
There are two phases in Secure Boot
1. ISBC: In BootROM, validate the BootLoader (U-Boot).
2. ESBC: In U-Boot, continuing the Chain of Trust by validating and booting LINUX.
For ESBC phase, there is no difference in SoC's based on ARM or PowerPC cores.
But the exit conditions after ISBC phase i.e. entry conditions for U-Boot are different for ARM and PowerPC.

PowerPC:
========
If Secure Boot is executed, a separate U-Boot target is required which must be compiled with a different Text Base as compared to Non-Secure Boot. There are some LAW and TLB settings which are required specifically for Secure Boot scenario.

ARM:
====
ARM based SoC's have a fixed memory map and exit conditions from BootROM are same irrespective of boot mode (Secure or Non-Secure).
This patchset is aimed at removing the requirement for a separate Secure Boot target for ARM based SoC's.
Another Security Requirement for running CHAIN_OF_TRUST is that U-Boot environment must not be picked from flash/external memory. This cannot be done based on bootmode at run time in current U-Boot architecture. Once this dependency is resolved, no separate SECURE_BOOT target will be required for ARM based SoC's.
Currently, the only code under CONFIG_SECURE_BOOT for ARM SoC's is defining CONFIG_ENV_IS_NOWHERE
The patches have been tested on LS1043, LS1021, P3041 and T1024.
The patch set is dependent on following: http://patchwork.ozlabs.org/patch/553826/

Aneesh Bansal (7):
  include/configs: make secure boot header file include uniform
  include/configs: move definition of CONFIG_CMD_BLOB
  SECURE_BOOT: split the secure boot functionality in two parts
  create function to determine boot mode
  enable chain of trust for ARM platforms
  enable chain of trust for PowerPC platforms
  SECURE_BOOT: change error handler for esbc_validate

 arch/arm/cpu/armv8/fsl-layerscape/soc.c | 4 +
 .../include/asm/arch-fsl-layerscape/immap_lsch2.h | 3 +
 arch/arm/include/asm/arch-ls102xa/immap_ls102xa.h | 2 +
 arch/arm/include/asm/fsl_secure_boot.h | 20 +++-
 arch/powerpc/cpu/mpc85xx/cpu_init.c | 12 +++
 arch/powerpc/include/asm/fsl_secure_boot.h | 47 ++++++---
 arch/powerpc/include/asm/immap_85xx.h | 3 +
 board/freescale/common/Makefile | 1 +
 board/freescale/common/cmd_esbc_validate.c | 7 +-
 board/freescale/common/fsl_chain_of_trust.c | 70 +++++++++++++
 board/freescale/common/fsl_validate.c | 7 ++
 board/freescale/ls1021aqds/ls1021aqds.c | 4 +
 board/freescale/ls1021atwr/ls1021atwr.c | 4 +
 include/config_fsl_chain_trust.h | 101 ++++++++++++++++++
 include/config_fsl_secboot.h | 116 ---------------------
 include/configs/B4860QDS.h | 4 -
 include/configs/BSC9132QDS.h | 4 -
 include/configs/P1010RDB.h | 4 -
 include/configs/P2041RDB.h | 4 -
 include/configs/T102xQDS.h | 10 +-
 include/configs/T102xRDB.h | 10 +-
 include/configs/T1040QDS.h | 3 -
 include/configs/T104xRDB.h | 3 -
 include/configs/T208xQDS.h | 4 -
 include/configs/T208xRDB.h | 4 -
 include/configs/T4240QDS.h | 4 -
 include/configs/T4240RDB.h | 9 --
 include/configs/corenet_ds.h | 4 -
 include/configs/ls1021aqds.h | 5 +-
 include/configs/ls1021atwr.h | 5 +-
 include/configs/ls1043a_common.h | 8 ++
 include/configs/ls1043aqds.h | 2 +
 include/configs/ls1043ardb.h | 8 --
 include/fsl_validate.h | 2 +
 34 files changed, 295 insertions(+), 203 deletions(-)
 create mode 100644 board/freescale/common/fsl_chain_of_trust.c
 create mode 100644 include/config_fsl_chain_trust.h
 delete mode 100644 include/config_fsl_secboot.h