Thanks Stefano,
On 07/11/2013 06:06 AM, Stefano Babic wrote:
(header for Freescale's i.MX processors) to allow the usage of Freescale's tools to sign the u-boot image and provide a secure boot.
This has nothing to do with the Secure Boot extensions implemented by Simon Glass, that can be in any case used to boot later a secure image. Freescale's secure boot ensures that a signed bootloader is started only if it is verified with a key that is burned into the iMX fuses. Documentation about the Freescale's secure process can be read from the AN4591, available on the Freescale's Website.
The patchset allows to add to the imx Header the CSF (command Sequence File) generated by the tools provided by Freescale. The CSF is then simply concatenated to the u-boot image, making a signed bootloader, that the processor can verify if the fuses for the keys are burned. The processor (i.MX53 / i.MX6x) will not start a bootloader that cannot be verified - further infos how to configure the SOC to verify the bootloader can be found in the User Manual of the specific SOC.
Next step is to verify the kernel, that can be still done using Simon's patches for verified boot (CONFIG_OF_CONTROL must be set in the board configuarion file).
I compile-tested the series against all of our boards (boundary/boundary/* and board/freescale/mx6qsabrelite).
Run-time tests (without signing) against nitrogen6s (solo) and nitrogen6q (quad). Both ran without a hitch.
Now we need to get configured for signing and burn some fuses!