From: Matthew Lear
Date: Wed, 24 Jun 2009 15:16:05 +0100
Subject: [U-Boot] U-book and GPLv3? (fwd)
In-Reply-To:
References: <20090618145128.69F27832E416@gemini.denx.de> <20090623192634.GB23560@b07421-ec1.am.freescale.net> <200906231541.54291.vapier@gentoo.org> <20090623211459.GL23512@game.jcrosoft.org>
Message-ID: <12fb2e608911e671661778990f2f793e.squirrel@webmail.plus.net>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Hi Detlev,

> What exactly is secure boot?

Jean-Christophe - if I may interject...

Embedded systems using core SoC silicon from a number of manufacturers have started to use what is known as 'secure boot'. This is typically the case in applications which utilise conditional access system software to protect content. The emphasis on using secure boot is largely driven by the conditional access industry itself.

Secure boot basically means that internally in the SoC, fuses are blown that provide some semblance of a low-level hw signature. This signature is combined with additional information from a conditional access / security vendor who may provide tools/utilities for 'signing' bootloader and/or application software binary code images.

Consider the case where the SoC is boot-strapped by low-level 'secure boot' code. Even before the bootloader's main() is entered, the boot code validates the image using secure features such as private keys. If validation succeeds, the platform bootstrap continues to main().

If the licensing of U-Boot changed and U-Boot contained secure boot code and/or features such as these in its low-level bootstrap code, it is feasible that the secure features would have to be made public, and thus there would be a rather large security flaw.

> Don't you mistake "security" for "authenticity"?

In this context, I believe both terms are interchangeable and effectively mean the same thing.
It is secure because only authenticated code is allowed to be executed, thus another step to avoid piracy, hacking of conditional access systems etc.

Hope that helps.

Cheers,
-- Matt
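The bootstrap sequence described above, written out as an added example that is not U-Boot code and not from anyone in this thread: the SoC fuses hold a hash of the vendor's signing public key, the image carries that key plus a signature from the vendor's signing tool, and the boot ROM refuses to continue to main() unless the key matches the fuses and the signature verifies. The type and function names (FusedKeyHash, Image, ProvisionVendor, SignImage, BootROMValidate), the choice of Ed25519 with SHA-256, and the payload bytes are assumptions of this example; note that the device-side check needs only the public key, so the verification code can be published without exposing any secret.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FusedKeyHash models the SoC fuses: a hash of the vendor's public key, never a private key.
type FusedKeyHash [sha256.Size]byte

type Image struct {
	PubKey    ed25519.PublicKey // key the image claims it was signed with
	Signature []byte            // produced by the vendor's offline signing tool
	Payload   []byte            // bootloader code covered by Signature
}

var ErrKeyMismatch, ErrBadSig = errors.New("key hash does not match fuses"), errors.New("image signature invalid")

// ProvisionVendor makes a vendor key pair and the matching fuse value; the private half stays with the vendor.
func ProvisionVendor() (FusedKeyHash, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand, which cannot return an error in Go 1.24+
	return FusedKeyHash(sha256.Sum256(pub)), priv
}

// SignImage stands in for the vendor's signing utility (assumed name, not a real tool).
func SignImage(priv ed25519.PrivateKey, payload []byte) Image {
	pub := priv.Public().(ed25519.PublicKey)
	return Image{PubKey: pub, Signature: ed25519.Sign(priv, payload), Payload: payload}
}

// BootROMValidate is the pre-main() check; only a nil result lets bootstrap continue to main().
func BootROMValidate(fuse FusedKeyHash, img Image) error {
	if FusedKeyHash(sha256.Sum256(img.PubKey)) != fuse {
		return ErrKeyMismatch // key not bound to this SoC: Verify is never even reached
	}
	if !ed25519.Verify(img.PubKey, img.Payload, img.Signature) {
		return ErrBadSig // payload or signature altered after signing
	}
	return nil
}

func main() {
	fuse, priv := ProvisionVendor()
	img := SignImage(priv, []byte("constructed bootloader payload"))
	fmt.Println("genuine:", BootROMValidate(fuse, img)) // <nil>
	img.Payload[0] ^= 1                                 // flip one bit after signing
	fmt.Println("tampered:", BootROMValidate(fuse, img)) // image signature invalid
}
```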