This patch series makes the hardware mechanisms for verified boot on Bay Trail based platforms usable in/for U-Boot. The series brings in binman extension which allows to easily create and assemble a Secure Boot Manifest in the U-Boot ROM image. The manifest gets utilized by the Trusted Execution Engine on the SoC.

Anatolij Gustschin (2): binman: add optional support for U-Boot image signing binman: add ROM image signing for Bay Trail SoC

Markus Valentin (4): x86: baytrail: Add fsp-header verification for secure boot FSP x86: baytrail: secureboot: Add functions for verification of U-Boot x86: congatec: add secureboot enabled defconfig for conga-qeval20-qa3-e3845 doc: x86: Add section about secure boot on Bay Trail

arch/x86/Kconfig | 3 +- arch/x86/cpu/baytrail/Kconfig | 10 + arch/x86/cpu/baytrail/Makefile | 1 + arch/x86/cpu/baytrail/secure_boot.c | 117 ++++++++ arch/x86/dts/u-boot.dtsi | 7 + .../include/asm/arch-baytrail/fsp/fsp_configs.h | 24 ++ arch/x86/include/asm/fsp/fsp_support.h | 2 + arch/x86/lib/fsp/fsp_support.c | 42 +++ ...0-qa3-e3845-internal-uart-secure-boot_defconfig | 60 ++++ doc/README.x86 | 49 ++++ tools/binman/binman.py | 3 + tools/binman/cmdline.py | 2 + tools/binman/control.py | 1 + tools/binman/image.py | 23 ++ tools/binman/signing/baytrail.py | 313 +++++++++++++++++++++ tools/binman/signing/signer.py | 24 ++ 16 files changed, 680 insertions(+), 1 deletion(-) create mode 100644 arch/x86/cpu/baytrail/secure_boot.c create mode 100644 configs/conga-qeval20-qa3-e3845-internal-uart-secure-boot_defconfig create mode 100644 tools/binman/signing/baytrail.py create mode 100644 tools/binman/signing/signer.py