Hi,
On Fri, 2017-02-17 at 19:58 +0800, Bin Meng wrote:
On Fri, Feb 17, 2017 at 5:26 PM, Markus Valentin mv@denx.de wrote:
Hi,
i'm implementing Secure Boot with U-Boot on a Intel Atom E3800 Series (Bay Trail) based Plattform.
I did manage to get the first boot stage (Initial Boot Block) verified by the Trusted Execution Engine, next i need to verify the "ramstage" as they call it.
How did you implement the first boot stage? Is it U-Boot SPL?
No, i'm not using SPL, but maybe i should?
Currently i follow the instructions from document #558081 "Enabling Secure Boot with Intel FSP and coreboot" for Intel ® Atom TM Processor E3800 Product Family". There they state that i should extract a IBB(Initial Boot Block) which is the last 127Kib from the u-boot.rom/coreboot.rom file. IBB plus a secure boot "manifest" is the 1st stage that gets properly authenticated, copied to ram and executed(128Kib).
Intel provides a manual on how to enable Secure Boot with coreboot in this manual they extract the "ramstage" from the coreboot.rom file via cbfs.
Which manual is this?
#558081 "Enabling Secure Boot with Intel FSP and coreboot" for Intel ® Atom TM Processor E3800 Product Family"
How can i get the equivalent for the coreboot-ramstage from U-Boot?
My understanding is that since you already managed to have the hardware (TXE) successfully verify the first boot stage, the next step is all yours, which means you don't need anything like coreboot-ramstage. You can implement whatever loading/authenticating mechanism you put in the first boot stage to boot the 2nd stage.
Thats a good point, thanks. I already implemented verification in U-Boot for verification of the fit-image public-key, so i could easily adopt it.
best regards
Markus