| Message ID | 20210226161105.2303-1-elly.siew.chin.lim@intel.com |
|---|---|
| Headers | show |
| Series | Add Vendor Authorized Boot (VAB) support | expand |
Hi All, Please ignore this series, I accidentally create this series based on older master branch which causes patch [v4 2/7] conflict with latest master branch due to new commit about asm/global_data.h. I have rebased to latest master branch and resend the VAB series with prefix " [RESEND,v4,1/7] ...". Thanks, Siew Chin > -----Original Message----- > From: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com> > Sent: Saturday, February 27, 2021 12:11 AM > To: u-boot@lists.denx.de > Cc: Marek Vasut <marex@denx.de>; Tan, Ley Foon > <ley.foon.tan@intel.com>; See, Chin Liang <chin.liang.see@intel.com>; > Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong > <tien.fong.chee@intel.com>; Westergreen, Dalon > <dalon.westergreen@intel.com>; Simon Glass <sjg@chromium.org>; Gan, > Yau Wai <yau.wai.gan@intel.com>; Lim, Elly Siew Chin > <elly.siew.chin.lim@intel.com> > Subject: [v4 0/7] Add Vendor Authorized Boot (VAB) support > > This is the 4th version of patchset to add Vendor Authorized Boot (VAB) > support for Intel Agilex SoC device. > > Vendor Authorized Boot is a security feature for authenticating the images > such as U-Boot, ARM trusted Firmware, Linux kernel, device tree blob and > etc loaded from FIT. After those images are loaded from FIT, the VAB > certificate and signature block appended at the end of each image are sent > to Secure Device Manager (SDM) for authentication. U-Boot will validate the > SHA384 of the image against the SHA384 hash stored in the VAB certificate > before sending the image to SDM for authentication. > > Patch status: > Have changes: Patch 2, 7 > Other patches unchanged. > > Detail changelog can find in commit message. > > v3->v4: > -------- > Patch 2: > - Move function 'board_fit_image_post_process' and 'board_prep_linux' > from > secure_vab.c to board.c > > Patch 7: > - Replace CONFIG_TARGET_SOCFPGA_STRATIX10/AGILEX with > CONFIG_TARGET_SOCFPGA_SOC64. > - Add this patch into 'VAB' series because it is depending on > CONFIG_TARGET_SOCFPGA_SOC64 patch. > > History: > -------- > [v1]: > https://patchwork.ozlabs.org/project/uboot/cover/20201110070505.26935- > 1-elly.siew.chin.lim@intel.com/ > [v2]: > https://patchwork.ozlabs.org/project/uboot/cover/20210107100337.45293- > 1-elly.siew.chin.lim@intel.com/ > [v3]: > https://patchwork.ozlabs.org/project/uboot/cover/20210205105212.16510- > 1-elly.siew.chin.lim@intel.com/ > > > Dalon Westergreen (1): > Makefile: socfpga: Add target to generate hex output for combined spl > and dtb > > Siew Chin Lim (6): > arm: socfpga: Move Stratix10 and Agilex to use TARGET_SOCFPGA_SOC64 > arm: socfpga: soc64: Support Vendor Authorized Boot (VAB) > arm: socfpga: cmd: Support 'vab' command > arm: socfpga: dts: soc64: Update filename in binman node of FIT image > with VAB support > configs: socfpga: soc64: Move CONFIG_BOOTCOMMAND to defconfig > configs: socfpga: Add defconfig for Agilex with VAB support > > Makefile | 11 +- > arch/arm/Kconfig | 6 +- > arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi | 22 +++ > arch/arm/mach-socfpga/Kconfig | 20 +++ > arch/arm/mach-socfpga/Makefile | 3 + > arch/arm/mach-socfpga/board.c | 43 ++++- > arch/arm/mach-socfpga/include/mach/mailbox_s10.h | 1 + > arch/arm/mach-socfpga/include/mach/reset_manager.h | 3 +- > arch/arm/mach-socfpga/include/mach/secure_vab.h | 63 +++++++ > .../arm/mach-socfpga/include/mach/system_manager.h | 3 +- > arch/arm/mach-socfpga/secure_vab.c | 186 > +++++++++++++++++++++ > arch/arm/mach-socfpga/vab.c | 34 ++++ > common/Kconfig.boot | 2 +- > configs/socfpga_agilex_atf_defconfig | 2 + > configs/socfpga_agilex_defconfig | 2 + > ..._atf_defconfig => socfpga_agilex_vab_defconfig} | 4 + > configs/socfpga_stratix10_atf_defconfig | 2 + > configs/socfpga_stratix10_defconfig | 2 + > drivers/ddr/altera/Kconfig | 6 +- > drivers/fpga/Kconfig | 2 +- > drivers/sysreset/Kconfig | 2 +- > include/configs/socfpga_soc64_common.h | 10 +- > scripts/Makefile.spl | 7 + > 23 files changed, 406 insertions(+), 30 deletions(-) create mode 100644 > arch/arm/mach-socfpga/include/mach/secure_vab.h > create mode 100644 arch/arm/mach-socfpga/secure_vab.c > create mode 100644 arch/arm/mach-socfpga/vab.c copy > configs/{socfpga_agilex_atf_defconfig => socfpga_agilex_vab_defconfig} > (91%) > > -- > 2.13.0
This is the 4th version of patchset to add Vendor Authorized Boot (VAB) support for Intel Agilex SoC device. Vendor Authorized Boot is a security feature for authenticating the images such as U-Boot, ARM trusted Firmware, Linux kernel, device tree blob and etc loaded from FIT. After those images are loaded from FIT, the VAB certificate and signature block appended at the end of each image are sent to Secure Device Manager (SDM) for authentication. U-Boot will validate the SHA384 of the image against the SHA384 hash stored in the VAB certificate before sending the image to SDM for authentication. Patch status: Have changes: Patch 2, 7 Other patches unchanged. Detail changelog can find in commit message. v3->v4: -------- Patch 2: - Move function 'board_fit_image_post_process' and 'board_prep_linux' from secure_vab.c to board.c Patch 7: - Replace CONFIG_TARGET_SOCFPGA_STRATIX10/AGILEX with CONFIG_TARGET_SOCFPGA_SOC64. - Add this patch into 'VAB' series because it is depending on CONFIG_TARGET_SOCFPGA_SOC64 patch. History: -------- [v1]: https://patchwork.ozlabs.org/project/uboot/cover/20201110070505.26935-1-elly.siew.chin.lim@intel.com/ [v2]: https://patchwork.ozlabs.org/project/uboot/cover/20210107100337.45293-1-elly.siew.chin.lim@intel.com/ [v3]: https://patchwork.ozlabs.org/project/uboot/cover/20210205105212.16510-1-elly.siew.chin.lim@intel.com/ Dalon Westergreen (1): Makefile: socfpga: Add target to generate hex output for combined spl and dtb Siew Chin Lim (6): arm: socfpga: Move Stratix10 and Agilex to use TARGET_SOCFPGA_SOC64 arm: socfpga: soc64: Support Vendor Authorized Boot (VAB) arm: socfpga: cmd: Support 'vab' command arm: socfpga: dts: soc64: Update filename in binman node of FIT image with VAB support configs: socfpga: soc64: Move CONFIG_BOOTCOMMAND to defconfig configs: socfpga: Add defconfig for Agilex with VAB support Makefile | 11 +- arch/arm/Kconfig | 6 +- arch/arm/dts/socfpga_soc64_fit-u-boot.dtsi | 22 +++ arch/arm/mach-socfpga/Kconfig | 20 +++ arch/arm/mach-socfpga/Makefile | 3 + arch/arm/mach-socfpga/board.c | 43 ++++- arch/arm/mach-socfpga/include/mach/mailbox_s10.h | 1 + arch/arm/mach-socfpga/include/mach/reset_manager.h | 3 +- arch/arm/mach-socfpga/include/mach/secure_vab.h | 63 +++++++ .../arm/mach-socfpga/include/mach/system_manager.h | 3 +- arch/arm/mach-socfpga/secure_vab.c | 186 +++++++++++++++++++++ arch/arm/mach-socfpga/vab.c | 34 ++++ common/Kconfig.boot | 2 +- configs/socfpga_agilex_atf_defconfig | 2 + configs/socfpga_agilex_defconfig | 2 + ..._atf_defconfig => socfpga_agilex_vab_defconfig} | 4 + configs/socfpga_stratix10_atf_defconfig | 2 + configs/socfpga_stratix10_defconfig | 2 + drivers/ddr/altera/Kconfig | 6 +- drivers/fpga/Kconfig | 2 +- drivers/sysreset/Kconfig | 2 +- include/configs/socfpga_soc64_common.h | 10 +- scripts/Makefile.spl | 7 + 23 files changed, 406 insertions(+), 30 deletions(-) create mode 100644 arch/arm/mach-socfpga/include/mach/secure_vab.h create mode 100644 arch/arm/mach-socfpga/secure_vab.c create mode 100644 arch/arm/mach-socfpga/vab.c copy configs/{socfpga_agilex_atf_defconfig => socfpga_agilex_vab_defconfig} (91%)