From: Eddie James <eajames@linux.ibm.com>
To: Andrew Jeffery <andrew@aj.id.au>, openbmc@lists.ozlabs.org
Subject: Re: [PATCH u-boot v2019.04-aspeed-openbmc 3/6] ARM: ast2600: Control FIT uImage signature verification at runtime
Date: Thu, 3 Feb 2022 11:25:16 -0600 [thread overview]
Message-ID: <8abeada8-e53d-4c77-310c-478733bf4891@linux.ibm.com> (raw)
In-Reply-To: <20220131012538.73021-4-andrew@aj.id.au>
On 1/30/22 19:25, Andrew Jeffery wrote:
> Implement support for disabling signature verification of FIT images at
> runtime by sampling the "bmc-secure-boot" GPIO. If the line name is not
> provided in the devicetree then secure-boot continues to be required as
> if the feature were not present.
Reviewed-by: Eddie James <eajames@linux.ibm.com>
>
> Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
> ---
> arch/arm/mach-aspeed/ast2600/Makefile | 1 +
> arch/arm/mach-aspeed/ast2600/secure-boot.c | 53 ++++++++++++++++++++++
> 2 files changed, 54 insertions(+)
> create mode 100644 arch/arm/mach-aspeed/ast2600/secure-boot.c
>
> diff --git a/arch/arm/mach-aspeed/ast2600/Makefile b/arch/arm/mach-aspeed/ast2600/Makefile
> index d07e8c737cfe..70b7ae11df56 100644
> --- a/arch/arm/mach-aspeed/ast2600/Makefile
> +++ b/arch/arm/mach-aspeed/ast2600/Makefile
> @@ -1,4 +1,5 @@
> obj-y += platform.o board_common.o scu_info.o utils.o cache.o
> +obj-$(CONFIG_FIT_RUNTIME_SIGNATURE) += secure-boot.o
> obj-$(CONFIG_ASPEED_SECURE_BOOT) += crypto.o aspeed_verify.o
> obj-$(CONFIG_ASPEED_LOADERS) += spl_boot.o
> obj-$(CONFIG_SPL_BUILD) += spl.o
> diff --git a/arch/arm/mach-aspeed/ast2600/secure-boot.c b/arch/arm/mach-aspeed/ast2600/secure-boot.c
> new file mode 100644
> index 000000000000..ced353686387
> --- /dev/null
> +++ b/arch/arm/mach-aspeed/ast2600/secure-boot.c
> @@ -0,0 +1,53 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +// (C) Copyright IBM Corp. 2022
> +
> +#include <common.h>
> +#include <asm-generic/gpio.h>
> +#include <dm.h>
> +
> +static int aspeed_get_chained_secboot_state(void)
> +{
> + struct gpio_desc desc;
> + struct udevice *dev;
> + int secboot;
> + int rc;
> +
> + rc = uclass_get_device_by_driver(UCLASS_GPIO,
> + DM_GET_DRIVER(gpio_aspeed),
> + &dev);
> + if (rc < 0) {
> + debug("Warning: GPIO initialization failure: %d\n", rc);
> + return rc;
> + }
> +
> + rc = gpio_request_by_line_name(dev, "bmc-secure-boot", &desc,
> + GPIOD_IS_IN);
> + if (rc < 0) {
> + debug("Failed to acquire secure-boot GPIO: %d\n", rc);
> + return rc;
> + }
> +
> + secboot = dm_gpio_get_value(&desc);
> + if (secboot < 0)
> + debug("Failed to read secure-boot GPIO value: %d\n", rc);
> +
> + rc = dm_gpio_free(dev, &desc);
> + if (rc < 0)
> + debug("Failed to free secure-boot GPIO: %d\n", rc);
> +
> + return secboot;
> +}
> +
> +int board_fit_image_require_verified(void)
> +{
> + int secboot;
> +
> + secboot = aspeed_get_chained_secboot_state();
> +
> + /*
> + * If secure-boot is enabled then require signature verification.
> + * Otherwise, if we fail to read the GPIO, enforce FIT signature
> + * verification
> + */
> + return secboot >= 0 ? secboot : 1;
> +}
next prev parent reply other threads:[~2022-02-03 17:26 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-31 1:25 [PATCH u-boot v2019.04-aspeed-openbmc 0/6] Runtime control of vboot via GPIO Andrew Jeffery
2022-01-31 1:25 ` [PATCH u-boot v2019.04-aspeed-openbmc 1/6] gpio: Add gpio_request_by_line_name() Andrew Jeffery
2022-02-03 17:23 ` Eddie James
2022-01-31 1:25 ` [PATCH u-boot v2019.04-aspeed-openbmc 2/6] image: Control FIT uImage signature verification at runtime Andrew Jeffery
2022-02-03 17:22 ` Eddie James
2022-02-08 6:03 ` Joel Stanley
2022-02-08 21:58 ` Andrew Jeffery
2022-01-31 1:25 ` [PATCH u-boot v2019.04-aspeed-openbmc 3/6] ARM: ast2600: " Andrew Jeffery
2022-02-03 17:25 ` Eddie James [this message]
2022-01-31 1:25 ` [PATCH u-boot v2019.04-aspeed-openbmc 4/6] configs: ast2600: Runtime control of FIT signature verification Andrew Jeffery
2022-02-03 17:27 ` Eddie James
2022-01-31 1:25 ` [PATCH u-boot v2019.04-aspeed-openbmc 5/6] ARM: dts: rainier: Add gpio-line-names property with bmc-secure-boot Andrew Jeffery
2022-02-03 17:28 ` Eddie James
2022-01-31 1:25 ` [PATCH u-boot v2019.04-aspeed-openbmc 6/6] image: Fix indentation of macros Andrew Jeffery
2022-02-03 17:29 ` Eddie James
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8abeada8-e53d-4c77-310c-478733bf4891@linux.ibm.com \
--to=eajames@linux.ibm.com \
--cc=andrew@aj.id.au \
--cc=openbmc@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).