> option (and I assume split it into a few ones to reflect better where
> things really changed fundamentally from one SoC/arch to the next) and
> update the help text?  Thanks!

Sure - SECURE_BOOT for NXP means enabling HAB, so the config can be renamed to
identify the component itself (CONFIG_HAB for example).

Regards,
Stefano
Priyanka Jain Sept. 25, 2019, 4:19 a.m. UTC | #3
>-----Original Message-----
>From: Stefano Babic <sbabic@denx.de>
>Sent: Thursday, September 19, 2019 8:40 PM
>To: Tom Rini <trini@konsulko.com>; AKASHI Takahiro
><takahiro.akashi@linaro.org>; Priyanka Jain <priyanka.jain@nxp.com>;
>Stefano Babic <sbabic@denx.de>
>Cc: xypron.glpk@gmx.de; agraf@csgraf.de; u-boot@lists.denx.de
>Subject: Re: [U-Boot] [RFC 06/15] secure boot: rename CONFIG_SECURE_BOOT
>
>On 19/09/19 17:02, Tom Rini wrote:
>> On Wed, Sep 18, 2019 at 10:26:34AM +0900, AKASHI Takahiro wrote:
>>
>>> The configuration, CONFIG_SECURE_BOOT, was scattered among different
>>> architecture directories for different implementation. This will
>>> prevent UEFI secure boot from being added later.
>>>
>>> So let's rename them, giving each implementation to different
>>> configuration option. CONFIG_SECURE_BOOT still remains not to break
>>> existing implicit dependency.
>>>
>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>>> ---
>>>  Kconfig                                   | 7 +++++++
>>>  arch/arm/cpu/armv7/ls102xa/Kconfig        | 3 ++-
>>>  arch/arm/cpu/armv8/fsl-layerscape/Kconfig | 3 ++-
>>>  arch/arm/mach-imx/Kconfig                 | 3 ++-
>>>  arch/powerpc/cpu/mpc85xx/Kconfig          | 3 ++-
>>>  5 files changed, 15 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/Kconfig b/Kconfig
>>> index 1f0904f7045e..c11fc102a7d4 100644
>>> --- a/Kconfig
>>> +++ b/Kconfig
>>> @@ -282,6 +282,13 @@ config SYS_LDSCRIPT
>>>
>>>  endmenu		# General setup
>>>
>>> +config SECURE_BOOT
>>> +	bool "Secure Boot"
>>> +	imply SHA256
>>> +	help
>>> +	  Enable Secure Boot feature. The actual behavior may vary
>>> +	  from architecture to architecture.
>>> +
>>>  menu "Boot images"
>>>
>>>  config ANDROID_BOOT_IMAGE
>>> diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig
>>> b/arch/arm/cpu/armv7/ls102xa/Kconfig
>>> index 94fa68250ddf..ce1bc580d23d 100644
>>> --- a/arch/arm/cpu/armv7/ls102xa/Kconfig
>>> +++ b/arch/arm/cpu/armv7/ls102xa/Kconfig
>>> @@ -50,8 +50,9 @@ config MAX_CPUS
>>>  	  cores, count the reserved ports. This will allocate enough memory
>>>  	  in spin table to properly handle all cores.
>>>
>>> -config SECURE_BOOT
>>> +config FSL_ARMV7_ENABLE_SECURE_BOOT
>>>  	bool	"Secure Boot"
>>> +	depends on SECURE_BOOT
>>>  	help
>>>  		Enable Freescale Secure Boot feature. Normally selected
>>>  		by defconfig. If unsure, do not change.
>>> diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>>> b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>>> index 42d31fdab0a0..d4cfe31f8ebf 100644
>>> --- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>>> +++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>>> @@ -383,8 +383,9 @@ config EMC2305
>>>  	 Enable the EMC2305 fan controller for configuration of fan
>>>  	 speed.
>>>
>>> -config SECURE_BOOT
>>> +config FSI_ARMV8_ENABLE_SECURE_BOOT
>>>  	bool "Secure Boot"
>>> +	depends on SECURE_BOOT
>>>  	help
>>>  		Enable Freescale Secure Boot feature
>>>
>>> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
>>> index aeb54934888d..e1602fd5f0e8 100644
>>> --- a/arch/arm/mach-imx/Kconfig
>>> +++ b/arch/arm/mach-imx/Kconfig
>>> @@ -34,8 +34,9 @@ config USE_IMXIMG_PLUGIN
>>>  	  i.MX6/7 supports DCD and Plugin. Enable this configuration
>>>  	  to use Plugin, otherwise DCD will be used.
>>>
>>> -config SECURE_BOOT
>>> +config FSL_IMX_ENABLE_SECURE_BOOT
>>>  	bool "Support i.MX HAB features"
>>> +	depends on SECURE_BOOT
>>>  	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
>>>  	select FSL_CAAM if HAS_CAAM
>>>  	imply CMD_DEKBLOB
>>> diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig
>>> b/arch/powerpc/cpu/mpc85xx/Kconfig
>>> index c038a6ddb0f4..9cf6ebbfe3ce 100644
>>> --- a/arch/powerpc/cpu/mpc85xx/Kconfig
>>> +++ b/arch/powerpc/cpu/mpc85xx/Kconfig
>>> @@ -1208,8 +1208,9 @@ config FSL_LAW
>>>  	help
>>>  		Use Freescale common code for Local Access Window
>>>
>>> -config SECURE_BOOT
>>> +config FSL_MPC_ENABLE_SECURE_BOOT
>>>  	bool	"Secure Boot"
>>> +	depends on SECURE_BOOT
>>>  	help
>>>  		Enable Freescale Secure Boot feature. Normally selected
>>>  		by defconfig. If unsure, do not change.
>>
>> I've added Priyanka Jain to the thread as the custodian for PowerPC
>> and NXP stuff and Stefano Babic as the custodian for i.MX stuff.  I
>> don't want to see "CONFIG_SECURE_BOOT" continue on as a config option,
>> it's too broad.  Can we please rename and update the existing NXP
>> CONFIG option (and I assume split it into a few ones to reflect better
>> where things really changed fundamentally from one SoC/arch to the
>> next) and update the help text?  Thanks!
>
>Sure - SECURE_BOOT for NXP means enabling HAB, a config can be rename to
>identify the component itself (CONFIG_HAB for example).
>
>Regards,
>Stefano
>
Sure, We will look into this and update NXP CONFIG_SECURE_BOOT option.
Priyanka
>
>--
>================================================================
>=====
>DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
>HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic@denx.de
>================================================================
>=====
AKASHI Takahiro Oct. 29, 2019, 5:19 a.m. UTC | #4
Priyanka, Stefano and Tom,

On Wed, Sep 25, 2019 at 04:19:43AM +0000, Priyanka Jain wrote:
> 
> 
> >-----Original Message-----
> >From: Stefano Babic <sbabic@denx.de>
> >Sent: Thursday, September 19, 2019 8:40 PM
> >To: Tom Rini <trini@konsulko.com>; AKASHI Takahiro
> ><takahiro.akashi@linaro.org>; Priyanka Jain <priyanka.jain@nxp.com>;
> >Stefano Babic <sbabic@denx.de>
> >Cc: xypron.glpk@gmx.de; agraf@csgraf.de; u-boot@lists.denx.de
> >Subject: Re: [U-Boot] [RFC 06/15] secure boot: rename CONFIG_SECURE_BOOT
> >
> >On 19/09/19 17:02, Tom Rini wrote:
> >> On Wed, Sep 18, 2019 at 10:26:34AM +0900, AKASHI Takahiro wrote:
> >>
> >>> The configuration, CONFIG_SECURE_BOOT, was scattered among different
> >>> architecture directories for different implementation. This will
> >>> prevent UEFI secure boot from being added later.
> >>>
> >>> So let's rename them, giving each implementation to different
> >>> configuration option. CONFIG_SECURE_BOOT still remains not to break
> >>> existing implicit dependency.
> >>>
> >>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >>> ---
> >>>  Kconfig                                   | 7 +++++++
> >>>  arch/arm/cpu/armv7/ls102xa/Kconfig        | 3 ++-
> >>>  arch/arm/cpu/armv8/fsl-layerscape/Kconfig | 3 ++-
> >>>  arch/arm/mach-imx/Kconfig                 | 3 ++-
> >>>  arch/powerpc/cpu/mpc85xx/Kconfig          | 3 ++-
> >>>  5 files changed, 15 insertions(+), 4 deletions(-)
> >>>
> >>> diff --git a/Kconfig b/Kconfig
> >>> index 1f0904f7045e..c11fc102a7d4 100644
> >>> --- a/Kconfig
> >>> +++ b/Kconfig
> >>> @@ -282,6 +282,13 @@ config SYS_LDSCRIPT
> >>>
> >>>  endmenu		# General setup
> >>>
> >>> +config SECURE_BOOT
> >>> +	bool "Secure Boot"
> >>> +	imply SHA256
> >>> +	help
> >>> +	  Enable Secure Boot feature. The actual behavior may vary
> >>> +	  from architecture to architecture.
> >>> +
> >>>  menu "Boot images"
> >>>
> >>>  config ANDROID_BOOT_IMAGE
> >>> diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig
> >>> b/arch/arm/cpu/armv7/ls102xa/Kconfig
> >>> index 94fa68250ddf..ce1bc580d23d 100644
> >>> --- a/arch/arm/cpu/armv7/ls102xa/Kconfig
> >>> +++ b/arch/arm/cpu/armv7/ls102xa/Kconfig
> >>> @@ -50,8 +50,9 @@ config MAX_CPUS
> >>>  	  cores, count the reserved ports. This will allocate enough memory
> >>>  	  in spin table to properly handle all cores.
> >>>
> >>> -config SECURE_BOOT
> >>> +config FSL_ARMV7_ENABLE_SECURE_BOOT
> >>>  	bool	"Secure Boot"
> >>> +	depends on SECURE_BOOT
> >>>  	help
> >>>  		Enable Freescale Secure Boot feature. Normally selected
> >>>  		by defconfig. If unsure, do not change.
> >>> diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> >>> b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> >>> index 42d31fdab0a0..d4cfe31f8ebf 100644
> >>> --- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> >>> +++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
> >>> @@ -383,8 +383,9 @@ config EMC2305
> >>>  	 Enable the EMC2305 fan controller for configuration of fan
> >>>  	 speed.
> >>>
> >>> -config SECURE_BOOT
> >>> +config FSI_ARMV8_ENABLE_SECURE_BOOT
> >>>  	bool "Secure Boot"
> >>> +	depends on SECURE_BOOT
> >>>  	help
> >>>  		Enable Freescale Secure Boot feature
> >>>
> >>> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
> >>> index aeb54934888d..e1602fd5f0e8 100644
> >>> --- a/arch/arm/mach-imx/Kconfig
> >>> +++ b/arch/arm/mach-imx/Kconfig
> >>> @@ -34,8 +34,9 @@ config USE_IMXIMG_PLUGIN
> >>>  	  i.MX6/7 supports DCD and Plugin. Enable this configuration
> >>>  	  to use Plugin, otherwise DCD will be used.
> >>>
> >>> -config SECURE_BOOT
> >>> +config FSL_IMX_ENABLE_SECURE_BOOT
> >>>  	bool "Support i.MX HAB features"
> >>> +	depends on SECURE_BOOT
> >>>  	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
> >>>  	select FSL_CAAM if HAS_CAAM
> >>>  	imply CMD_DEKBLOB
> >>> diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig
> >>> b/arch/powerpc/cpu/mpc85xx/Kconfig
> >>> index c038a6ddb0f4..9cf6ebbfe3ce 100644
> >>> --- a/arch/powerpc/cpu/mpc85xx/Kconfig
> >>> +++ b/arch/powerpc/cpu/mpc85xx/Kconfig
> >>> @@ -1208,8 +1208,9 @@ config FSL_LAW
> >>>  	help
> >>>  		Use Freescale common code for Local Access Window
> >>>
> >>> -config SECURE_BOOT
> >>> +config FSL_MPC_ENABLE_SECURE_BOOT
> >>>  	bool	"Secure Boot"
> >>> +	depends on SECURE_BOOT
> >>>  	help
> >>>  		Enable Freescale Secure Boot feature. Normally selected
> >>>  		by defconfig. If unsure, do not change.
> >>
> >> I've added Priyanka Jain to the thread as the custodian for PowerPC
> >> and NXP stuff and Stefano Babic as the custodian for i.MX stuff.  I
> >> don't want to see "CONFIG_SECURE_BOOT" continue on as a config option,
> >> it's too broad.  Can we please rename and update the existing NXP
> >> CONFIG option (and I assume split it into a few ones to reflect better
> >> where things really changed fundamentally from one SoC/arch to the
> >> next) and update the help text?  Thanks!
> >
> >Sure - SECURE_BOOT for NXP means enabling HAB, a config can be rename to
> >identify the component itself (CONFIG_HAB for example).
> >
> >Regards,
> >Stefano
> >
> Sure, We will look into this and update NXP CONFIG_SECURE_BOOT option.
> Priyanka

Can we expect this re-work on NXP/Freescale platforms to be done
in the current release cycle, that is v2020.01?

If not, can I continue to use my patch[1] as part of my UEFI secure boot
patch set for the time being?

  [1] https://lists.denx.de/pipermail/u-boot/2019-September/383908.html

Thanks,
-Takahiro Akashi


> >
> >--
> >================================================================
> >=====
> >DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> >HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
> >Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic@denx.de
> >================================================================
> >=====
Priyanka Jain Oct. 30, 2019, 8:24 a.m. UTC | #5
>-----Original Message-----
>From: AKASHI Takahiro <takahiro.akashi@linaro.org>
>Sent: Tuesday, October 29, 2019 10:49 AM
>To: Priyanka Jain <priyanka.jain@nxp.com>; Stefano Babic <sbabic@denx.de>
>Cc: Tom Rini <trini@konsulko.com>; Udit Agarwal <udit.agarwal@nxp.com>;
>xypron.glpk@gmx.de; agraf@csgraf.de; u-boot@lists.denx.de
>Subject: Re: [U-Boot] [RFC 06/15] secure boot: rename CONFIG_SECURE_BOOT
>
>Priyanka, Stefano and Tom,
>
>On Wed, Sep 25, 2019 at 04:19:43AM +0000, Priyanka Jain wrote:
>>
>>
>> >-----Original Message-----
>> >From: Stefano Babic <sbabic@denx.de>
>> >Sent: Thursday, September 19, 2019 8:40 PM
>> >To: Tom Rini <trini@konsulko.com>; AKASHI Takahiro
>> ><takahiro.akashi@linaro.org>; Priyanka Jain <priyanka.jain@nxp.com>;
>> >Stefano Babic <sbabic@denx.de>
>> >Cc: xypron.glpk@gmx.de; agraf@csgraf.de; u-boot@lists.denx.de
>> >Subject: Re: [U-Boot] [RFC 06/15] secure boot: rename
>> >CONFIG_SECURE_BOOT
>> >
>> >On 19/09/19 17:02, Tom Rini wrote:
>> >> On Wed, Sep 18, 2019 at 10:26:34AM +0900, AKASHI Takahiro wrote:
>> >>
>> >>> The configuration, CONFIG_SECURE_BOOT, was scattered among
>> >>> different architecture directories for different implementation.
>> >>> This will prevent UEFI secure boot from being added later.
>> >>>
>> >>> So let's rename them, giving each implementation to different
>> >>> configuration option. CONFIG_SECURE_BOOT still remains not to
>> >>> break existing implicit dependency.
>> >>>
>> >>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>> >>> ---
>> >>>  Kconfig                                   | 7 +++++++
>> >>>  arch/arm/cpu/armv7/ls102xa/Kconfig        | 3 ++-
>> >>>  arch/arm/cpu/armv8/fsl-layerscape/Kconfig | 3 ++-
>> >>>  arch/arm/mach-imx/Kconfig                 | 3 ++-
>> >>>  arch/powerpc/cpu/mpc85xx/Kconfig          | 3 ++-
>> >>>  5 files changed, 15 insertions(+), 4 deletions(-)
>> >>>
>> >>> diff --git a/Kconfig b/Kconfig
>> >>> index 1f0904f7045e..c11fc102a7d4 100644
>> >>> --- a/Kconfig
>> >>> +++ b/Kconfig
>> >>> @@ -282,6 +282,13 @@ config SYS_LDSCRIPT
>> >>>
>> >>>  endmenu		# General setup
>> >>>
>> >>> +config SECURE_BOOT
>> >>> +	bool "Secure Boot"
>> >>> +	imply SHA256
>> >>> +	help
>> >>> +	  Enable Secure Boot feature. The actual behavior may vary
>> >>> +	  from architecture to architecture.
>> >>> +
>> >>>  menu "Boot images"
>> >>>
>> >>>  config ANDROID_BOOT_IMAGE
>> >>> diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig
>> >>> b/arch/arm/cpu/armv7/ls102xa/Kconfig
>> >>> index 94fa68250ddf..ce1bc580d23d 100644
>> >>> --- a/arch/arm/cpu/armv7/ls102xa/Kconfig
>> >>> +++ b/arch/arm/cpu/armv7/ls102xa/Kconfig
>> >>> @@ -50,8 +50,9 @@ config MAX_CPUS
>> >>>  	  cores, count the reserved ports. This will allocate enough memory
>> >>>  	  in spin table to properly handle all cores.
>> >>>
>> >>> -config SECURE_BOOT
>> >>> +config FSL_ARMV7_ENABLE_SECURE_BOOT
>> >>>  	bool	"Secure Boot"
>> >>> +	depends on SECURE_BOOT
>> >>>  	help
>> >>>  		Enable Freescale Secure Boot feature. Normally selected
>> >>>  		by defconfig. If unsure, do not change.
>> >>> diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>> >>> b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>> >>> index 42d31fdab0a0..d4cfe31f8ebf 100644
>> >>> --- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>> >>> +++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
>> >>> @@ -383,8 +383,9 @@ config EMC2305
>> >>>  	 Enable the EMC2305 fan controller for configuration of fan
>> >>>  	 speed.
>> >>>
>> >>> -config SECURE_BOOT
>> >>> +config FSI_ARMV8_ENABLE_SECURE_BOOT
>> >>>  	bool "Secure Boot"
>> >>> +	depends on SECURE_BOOT
>> >>>  	help
>> >>>  		Enable Freescale Secure Boot feature
>> >>>
>> >>> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
>> >>> index aeb54934888d..e1602fd5f0e8 100644
>> >>> --- a/arch/arm/mach-imx/Kconfig
>> >>> +++ b/arch/arm/mach-imx/Kconfig
>> >>> @@ -34,8 +34,9 @@ config USE_IMXIMG_PLUGIN
>> >>>  	  i.MX6/7 supports DCD and Plugin. Enable this configuration
>> >>>  	  to use Plugin, otherwise DCD will be used.
>> >>>
>> >>> -config SECURE_BOOT
>> >>> +config FSL_IMX_ENABLE_SECURE_BOOT
>> >>>  	bool "Support i.MX HAB features"
>> >>> +	depends on SECURE_BOOT
>> >>>  	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
>> >>>  	select FSL_CAAM if HAS_CAAM
>> >>>  	imply CMD_DEKBLOB
>> >>> diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig
>> >>> b/arch/powerpc/cpu/mpc85xx/Kconfig
>> >>> index c038a6ddb0f4..9cf6ebbfe3ce 100644
>> >>> --- a/arch/powerpc/cpu/mpc85xx/Kconfig
>> >>> +++ b/arch/powerpc/cpu/mpc85xx/Kconfig
>> >>> @@ -1208,8 +1208,9 @@ config FSL_LAW
>> >>>  	help
>> >>>  		Use Freescale common code for Local Access Window
>> >>>
>> >>> -config SECURE_BOOT
>> >>> +config FSL_MPC_ENABLE_SECURE_BOOT
>> >>>  	bool	"Secure Boot"
>> >>> +	depends on SECURE_BOOT
>> >>>  	help
>> >>>  		Enable Freescale Secure Boot feature. Normally selected
>> >>>  		by defconfig. If unsure, do not change.
>> >>
>> >> I've added Priyanka Jain to the thread as the custodian for PowerPC
>> >> and NXP stuff and Stefano Babic as the custodian for i.MX stuff.  I
>> >> don't want to see "CONFIG_SECURE_BOOT" continue on as a config
>> >> option, it's too broad.  Can we please rename and update the
>> >> existing NXP CONFIG option (and I assume split it into a few ones
>> >> to reflect better where things really changed fundamentally from
>> >> one SoC/arch to the
>> >> next) and update the help text?  Thanks!
>> >
>> >Sure - SECURE_BOOT for NXP means enabling HAB, a config can be rename
>> >to identify the component itself (CONFIG_HAB for example).
>> >
>> >Regards,
>> >Stefano
>> >
>> Sure, We will look into this and update NXP CONFIG_SECURE_BOOT option.
>> Priyanka
>
>Can we expect this re-work on NXP/Freescal platforms to be done in the
>current release cycle, that is v2020.01?
>
Yes, we are working on the changes for NXP ARM and mpc85xx platforms.

Regards
Priyanka
 
>If not, can I continue to use my match[1] as part of my UEFI secure boot patch
>set for the time being?
>
>  [1]
>https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.de
>nx.de%2Fpipermail%2Fu-boot%2F2019-
>September%2F383908.html&amp;data=02%7C01%7Cpriyanka.jain%40nxp.com
>%7C00a34480e43c4950cb0808d75c2f836b%7C686ea1d3bc2b4c6fa92cd99c5c30
>1635%7C0%7C0%7C637079231443969244&amp;sdata=gvOKFn6Rt7sgbmrbMo
>Vq2cawyetW5z6H50Qhv0aX0rA%3D&amp;reserved=0
>
>Thanks,
>-Takahiro Akashi
>
>
>> >
>> >--
>>
>>================================================================
>> >=====
>> >DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
>> >HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
>> >Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic@denx.de
>>
>>================================================================
>> >=====

Patch

diff --git a/Kconfig b/Kconfig
index 1f0904f7045e..c11fc102a7d4 100644
--- a/Kconfig
+++ b/Kconfig
@@ -282,6 +282,13 @@  config SYS_LDSCRIPT
 
 endmenu		# General setup
 
+config SECURE_BOOT
+	bool "Secure Boot"
+	imply SHA256
+	help
+	  Enable Secure Boot feature. The actual behavior may vary
+	  from architecture to architecture.
+
 menu "Boot images"
 
 config ANDROID_BOOT_IMAGE
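Review bot: The new top-level `SECURE_BOOT` entry has no `depends on`, so it can be switched on for any board, including ones to which none of the platform options renamed in this patch apply, and its help text does not say what a builder actually gets. On such a board the configuration would read "Secure Boot" as enabled while, as far as this patch shows, nothing verifies the next boot stage. I would either restrict the symbol with a `depends on` covering the platforms that implement it, or state the limit in the help, e.g. `Platforms without their own secure boot implementation get no image verification from this option.` The `imply SHA256` also deserves a one-line comment naming the implementation that needs it, since the per-platform mechanisms differ.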
diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig b/arch/arm/cpu/armv7/ls102xa/Kconfig
index 94fa68250ddf..ce1bc580d23d 100644
--- a/arch/arm/cpu/armv7/ls102xa/Kconfig
+++ b/arch/arm/cpu/armv7/ls102xa/Kconfig
@@ -50,8 +50,9 @@  config MAX_CPUS
 	  cores, count the reserved ports. This will allocate enough memory
 	  in spin table to properly handle all cores.
 
-config SECURE_BOOT
+config FSL_ARMV7_ENABLE_SECURE_BOOT
 	bool	"Secure Boot"
+	depends on SECURE_BOOT
 	help
 		Enable Freescale Secure Boot feature. Normally selected
 		by defconfig. If unsure, do not change.
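Review bot: The renamed option has no `default` and only `depends on SECURE_BOOT`, so a defconfig that sets `CONFIG_SECURE_BOOT=y` today will leave `FSL_ARMV7_ENABLE_SECURE_BOOT` unset after this change; the same applies to the fsl-layerscape, mach-imx and mpc85xx hunks. The diffstat lists only Kconfig files, so whether the defconfigs and the code that tests the symbol are converted elsewhere in the series cannot be seen here; if they are not, the new symbols are never set and never read. Converting the defconfigs in the same patch, or adding `default y` together with a dependency on the platform, would keep existing secure-boot builds unchanged. The prompt is also still `"Secure Boot"`, identical to the new top-level entry; something like `bool "Freescale Secure Boot (ARMv7)"` would tell the two apart in menuconfig.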
diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
index 42d31fdab0a0..d4cfe31f8ebf 100644
--- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
+++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig
@@ -383,8 +383,9 @@  config EMC2305
 	 Enable the EMC2305 fan controller for configuration of fan
 	 speed.
 
-config SECURE_BOOT
+config FSI_ARMV8_ENABLE_SECURE_BOOT
 	bool "Secure Boot"
+	depends on SECURE_BOOT
 	help
 		Enable Freescale Secure Boot feature
 
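Review bot: `FSI_ARMV8_ENABLE_SECURE_BOOT` looks like a typo for `FSL_`, since the other three renamed options in this patch are `FSL_ARMV7_ENABLE_SECURE_BOOT`, `FSL_IMX_ENABLE_SECURE_BOOT` and `FSL_MPC_ENABLE_SECURE_BOOT`. A misspelled Kconfig symbol is easy to miss later, because a defconfig line or an `#ifdef` written with the expected `FSL_` spelling would silently never match, leaving the feature off without any build error. Suggested line: `config FSL_ARMV8_ENABLE_SECURE_BOOT`. The help text here also lacks the "Normally selected by defconfig. If unsure, do not change." guidance that the ARMv7 and mpc85xx entries carry.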
diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index aeb54934888d..e1602fd5f0e8 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -34,8 +34,9 @@  config USE_IMXIMG_PLUGIN
 	  i.MX6/7 supports DCD and Plugin. Enable this configuration
 	  to use Plugin, otherwise DCD will be used.
 
-config SECURE_BOOT
+config FSL_IMX_ENABLE_SECURE_BOOT
 	bool "Support i.MX HAB features"
+	depends on SECURE_BOOT
 	depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5
 	select FSL_CAAM if HAS_CAAM
 	imply CMD_DEKBLOB
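Review bot: `select FSL_CAAM if HAS_CAAM` and `imply CMD_DEKBLOB` now hang off `FSL_IMX_ENABLE_SECURE_BOOT` rather than off `SECURE_BOOT`. The commit message says `CONFIG_SECURE_BOOT` is kept for the existing implicit dependency, so an i.MX board that sets only that symbol would presumably still build the HAB code but no longer get `FSL_CAAM` selected for it. Either keep the `select`/`imply` reachable from the symbol the code actually tests, or convert the i.MX users and defconfigs to the new name in this same patch. The entry continues past the end of the hunk, so its help text is not visible here.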
diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig b/arch/powerpc/cpu/mpc85xx/Kconfig
index c038a6ddb0f4..9cf6ebbfe3ce 100644
--- a/arch/powerpc/cpu/mpc85xx/Kconfig
+++ b/arch/powerpc/cpu/mpc85xx/Kconfig
@@ -1208,8 +1208,9 @@  config FSL_LAW
 	help
 		Use Freescale common code for Local Access Window
 
-config SECURE_BOOT
+config FSL_MPC_ENABLE_SECURE_BOOT
 	bool	"Secure Boot"
+	depends on SECURE_BOOT
 	help
 		Enable Freescale Secure Boot feature. Normally selected
 		by defconfig. If unsure, do not change.