On Thu, Jul 11, 2013 at 10:06 AM, Stefano Babic sbabic@denx.de wrote:
(header for Freescale's i.MX processors) to allow the usage of Freescale's tools to sign the u-boot image and provide a secure boot.
This has nothing to do with the Secure Boot extensions implemented by Simon Glass, that can be in any case used to boot later a secure image. Freescale's secure boot ensures that a signed bootloader is started only if it is verified with a key that is burned into the iMX fuses. Documentation about the Freescale's secure process can be read from the AN4591, available on the Freescale's Website.
The patchset allows to add to the imx Header the CSF (command Sequence File) generated by the tools provided by Freescale. The CSF is then simply concatenated to the u-boot image, making a signed bootloader, that the processor can verify if the fuses for the keys are burned. The processor (i.MX53 / i.MX6x) will not start a bootloader that cannot be verified - further infos how to configure the SOC to verify the bootloader can be found in the User Manual of the specific SOC.
Next step is to verify the kernel, that can be still done using Simon's patches for verified boot (CONFIG_OF_CONTROL must be set in the board configuarion file).
I didn't yet test or reviewed the patchset (will do) but I must to say a big Thank you :-) Awesome!
-- Otavio Salvador O.S. Systems http://www.ossystems.com.br http://projetos.ossystems.com.br Mobile: +55 (53) 9981-7854 Mobile: +1 (347) 903-9750