Re: [U-Boot] [PATCH v3 1/6] x86: baytrail: Add fsp-header verification for secure boot FSP

2017-11-28 Thread Anatolij Gustschin 
Hi Bin,

On Tue, 21 Nov 2017 23:01:08 +0800
Bin Meng bmeng...@gmail.com wrote:
...
> > --- a/arch/x86/Kconfig
> > +++ b/arch/x86/Kconfig
> > @@ -350,7 +350,8 @@ config HAVE_FSP
> >  config FSP_FILE
> > string "Firmware Support Package binary filename"
> > depends on HAVE_FSP
> > -   default "fsp.bin"
> > +   default "fsp.bin" if !BAYTRAIL_SECURE_BOOT
> > +   default "fsp-sb.bin" if BAYTRAIL_SECURE_BOOT  
> 
> Since this Kconfig is generic to all x86, can we introduce a generic
> name here, something like:
> 
> default "fsp-sb.bin" if SECURE_BOOT
> 
> Then in the arch/x86/cpu/baytrail/Kconfig, we can have:
> 
> config BAYTRAIL_SECURE_BOOT
> depends on HAVE_FSP
> depends on SECURE_BOOT
> default y if SECURE_BOOT

Ok, will rework in v4.

> Does U-Boot have any generic Kconfig option for secure boot?

No, currently there is not such generic option. But CONFIG_SECURE_BOOT
is used in some powerpc and arm configs. I'll add the generic option
to the top level Kconfig.
 
...
> > @@ -130,6 +140,20 @@ void fsp_init(u32 stack_top, u32 boot_mode, void 
> > *nvs_buf)
> >
> > fsp_upd = _data.fsp_upd;
> >
> > +   /*
> > +* On some platforms there is no 'enable_secure_boot' field
> > +* in VPD region struct, so we have to use ifdef here.
> > +*/
> > +   #ifdef CONFIG_BAYTRAIL_SECURE_BOOT
> > +   /*
> > +* If the enable secure boot flag is not 1, secure boot has not
> > +* been activated in the FSP which results in the TXE-Engine not
> > +* getting loaded
> > +*/
> > +   printf("FSP: Secure Boot %sabled\n",
> > +  fsp_vpd->enable_secure_boot == 1 ? "en" : "dis");
> > +   #endif
> > +  
> 
> Can we introduce some APIs like fsp_secure_boot_check() and move the
> above 2 blocks into baytrail directory that implements the API?

this makes sense, thanks. I'll add it as fsp_verify_boot_image() API
function that is empty when SECURE_BOOT not enabled.

Thanks,
Anatolij
___
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot

Re: [U-Boot] [PATCH v3 1/6] x86: baytrail: Add fsp-header verification for secure boot FSP

2017-11-21 Thread Bin Meng 
Hi Anatolij,

On Fri, Nov 17, 2017 at 9:13 AM, Anatolij Gustschin  wrote:
> From: Markus Valentin 
>
> Introduce a new Kconfig variable for secure boot on Bay Trail based
> platforms. If this variable is set, the build process tries to use
> fsp-sb.bin instead of fsp.bin (-sb is the secure boot enabled FSP).
>
> Also check the two FSP headers against each other and print if secure
> boot is enabled or not.
>
> Signed-off-by: Markus Valentin 
> Signed-off-by: Anatolij Gustschin 
> ---
> Changes in v3:
>  - move BAYTRAIL_SECURE_BOOT to arch/x86/cpu/baytrail/Kconfig
>  - Kconfig help text improvements
>  - fix crownbay build breakage
>
> Changes in v2:
>  - use if (IS_ENABLED(CONFIG_*)) instead of #ifdef
>  - s/SB/Secure Boot/
>  - minor Kconfig help cleanup
>
>  arch/x86/Kconfig   |  3 ++-
>  arch/x86/cpu/baytrail/Kconfig  | 10 ++
>  arch/x86/include/asm/fsp/fsp_support.h |  2 ++
>  arch/x86/lib/fsp/fsp_support.c | 24 
>  4 files changed, 38 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 98c56ad7dc..6755e92748 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -350,7 +350,8 @@ config HAVE_FSP
>  config FSP_FILE
> string "Firmware Support Package binary filename"
> depends on HAVE_FSP
> -   default "fsp.bin"
> +   default "fsp.bin" if !BAYTRAIL_SECURE_BOOT
> +   default "fsp-sb.bin" if BAYTRAIL_SECURE_BOOT

