Message ID | 20231214162543.1200276-2-tharvey@gateworks.com |
---|---|
State | Changes Requested |
Delegated to: | Fabio Estevam |
Series | [1/2] configs: imx8m{m, n, p}_venice_defconfig: add arch_misc_init |

Hi Tim,

On Thu, Dec 14, 2023 at 1:25 PM Tim Harvey <tharvey@gateworks.com> wrote:
>
> Prepare for DEK blob encapsulation support through "dek_blob" command.
> On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
> for encrypted boot.
>
> The DEK blob is encapsulated by OP-TEE through a trusted application
> call. U-boot sends and receives the DEK and the DEK blob binaries
> through OP-TEE dynamic shared memory.
>
> To enable the DEK blob encapsulation, add to the defconfig:
> CONFIG_SECURE_BOOT=y

This option does not exist.

Do you mean CONFIG_IMX_HAB=y?

On Thu, Dec 14, 2023 at 8:30 AM Fabio Estevam <festevam@gmail.com> wrote:
>
> Hi Tim,
>
> On Thu, Dec 14, 2023 at 1:25 PM Tim Harvey <tharvey@gateworks.com> wrote:
> >
> > Prepare for DEK blob encapsulation support through "dek_blob" command.
> > On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
> > for encrypted boot.
> >
> > The DEK blob is encapsulated by OP-TEE through a trusted application
> > call. U-boot sends and receives the DEK and the DEK blob binaries
> > through OP-TEE dynamic shared memory.
> >
> > To enable the DEK blob encapsulation, add to the defconfig:
> > CONFIG_SECURE_BOOT=y
>
> This option does not exist.
>
> Do you mean CONFIG_IMX_HAB=y?

Fabio,

The commit log details are not valid for upstream. I was basing this
off of 8d060e4a66d6884341fbb3d8ab1d837a3f173d47 which made it upstream
with the same message.

I can submit a v2 if necessary.

Best Regards,

Tim

Hi Tim,

On Fri, Dec 15, 2023 at 3:34 PM Tim Harvey <tharvey@gateworks.com> wrote:

> Fabio,
>
> The commit log details are not valid for upstream. I was basing this
> off of 8d060e4a66d6884341fbb3d8ab1d837a3f173d47 which made it upstream
> with the same message.
>
> I can submit a v2 if necessary.

Yes, please submit a v2 and I will queue this series and the TPM one
to u-boot-imx next.

Regards,

Fabio Estevam

On Fri, Dec 15, 2023 at 12:41 PM Fabio Estevam <festevam@gmail.com> wrote:
>
> Hi Tim,
>
> On Fri, Dec 15, 2023 at 3:34 PM Tim Harvey <tharvey@gateworks.com> wrote:
>
> > Fabio,
> >
> > The commit log details are not valid for upstream. I was basing this
> > off of 8d060e4a66d6884341fbb3d8ab1d837a3f173d47 which made it upstream
> > with the same message.
> >
> > I can submit a v2 if necessary.
>
> Yes, please submit a v2 and I will queue this series and the TPM one
> to u-boot-imx next.

This node appears to already be in the imx8mm-u-boot.dtsi encapsulated
by an #ifdef looking for optee. Can this ifdef be expanded to include
CONFIG_SECURE_BOOT?

adam

> Regards,
>
> Fabio Estevam

On Fri, Dec 15, 2023 at 11:06 AM Adam Ford <aford173@gmail.com> wrote:
>
> On Fri, Dec 15, 2023 at 12:41 PM Fabio Estevam <festevam@gmail.com> wrote:
> >
> > Hi Tim,
> >
> > On Fri, Dec 15, 2023 at 3:34 PM Tim Harvey <tharvey@gateworks.com> wrote:
> >
> > > Fabio,
> > >
> > > The commit log details are not valid for upstream. I was basing this
> > > off of 8d060e4a66d6884341fbb3d8ab1d837a3f173d47 which made it upstream
> > > with the same message.
> > >
> > > I can submit a v2 if necessary.
> >
> > Yes, please submit a v2 and I will queue this series and the TPM one
> > to u-boot-imx next.
>
> This node appears to already be in the imx8mm-u-boot.dtsi encapsulated
> by an #ifdef looking for optee. Can this ifdef be expanded to include
> CONFIG_SECURE_BOOT?
>

Adam,

Thanks for reminding me of that... that was my submission. This patch
just needs to be dropped... it was a remnant from before bb6a4c55363c3
("arm: dts: imx8mm: move firmware/optee node to common
imx8mm-u-boot.dtsi")

I think it makes sense that the firmware/optee node is protected
within a CONFIG_OPTEE

Best Regards,

Tim

diff --git a/arch/arm/dts/imx8mm-venice-u-boot.dtsi b/arch/arm/dts/imx8mm-venice-u-boot.dtsi index 8337c4aea807..b232002b8937 100644 --- a/arch/arm/dts/imx8mm-venice-u-boot.dtsi +++ b/arch/arm/dts/imx8mm-venice-u-boot.dtsi @@ -11,6 +11,13 @@ wdt = <&wdog1>; bootph-pre-ram; }; + + firmware { + optee { + compatible = "linaro,optee-tz"; + method = "smc"; + }; + }; }; &gpio1 {
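
Review bot: The `firmware/optee` node added after the node that sets `wdt = <&wdog1>` is unconditional, so the board dtsi declares the OP-TEE interface even in builds where OP-TEE is not enabled. Per the discussion above, the common imx8mm-u-boot.dtsi already carries this node inside an #ifdef for OP-TEE, which makes this copy a duplicate without the guard. Suggest dropping the hunk and relying on the guarded common node, so the `linaro,optee-tz` device is only described when the secure-world side is actually built in. The commit message should be corrected with it, since it instructs users to set CONFIG_SECURE_BOOT=y, which the thread identifies as an option that does not exist.
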
Prepare for DEK blob encapsulation support through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.

The DEK blob is encapsulated by OP-TEE through a trusted application
call. U-boot sends and receives the DEK and the DEK blob binaries
through OP-TEE dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Taken from NXP's commit 56d2050f4028 ("imx8m: Add DEK blob
encapsulation for imx8m").

Signed-off-by: Tim Harvey <tharvey@gateworks.com>
---
 arch/arm/dts/imx8mm-venice-u-boot.dtsi | 7 +++++++
 1 file changed, 7 insertions(+)