Re: [U-Boot] [PATCH v3 6/6] doc: x86: Add section about secure boot on Bay Trail

2017-11-20 Thread Simon Glass
On 16 November 2017 at 18:16, Anatolij Gustschin  wrote:
> From: Markus Valentin 
>
> Add short summary describing preparations for enabling secure boot
> feature on Bay Trail SoC.
>
> Signed-off-by: Markus Valentin 
> Signed-off-by: Anatolij Gustschin 
> ---
> Changes in v3:
>  - add commit message
>  - use 'U-Boot' consistently
>  - reword and improve text since binman is now used for image signing
>
>  doc/README.x86 | 49 +
>  1 file changed, 49 insertions(+)

Reviewed-by: Simon Glass 
___
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot


[U-Boot] [PATCH v3 6/6] doc: x86: Add section about secure boot on Bay Trail

2017-11-16 Thread Anatolij Gustschin
From: Markus Valentin 

Add short summary describing preparations for enabling secure boot
feature on Bay Trail SoC.

Signed-off-by: Markus Valentin 
Signed-off-by: Anatolij Gustschin 
---
Changes in v3:
 - add commit message
 - use 'U-Boot' consistently
 - reword and improve text since binman is now used for image signing

 doc/README.x86 | 49 +
 1 file changed, 49 insertions(+)

diff --git a/doc/README.x86 b/doc/README.x86
index 772e8d2a86..b64158816b 100644
--- a/doc/README.x86
+++ b/doc/README.x86
@@ -1141,6 +1141,53 @@ provides the same EFI run-time services) is not 
currently supported on x86.
 
 See README.efi for details of EFI support in U-Boot.
 
+Secure Boot for Bay Trail
+-
+U-Boot for Bay Trail based platforms supports booting in a verified manner 
using
+the Trusted Execution Enginge (TXE). To enable secure boot you need to enable
+the Kconfig option CONFIG_BAYTRAIL_SECURE_BOOT.
+
+The verification of U-Boot happens by a public key appended to the so called
+Secure Boot Manifest. The manifest will be created by binman after building
+the u-boot.rom image (by tools/binman/signing/baytrail.py script). binman
+will generate "u-boot-verified.rom" image containing the manifest. This
+image can be installed in SPI-NOR flash.
+
+To be able to perform a verified boot with U-Boot you need:
+ * A secure-boot-enabled FSP[18] which we can assemble with the BCT Tool[19]
+   (the secure-boot-enabled FSP should be placed as fsp-sb.bin in the
+   board directory)
+ * A OEM-keypair which we use to sign U-Boot. Create this yourself in the
+   build output directory like below:
+   mkdir keydir && \
+   openssl req -batch -x509 -nodes -newkey rsa:2048 \
+-keyout 'keydir/oemkey.pem' -out 'keydir/pub_oemkey.pem'
+   When secure boot option is enabled, the signing script expects
+   the keys to be in the 'keydir' subdir in the build output directory.
+ * fpf_config.txt file in the build output directory.
+   Copy the original FpfConfigFile.txt file from the TXE Firmware Kit to
+   fpf_config.txt. When fpf_config.txt file is present, the binman will
+   update its fuse file entry with the actual hash of the public part of
+   the OEM signing key (FUSE_FILE_OEM_KEY_HASH_1:). The secure-boot-enable
+   fuse file entry (FUSE_FILE_SECURE_BOOT_EN:) will also be enabled.
+   The modified fuse register configuration file can be used by the Intel
+   FPT tool to write fuses (the FPT tool is provided in the TXE Firmware
+   Kit. To burn fuses run "FPT -writebatch fpf_config.txt" on the target).
+
+If these prerequisites are met, you can enable CONFIG_BAYTRAIL_SECURE_BOOT
+option and build U-Boot. The following commands give an example flow for the
+Congatec conga-QA3 SoM on QEVAL 2.0 evalboard:
+   make conga-qeval20-qa3-e3845-internal-uart-secure-boot_defconfig
+   make all
+   make u-boot.rom
+
+This creates "u-boot-verified.rom" image. It can be used as the normal
+u-boot.rom. For enabling the verification you need to configure the OTP fuses
+either by burning them by FPT tool or by using the FPF-Mirroring feature
+for testing while development (see TXE Firmware Kit documentation for more
+details). Further authentication (Kernel/DTB) can be done with the FIT image
+mechanism.
+
 64-bit Support
 --
 U-Boot supports booting a 64-bit kernel directly and is able to change to
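Review bot: the OEM key bullet in this hunk creates the signing key with `openssl ... -nodes`, so the private key `keydir/oemkey.pem` sits unencrypted in the build output directory, yet the text never says that this key has to be protected and backed up; because the hash of its public half is burned into OTP fuses (FUSE_FILE_OEM_KEY_HASH_1), a fused board will only ever accept images signed with that key, so a lost or leaked key cannot be recovered from. Suggest adding a sentence to that effect and stating plainly that "FPT -writebatch fpf_config.txt" is irreversible while FPF-Mirroring is the reversible path for development. Two wording fixes as well: "Trusted Execution Enginge (TXE)" should read "Trusted Execution Engine (TXE)", and "A OEM-keypair" should read "An OEM key pair".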
@@ -1183,3 +1230,5 @@ References
 [15] doc/device-tree-bindings/misc/intel,irq-router.txt
 [16] http://www.acpi.info
 [17] https://www.acpica.org/downloads
+[18] https://github.com/IntelFsp/FSP.git
+[19] https://github.com/IntelFsp/BCT.git
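Review bot: references [18] and [19] point at bare repositories with no tag or commit, while the section above depends on a particular secure-boot-enabled FSP build for Bay Trail (fsp-sb.bin) assembled with the BCT Tool; suggest citing the FSP release or tag and the BCT Tool version actually used so a reader can reproduce the image.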
-- 
2.11.0