Since this Kconfig is generic to all x86, can we introduce a generic
name here, something like:

default "fsp-sb.bin" if SECURE_BOOT

Then in the arch/x86/cpu/baytrail/Kconfig, we can have:

config BAYTRAIL_SECURE_BOOT
depends on HAVE_FSP
depends on SECURE_BOOT
default y if SECURE_BOOT

Does U-Boot have any generic Kconfig option for secure boot?

> help
>   The filename of the file to use as Firmware Support Package binary
>   in the board directory.
> diff --git a/arch/x86/cpu/baytrail/Kconfig b/arch/x86/cpu/baytrail/Kconfig
> index 1d876b1927..ff244fcd68 100644
> --- a/arch/x86/cpu/baytrail/Kconfig
> +++ b/arch/x86/cpu/baytrail/Kconfig
> @@ -39,4 +39,14 @@ config DEBUG_UART
> bool
> select DEBUG_UART_BOARD_INIT
>
> +config BAYTRAIL_SECURE_BOOT
> +   bool "Enable Secure Boot on Bay Trail"
> +   depends on HAVE_FSP
> +   default n
> +   help
> + Use the secure boot feature of the Bay Trail platform. This switch
> + enables the usage of the secure-boot enabled fsp.bin (fsp-sb.bin).
> + For your board you need to provide this yourself. You can 
> reconfigure
> + your FSP with the Intel BCT tool to enable secure boot.
> +
>  endif
> diff --git a/arch/x86/include/asm/fsp/fsp_support.h 
> b/arch/x86/include/asm/fsp/fsp_support.h
> index df3add008c..124a4148a0 100644
> --- a/arch/x86/include/asm/fsp/fsp_support.h
> +++ b/arch/x86/include/asm/fsp/fsp_support.h
> @@ -22,6 +22,8 @@
>  #define FSP_LOWMEM_BASE0x10UL
>  #define FSP_HIGHMEM_BASE   0x1ULL
>  #define UPD_TERMINATOR 0x55AA
> +#define FSP_FIRST_HEADER_OFFSET0x94
> +#define FSP_SECOND_HEADER_OFFSET   0x20494
>
>
>  /**
> diff --git a/arch/x86/lib/fsp/fsp_support.c b/arch/x86/lib/fsp/fsp_support.c
> index e0c49be635..d79a6e900a 100644
> --- a/arch/x86/lib/fsp/fsp_support.c
> +++ b/arch/x86/lib/fsp/fsp_support.c
> @@ -97,6 +97,8 @@ void fsp_continue(u32 status, void *hob_list)
> fsp_init_done(hob_list);
>  }
>
> +#define SB_PRFX"Secure Boot:"
> +
>  void fsp_init(u32 stack_top, u32 boot_mode, void *nvs_buf)
>  {
> struct fsp_config_data config_data;
> @@ -116,6 +118,14 @@ void fsp_init(u32 stack_top, u32 boot_mode, void 
> *nvs_buf)
> panic("Invalid FSP header");
> }
>
> +   if (IS_ENABLED(CONFIG_BAYTRAIL_SECURE_BOOT)) {
> +   /* Compare primary and secondary header */
> +   if (memcmp((void *)(CONFIG_FSP_ADDR + 
> FSP_FIRST_HEADER_OFFSET),
> +  (void *)(CONFIG_FSP_ADDR + 
> FSP_SECOND_HEADER_OFFSET),
> +  fsp_hdr->hdr_len))
> +   panic("%s 1st & 2nd FSP headers don't match", 
> SB_PRFX);
> +   }
> +
> config_data.common.fsp_hdr = fsp_hdr;
> config_data.common.stack_top = stack_top;
> config_data.common.boot_mode = boot_mode;
> @@ -130,6 +140,20 @@ void fsp_init(u32 stack_top, u32 boot_mode, void 
> *nvs_buf)
>
> fsp_upd = _data.fsp_upd;
>
> +   /*
> +* On some platforms there is no 'enable_secure_boot' field
> +* in VPD region struct, so we have to use ifdef here.
> +*/
> +   #ifdef CONFIG_BAYTRAIL_SECURE_BOOT
> +   /*
> +* If the enable secure boot flag is not 1, secure boot has not
> +* been activated in the FSP which results in the TXE-Engine

