
On Wed, Dec 13, 2017 at 9:08 PM, Maxime Ripard maxime.ripard@free-electrons.com wrote:
Hi,
On Wed, Dec 13, 2017 at 11:33:04AM +0530, Jagan Teki wrote:
Add verified-boot documentation for sunxi a64 platform.
Signed-off-by: Jagan Teki jagan@amarulasolutions.com
Changes for v3:
- Create separate document file
Changes for v2:
- New patch
doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 193 insertions(+) create mode 100644 doc/README.sunxi
diff --git a/doc/README.sunxi b/doc/README.sunxi new file mode 100644 index 0000000..ef4f735 --- /dev/null +++ b/doc/README.sunxi @@ -0,0 +1,193 @@ +# +# Copyright (C) 2017 Amarula Solutions +# +# SPDX-License-Identifier: GPL-2.0+ +#
+U-Boot on SunXi +==============
+Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform.
1. Verified Boot
+1. Verified Boot +================
+U-Boot supports an image verification method called "Verified Boot". +This is a brief tutorial to utilize this feature for the Sunxi A64 platform. +You will find details documents in the doc/uImage.FIT directory.
+Here, we take Orangepi Win board for example, but it should work for any +other boards including 32 bit SoCs.
+1. Generate RSA key to sign
- $ mkdir keys
- $ openssl genpkey -algorithm RSA -out keys/dev.key \
- -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
- $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
+Two files "dev.key" and "dev.crt" will be created. The base name is arbitrary, +but need to match to the "key-name-hint" property described below.
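Review bot: In the "Generate RSA key to sign" step, the text says two files are created but not which one is secret. State that keys/dev.key is the private signing key and should stay on the build host, and that keys/dev.crt carries the public half. The same hunk has wording to fix: "Tutorial describe all details" should read "This tutorial describes the details", "details documents" should read "detailed documents", and "but need to match to" should read "but needs to match". The "==============" underline is also one character shorter than the "U-Boot on SunXi" title.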
I really think that the very first thing you must talk about in that documentation is that it will not protect the SPL itself and that this is not a secure setup.
Based on my experience with U-Boot, verified boot here doesn't relate to protecting SPL or U-Boot. It's generally for the kernel and the following stages. I don't think we can think here too much. Some reference: doc/README.uniphier
You're right that if we protect the boot stages, then it becomes secure boot (from BROM) like HABv4 in i.MX6, but verified boot in U-Boot is different.
thanks!