From: Joel Stanley <joel@jms.id.au>
To: Sandhya Koteshwara <Sandhya.Koteshwara@ibm.com>,
	OpenBMC Maillist <openbmc@lists.ozlabs.org>
Cc: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Subject: Re: [PATCH u-boot v2019.04-aspeed-openbmc v2 00/10] Use HACE to accelerate sha512
Date: Wed, 21 Apr 2021 02:02:56 +0000
Message-ID: <CACPK8XenOTqEs96mOpEsH2rvs=1Fn88d8ATSR6Tjio2Bmj1N9w@mail.gmail.com>
In-Reply-To: <OF2C524D29.DA2BBB20-ON002586BD.00695579-002586BD.006F66D8@notes.na.collabserv.com>

On Tue, 20 Apr 2021 at 20:16, Sandhya Koteshwara
<Sandhya.Koteshwara@ibm.com> wrote:
>
> Hi Joel,
>
> I am looking at the patches and confused by this: This is only applicable for MMC booting, as the HACE cannot be used to hash directly from the memory mapped SPI NOR.
>
> From my understanding, when secure boot is enabled in AST2600, the secure boot microprocessor & ROM code copy the RoT image (either from SPI or eMMC) to SRAM before integrity check is performed. Subsequent CoT images are copied to DRAM before integrity check. Why is the same process not applicable here and why is there a need to hash directly from SPI?

Your understanding is correct, for Aspeed's secure boot solution.
However we are not using that in this case (except for the initial
image; the SPL). Once we have the SPL loaded we instead use the
verification features in u-boot. This means we use the generic FIT
loader code in common/.

If someone has a use case where they want to use the u-boot boot
infrastructure to boot from NOR, then they could submit patches to
modify the infrastructure to first copy the FIT to DRAM, and then
perform verification.

Cheers,

Joel

>
> Thanks,
> Sandhya
>
>
> ----- Original message -----
> From: Joel Stanley <joel@jms.id.au>
> Sent by: "openbmc" <openbmc-bounces+sandhya.koteshwara=ibm.com@lists.ozlabs.org>
> To: openbmc@lists.ozlabs.org, Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>, Andrew Jeffery <andrew@aj.id.au>
> Cc: "Cédric Le Goater" <clg@kaod.org>
> Subject: [EXTERNAL] [PATCH u-boot v2019.04-aspeed-openbmc v2 00/10] Use HACE to accelerate sha512
> Date: Tue, Apr 20, 2021 2:47 AM
>
> This series adds support to u-boot for using the HACE hardware in the
> AST2600 to perform SHA hashing during boot, and enables the SPL features
> to load u-boot as a signed FIT.
>
> This is only applicable for MMC booting, as the HACE cannot be used to
> hash directly from the memory mapped SPI NOR.
>
> These have been tested with Cédric's aspeed-6.0 Qemu tree. You can
> reproduce using the script in this repository:
>
>  https://github.com/shenki/qemu-boot-test
>
> Joel Stanley (10):
>   configs/ast2600: Make early malloc pool larger
>   crypto: Add driver for Aspeed HACE
>   ast2600: Enable HACE probing in SPL
>   ast2600: Add HACE to device tree
>   ast2600: spl: Remove SECBOOT BL2 kconfig option
>   ast2600: spl: Add ASPEED_LOADERS option
>   ast2600: spl: Support common boot loader features
>   config: ast2600: Configure common MMC SPL loader
>   configs: ast2600: Enable FIT SHA512 support
>   config: ast2600: Disable SPL raw image support
>
>  arch/arm/dts/ast2600-rainier.dts           |   5 +
>  arch/arm/dts/ast2600-tacoma.dts            |   5 +
>  arch/arm/dts/ast2600.dtsi                  |   9 +
>  arch/arm/dts/ast2600a1-evb.dts             |   4 +
>  arch/arm/mach-aspeed/Kconfig               |  15 ++
>  arch/arm/mach-aspeed/ast2600/Kconfig       |  12 -
>  arch/arm/mach-aspeed/ast2600/Makefile      |   6 +-
>  arch/arm/mach-aspeed/ast2600/spl.c         |  30 +++
>  arch/arm/mach-aspeed/ast2600/spl_boot.c    |  17 +-
>  configs/ast2600_openbmc_spl_emmc_defconfig |  24 +-
>  drivers/crypto/Kconfig                     |  19 ++
>  drivers/crypto/Makefile                    |   1 +
>  drivers/crypto/aspeed_hace.c               | 266 +++++++++++++++++++++
>  13 files changed, 375 insertions(+), 38 deletions(-)
>  create mode 100644 drivers/crypto/aspeed_hace.c
>
> --
> 2.30.2
>
>
>
>