Re: [U-Boot] [PATCH v3 1/6] x86: baytrail: Add fsp-header verification for secure boot FSP

2017-11-20 Thread Simon Glass 
On 16 November 2017 at 18:13, Anatolij Gustschin  wrote:
> From: Markus Valentin 
>
> Introduce a new Kconfig variable for secure boot on Bay Trail based
> platforms. If this variable is set, the build process tries to use
> fsp-sb.bin instead of fsp.bin (-sb is the secure boot enabled FSP).
>
> Also check the two FSP headers against each other and print if secure
> boot is enabled or not.
>
> Signed-off-by: Markus Valentin 
> Signed-off-by: Anatolij Gustschin 
> ---
> Changes in v3:
>  - move BAYTRAIL_SECURE_BOOT to arch/x86/cpu/baytrail/Kconfig
>  - Kconfig help text improvements
>  - fix crownbay build breakage
>
> Changes in v2:
>  - use if (IS_ENABLED(CONFIG_*)) instead of #ifdef
>  - s/SB/Secure Boot/
>  - minor Kconfig help cleanup
>
>  arch/x86/Kconfig   |  3 ++-
>  arch/x86/cpu/baytrail/Kconfig  | 10 ++
>  arch/x86/include/asm/fsp/fsp_support.h |  2 ++
>  arch/x86/lib/fsp/fsp_support.c | 24 
>  4 files changed, 38 insertions(+), 1 deletion(-)

Reviewed-by: Simon Glass 
___
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot

[U-Boot] [PATCH v3 1/6] x86: baytrail: Add fsp-header verification for secure boot FSP

2017-11-16 Thread Anatolij Gustschin 
From: Markus Valentin 

Introduce a new Kconfig variable for secure boot on Bay Trail based
platforms. If this variable is set, the build process tries to use
fsp-sb.bin instead of fsp.bin (-sb is the secure boot enabled FSP).

Also check the two FSP headers against each other and print if secure
boot is enabled or not.

Signed-off-by: Markus Valentin 
Signed-off-by: Anatolij Gustschin 
---
Changes in v3:
 - move BAYTRAIL_SECURE_BOOT to arch/x86/cpu/baytrail/Kconfig
 - Kconfig help text improvements
 - fix crownbay build breakage

Changes in v2:
 - use if (IS_ENABLED(CONFIG_*)) instead of #ifdef
 - s/SB/Secure Boot/
 - minor Kconfig help cleanup

 arch/x86/Kconfig   |  3 ++-
 arch/x86/cpu/baytrail/Kconfig  | 10 ++
 arch/x86/include/asm/fsp/fsp_support.h |  2 ++
 arch/x86/lib/fsp/fsp_support.c | 24 
 4 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 98c56ad7dc..6755e92748 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -350,7 +350,8 @@ config HAVE_FSP
 config FSP_FILE
string "Firmware Support Package binary filename"
depends on HAVE_FSP
-   default "fsp.bin"
+   default "fsp.bin" if !BAYTRAIL_SECURE_BOOT
+   default "fsp-sb.bin" if BAYTRAIL_SECURE_BOOT
help
  The filename of the file to use as Firmware Support Package binary
  in the board directory.
diff --git a/arch/x86/cpu/baytrail/Kconfig b/arch/x86/cpu/baytrail/Kconfig
index 1d876b1927..ff244fcd68 100644
--- a/arch/x86/cpu/baytrail/Kconfig
+++ b/arch/x86/cpu/baytrail/Kconfig
@@ -39,4 +39,14 @@ config DEBUG_UART
bool
select DEBUG_UART_BOARD_INIT
 
