
Hi everyone,
I want to implement a minimal secure boot architecture into u-boot by letting the u-boot.img be decrypted during SPL execution. Thus, the u-boot.img is present on the MMC in an encrypted version. I already implemented a basic AES-128 en-/decryption algorithm into the SPL.
Everything will be implemented on a PandaBoard (OMAP4460). Now my questions are:
1.) What would be the general architecture? u-boot.img is loaded into external memory (DRAM) at address 0x80100000. To decrypt it, the whole file needs to be processed by SPL, which will not be able to load the data since the SPL cannot exceed a certain size (~49 kByte I guess).
-> Thus, would it be somehow possible to implement the algorithm in the SPL but let the u-boot.img data be stored in DRAM for processing?
2.) Furthermore, where could be a good place to put the actual algorithm in? I figured that in my situation the function call flow is something like this:
... > omap_boot_device() > boot_device() > spl_mmc_load_image() > mmc_load_image_fat > file_fat_read() > do_fat_read()
_jump_to_image_noargs() where u-boot.img is eventually called using the
image_entry() function.
Thanks a lot, -b
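
The approach question 1 asks about, as an added example that is not part of the original post or of U-Boot: the image stays in DRAM and is decrypted in place one 16-byte block at a time, so SPL needs only two block-sized scratch buffers. CBC mode, the `blk_dec_fn` callback, and the toy cipher (a constructed stand-in for the poster's AES-128 routine, not secure) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLK 16 /* AES block size in bytes */

/* Hypothetical hook: in SPL this would point at the existing AES-128 block decrypt. */
typedef void (*blk_dec_fn)(const uint8_t *key, const uint8_t *in, uint8_t *out);

/* Constructed toy cipher so the example runs stand-alone. NOT AES, NOT secure. */
static void toy_enc(const uint8_t *key, const uint8_t *in, uint8_t *out) {
    for (int i = 0; i < BLK; i++) out[i] = (uint8_t)((in[i] ^ key[i]) + i);
}
static void toy_dec(const uint8_t *key, const uint8_t *in, uint8_t *out) {
    for (int i = 0; i < BLK; i++) out[i] = (uint8_t)((uint8_t)(in[i] - i) ^ key[i]);
}

/* Decrypt a CBC-encrypted image in place. buf points into DRAM; only prev/cur
 * (32 bytes) live on the SPL stack. Returns 0 on success, -1 on a bad length. */
int cbc_decrypt_in_place(uint8_t *buf, size_t len, const uint8_t *key,
                         const uint8_t *iv, blk_dec_fn dec)
{
    uint8_t prev[BLK], cur[BLK];
    if (!buf || len == 0 || len % BLK) return -1;
    memcpy(prev, iv, BLK);
    for (size_t off = 0; off < len; off += BLK) {
        memcpy(cur, buf + off, BLK);      /* keep ciphertext before overwriting it */
        dec(key, cur, buf + off);         /* block decrypt straight into DRAM */
        for (int i = 0; i < BLK; i++) buf[off + i] ^= prev[i];
        memcpy(prev, cur, BLK);           /* chaining value for the next block */
    }
    return 0;
}

/* Round trip on a constructed 64-byte "image": encrypt as the host tool would, then decrypt. */
int selftest(void) {
    uint8_t key[BLK], iv[BLK], img[64], ref[64], prev[BLK];
    for (int i = 0; i < BLK; i++) { key[i] = (uint8_t)(0xA0 + i); iv[i] = (uint8_t)(i * 7); }
    for (int i = 0; i < 64; i++) ref[i] = img[i] = (uint8_t)(i * 3 + 1);
    memcpy(prev, iv, BLK);
    for (size_t off = 0; off < 64; off += BLK) {
        for (int i = 0; i < BLK; i++) img[off + i] ^= prev[i];
        toy_enc(key, img + off, img + off);
        memcpy(prev, img + off, BLK);
    }
    if (cbc_decrypt_in_place(img, 64, key, iv, toy_dec)) return -1;
    return memcmp(img, ref, 64) ? -1 : 0;
}
```

In SPL, `buf` would be the DRAM load address (0x80100000 in the post) and `dec` the AES-128 block routine; CBC decryption alone does not authenticate the image.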