This is an RFC for a method that uses a "weak" post-process function call that's injected into the SPL FIT loading process after each blob has been extracted (U-Boot firmware, selected DTB) which is populated with a platform-specific function. In the case of TI high-security (HS) device variants a ROM API call is performed (via SMC) that transparently handles authentication and optional decryption. This essentially allows authenticating (and optionally decrypting) U-Boot from SPL. The post-processing injection is implemented so as to enable a more universal use of this feature by other platforms or for other purposes.

Furthermore the build process has been modified to automatically invoke a TI blob signing/encryption tool through the $TI_SECURE_DEV_PKG env variable already introduced into U-Boot. This signing/encryption step happens for each artifact that gets bundled into the final u-boot.img FIT blob.

Why do we need this for our platforms if some generic form of verified boot already exists in U-Boot? The approach proposed here provides support for decryption which is currently not available in U-Boot (and may not be easily implementable generically, for example due to the need for keeping symmetric keys secure). Furthermore it allows for a consistent build as well as runtime flow no matter whether authentication and/or decryption is used (as opposed to using existing U-Boot verified boot for authentication and an additional TI-specific ROM API call for decryption, for example). It also allows for a faster and more efficient boot process (auth and decryption can be performed in a single step by the ROM APIs, also utilizing crypto HW accelerators in a completely transparent fashion). However anyone can still use the standard U-Boot verified boot scheme from U-Boot onwards if they so choose and only need authentication.

The patch series has been tested on DRA7 HS, DRA72 HS, and AM57 HS device variants. The AM43 HS support is still missing some Makefile changes but the principle in the final implementation will be similar to what's implemented for the other devices.

Regards,
Andreas Dannenberg

PS: This patch series depends on a few recent patches sent by Lokesh, Madan, and myself that enable SPL FIT support for various high-secure ICs. However it should not be necessary to look up those patches for purposes of digesting this RFC.

Daniel Allred (7):
  spl: fit: add support for post-processing of images
  arm: cache: add missing dummy functions for when dcache disabled
  arm: omap-common: add secure smc entry
  arm: omap-common: add secure rom call API for secure devices
  arm: omap5: add secure ROM signature verify API
  arm: omap5: add FIT image post process function
  ti: omap-common: Update to generate secure FIT

Madan Srinivas (2):
  arm: am4x: add secure ROM signature verify API
  arm: am4x: add FIT image post process function

 arch/arm/cpu/armv7/am33xx/Makefile              |  2 +
 arch/arm/cpu/armv7/am33xx/sec_fxns.c            | 90 +++++++++++++++++++++++++
 arch/arm/cpu/armv7/cache_v7.c                   |  8 +++
 arch/arm/cpu/armv7/omap-common/Makefile         |  4 ++
 arch/arm/cpu/armv7/omap-common/config_secure.mk | 57 +++++++++++++++-
 arch/arm/cpu/armv7/omap-common/lowlevel_init.S  | 47 +++++++++++--
 arch/arm/cpu/armv7/omap-common/sec_bridge.c     | 47 +++++++++++++
 arch/arm/cpu/armv7/omap5/Makefile               |  1 +
 arch/arm/cpu/armv7/omap5/config.mk              |  3 +
 arch/arm/cpu/armv7/omap5/sec_fxns.c             | 70 +++++++++++++++++++
 arch/arm/include/asm/arch-am33xx/sys_proto.h    |  6 +-
 arch/arm/include/asm/arch-omap5/sys_proto.h     |  4 ++
 arch/arm/include/asm/omap_common.h              |  6 ++
 board/ti/am43xx/board.c                         |  7 ++
 board/ti/am57xx/board.c                         |  7 ++
 board/ti/dra7xx/evm.c                           |  7 ++
 common/spl/spl_fit.c                            | 21 ++++--
 include/configs/ti_omap5_common.h               |  4 ++
 include/image.h                                 | 15 +++++
 19 files changed, 391 insertions(+), 15 deletions(-)
 create mode 100644 arch/arm/cpu/armv7/am33xx/sec_fxns.c
 create mode 100644 arch/arm/cpu/armv7/omap-common/sec_bridge.c
 create mode 100644 arch/arm/cpu/armv7/omap5/sec_fxns.c

--
2.6.4
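
The post-process hook described in this cover letter, as an added sketch that is not code from the patch series: a loader calls a weak, platform-supplied function on each extracted blob and refuses to hand the blob on if the function rejects it. The names fit_post_process, load_blob, demo_tag and demo_sign, the int return value and the payload-plus-tag blob layout are assumptions, and demo_tag is a non-cryptographic stand-in for the platform's authentication call.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_LEN 4u /* constructed layout: payload followed by a 32-bit tag */
/* Stand-in for the platform's authentication service. NOT cryptography. */
static uint32_t demo_tag(const uint8_t *p, size_t n)
{
    uint32_t t = 0x5ec0deu;
    while (n--) t = t * 31u + *p++;
    return t;
}

/* Build a constructed "signed" blob in place; buf needs n + TAG_LEN bytes. */
size_t demo_sign(uint8_t *buf, size_t n)
{
    uint32_t t = demo_tag(buf, n);
    memcpy(buf + n, &t, TAG_LEN);
    return n + TAG_LEN;
}

/* Hypothetical hook, declared weak: its address is null when no platform defines it. */
int fit_post_process(void **image, size_t *size) __attribute__((weak));

/* Platform-specific definition (in a real tree, in the platform's own file). */
int fit_post_process(void **image, size_t *size)
{
    const uint8_t *blob = *image;
    uint32_t want;
    if (*size < TAG_LEN)
        return -1;
    memcpy(&want, blob + *size - TAG_LEN, TAG_LEN);
    if (want != demo_tag(blob, *size - TAG_LEN))
        return -1;
    *size -= TAG_LEN; /* callers see only the authenticated payload */
    return 0;
}

/* Loader side: run the hook on every extracted blob before anything uses it. */
int load_blob(void *blob, size_t len, void **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (fit_post_process && fit_post_process(&blob, &len) != 0)
        return -1; /* fail closed: a boot loader would stop here */
    *out = blob;
    *out_len = len;
    return 0;
}
```

The hook takes the image pointer and size by reference so that a platform function can both validate the blob and report the size of the payload that remains after its signature data is removed.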