+config BAYTRAIL_SECURE_BOOT
+   bool "Enable Secure Boot on Bay Trail"
+   depends on HAVE_FSP
+   default n
+   help
+ Use the secure boot feature of the Bay Trail platform. This switch
+ enables the usage of the secure-boot enabled fsp.bin (fsp-sb.bin).
+ For your board you need to provide this yourself. You can reconfigure
+ your FSP with the Intel BCT tool to enable secure boot.
+
 endif
diff --git a/arch/x86/include/asm/fsp/fsp_support.h 
b/arch/x86/include/asm/fsp/fsp_support.h
index df3add008c..124a4148a0 100644
--- a/arch/x86/include/asm/fsp/fsp_support.h
+++ b/arch/x86/include/asm/fsp/fsp_support.h
@@ -22,6 +22,8 @@
 #define FSP_LOWMEM_BASE0x10UL
 #define FSP_HIGHMEM_BASE   0x1ULL
 #define UPD_TERMINATOR 0x55AA
+#define FSP_FIRST_HEADER_OFFSET0x94
+#define FSP_SECOND_HEADER_OFFSET   0x20494
 
 
 /**
diff --git a/arch/x86/lib/fsp/fsp_support.c b/arch/x86/lib/fsp/fsp_support.c
index e0c49be635..d79a6e900a 100644
--- a/arch/x86/lib/fsp/fsp_support.c
+++ b/arch/x86/lib/fsp/fsp_support.c
@@ -97,6 +97,8 @@ void fsp_continue(u32 status, void *hob_list)
fsp_init_done(hob_list);
 }
 
+#define SB_PRFX"Secure Boot:"
+
 void fsp_init(u32 stack_top, u32 boot_mode, void *nvs_buf)
 {
struct fsp_config_data config_data;
@@ -116,6 +118,14 @@ void fsp_init(u32 stack_top, u32 boot_mode, void *nvs_buf)
panic("Invalid FSP header");
}
 
+   if (IS_ENABLED(CONFIG_BAYTRAIL_SECURE_BOOT)) {
+   /* Compare primary and secondary header */
+   if (memcmp((void *)(CONFIG_FSP_ADDR + FSP_FIRST_HEADER_OFFSET),
+  (void *)(CONFIG_FSP_ADDR + FSP_SECOND_HEADER_OFFSET),
+  fsp_hdr->hdr_len))
+   panic("%s 1st & 2nd FSP headers don't match", SB_PRFX);
+   }
+
config_data.common.fsp_hdr = fsp_hdr;
config_data.common.stack_top = stack_top;
config_data.common.boot_mode = boot_mode;
@@ -130,6 +140,20 @@ void fsp_init(u32 stack_top, u32 boot_mode, void *nvs_buf)
 
fsp_upd = _data.fsp_upd;
 
+   /*
+* On some platforms there is no 'enable_secure_boot' field
+* in VPD region struct, so we have to use ifdef here.
+*/
+   #ifdef CONFIG_BAYTRAIL_SECURE_BOOT
+   /*
+* If the enable secure boot flag is not 1, secure boot has not
+* been activated in the FSP which results in the TXE-Engine not
+* getting loaded
+*/
+   printf("FSP: Secure Boot %sabled\n",
+  fsp_vpd->enable_secure_boot == 1 ? "en" : "dis");
+   #endif
+
/* Copy default data from Flash */
memcpy(fsp_upd, (void *)(fsp_hdr->img_base + fsp_vpd->upd_offset),
   sizeof(struct upd_region));
-- 
2.11.0

___
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot