From: Tan, Ley Foon <ley.foon.tan@intel.com>
To: u-boot@lists.denx.de
Subject: [v5 2/7] arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
Date: Fri, 5 Mar 2021 09:09:52 +0000
Message-ID: <BY5PR11MB3893C4BB56243E976020F810CC969@BY5PR11MB3893.namprd11.prod.outlook.com>
In-Reply-To: <20210301120416.46453-3-elly.siew.chin.lim@intel.com>



> -----Original Message-----
> From: Lim, Elly Siew Chin <elly.siew.chin.lim@intel.com>
> Sent: Monday, March 1, 2021 8:04 PM
> To: u-boot at lists.denx.de
> Cc: Marek Vasut <marex@denx.de>; Tan, Ley Foon
> <ley.foon.tan@intel.com>; See, Chin Liang <chin.liang.see@intel.com>;
> Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>; Chee, Tien Fong
> <tien.fong.chee@intel.com>; Westergreen, Dalon
> <dalon.westergreen@intel.com>; Simon Glass <sjg@chromium.org>; Gan,
> Yau Wai <yau.wai.gan@intel.com>; Lim, Elly Siew Chin
> <elly.siew.chin.lim@intel.com>
> Subject: [v5 2/7] arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
> 
> Vendor Authorized Boot is a security feature for authenticating images
> such as U-Boot, ARM Trusted Firmware, Linux kernel, device tree blob,
> etc. loaded from FIT. After those images are loaded from FIT, the VAB
> certificate and signature block appended at the end of each image are sent
> to Secure Device Manager (SDM) for authentication. U-Boot will validate the
> SHA384 of the image against the SHA384 hash stored in the VAB certificate
> before sending the image to SDM for authentication.
> 
> Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
> 
> ---
> v5:
> - In arch/arm/mach-socfpga/board.c
>   - Move '#if IS_ENABLED(CONFIG_SOCFPGA_SECURE_VAB_AUTH)' inside board_fit_image_post_process function.
>   - Move '#if IS_ENABLED(CONFIG_SPL_BUID)' outside board_prep_linux function.
> 
> v4:
> - Move function 'board_fit_image_post_process' and 'board_prep_linux'
>   from secure_vab.c to board.c.
> ---
>  arch/arm/mach-socfpga/Kconfig                    |  15 ++
>  arch/arm/mach-socfpga/Makefile                   |   2 +
>  arch/arm/mach-socfpga/board.c                    |  45 +++++-
>  arch/arm/mach-socfpga/include/mach/mailbox_s10.h |   1 +
>  arch/arm/mach-socfpga/include/mach/secure_vab.h  |  63 ++++++++
>  arch/arm/mach-socfpga/secure_vab.c               | 186 +++++++++++++++++++++++
>  common/Kconfig.boot                              |   2 +-
>  7 files changed, 309 insertions(+), 5 deletions(-)
>  create mode 100644 arch/arm/mach-socfpga/include/mach/secure_vab.h
>  create mode 100644 arch/arm/mach-socfpga/secure_vab.c
> 

Reviewed-by: Ley Foon Tan <ley.foon.tan@intel.com>
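
The pre-check described in the quoted commit message (comparing the loaded image's SHA384 with the hash carried in the appended certificate before anything is handed to the SDM), as an added example that is not part of this thread or of the U-Boot patch. The blob layout, `MAGIC`, and all function names are hypothetical; the real VAB certificate format is not shown on this page.

```python
import hashlib
import hmac
import struct

# Hypothetical layout for this example (NOT the real VAB certificate format):
#   blob = image || cert || u32 little-endian length of cert
#   cert = MAGIC (4 bytes) || SHA-384 of image (48 bytes) || signature block
MAGIC = b"DEMO"                           # constructed placeholder value
HASH_LEN = hashlib.sha384().digest_size   # 48 bytes
TRAILER_LEN = 4


class VabPrecheckError(ValueError):
    """Raised when the blob must not be forwarded for authentication."""


def split_and_check(blob):
    """Return (image, cert) only if the certificate's SHA-384 matches the image."""
    if len(blob) < TRAILER_LEN + len(MAGIC) + HASH_LEN:
        raise VabPrecheckError("blob too short to hold a certificate")
    body_len = len(blob) - TRAILER_LEN
    (cert_len,) = struct.unpack_from("<I", blob, body_len)
    # cert_len is read from untrusted data: bound it before slicing with it.
    if cert_len < len(MAGIC) + HASH_LEN or cert_len > body_len:
        raise VabPrecheckError("certificate length out of range")
    image = blob[:body_len - cert_len]
    cert = blob[body_len - cert_len:body_len]
    if cert[:len(MAGIC)] != MAGIC:
        raise VabPrecheckError("bad certificate magic")
    stored = cert[len(MAGIC):len(MAGIC) + HASH_LEN]
    # Constant-time comparison of the computed and stored digests.
    if not hmac.compare_digest(hashlib.sha384(image).digest(), stored):
        raise VabPrecheckError("SHA-384 mismatch")
    return image, cert


def build_sample(image, sig=b"\x00" * 16):
    """Build a constructed sample blob in the hypothetical layout above."""
    cert = MAGIC + hashlib.sha384(image).digest() + sig
    return image + cert + struct.pack("<I", len(cert))
```

A matching hash only shows that the image and certificate belong together, since anyone who can modify the image can recompute the hash; authenticity comes from the SDM verifying the certificate's signature block.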

Thread overview: 9+ messages
2021-03-01 12:04 [v5 0/7] Add Vendor Authorized Boot (VAB) support Siew Chin Lim
2021-03-01 12:04 ` [v5 1/7] arm: socfpga: Move Stratix10 and Agilex to use TARGET_SOCFPGA_SOC64 Siew Chin Lim
2021-03-01 12:04 ` [v5 2/7] arm: socfpga: soc64: Support Vendor Authorized Boot (VAB) Siew Chin Lim
2021-03-05  9:09   ` Tan, Ley Foon [this message]
2021-03-01 12:04 ` [v5 3/7] arm: socfpga: cmd: Support 'vab' command Siew Chin Lim
2021-03-01 12:04 ` [v5 4/7] arm: socfpga: dts: soc64: Update filename in binman node of FIT image with VAB support Siew Chin Lim
2021-03-01 12:04 ` [v5 5/7] configs: socfpga: soc64: Move CONFIG_BOOTCOMMAND to defconfig Siew Chin Lim
2021-03-01 12:04 ` [v5 6/7] configs: socfpga: Add defconfig for Agilex with VAB support Siew Chin Lim
2021-03-01 12:04 ` [v5 7/7] Makefile: socfpga: Add target to generate hex output for combined spl and dtb Siew Chin Lim
