> -----Original Message----- > From: York Sun > Sent: Friday, September 01, 2017 4:38 AM > To: Sumit Garg <sumit.g...@nxp.com>; u-boot@lists.denx.de > Cc: Ruchika Gupta <ruchika.gu...@nxp.com>; Prabhakar Kushwaha > <prabhakar.kushw...@nxp.com>; Mingkai Hu <mingkai...@nxp.com>; > Shengzhou Liu <shengzhou....@nxp.com> > Subject: Re: [PATCH] arm64: ls1043ardb: Add distro secure boot support > > On 06/04/2017 11:54 PM, Sumit Garg wrote: > > Enable validation of boot.scr script prior to its execution dependent > > on "secureboot" flag in environment. Disable fall back option to > > nor/qspi boot in case of secure boot. Also enable "secureboot=y" > > flag in environment for ARM based platforms instead of bootcmd. > > > > Signed-off-by: Sumit Garg <sumit.g...@nxp.com> > > Tested-by: Vinitha Pillai <vinitha.pil...@nxp.com> > > --- > > board/freescale/common/fsl_chain_of_trust.c | 6 ++++++ > > configs/ls1043ardb_SECURE_BOOT_defconfig | 1 + > > configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig | 1 + > > include/configs/ls1043a_common.h | 23 > > +++++++++++++++++++++- > - > > 4 files changed, 29 insertions(+), 2 deletions(-) > > > > diff --git a/board/freescale/common/fsl_chain_of_trust.c > > b/board/freescale/common/fsl_chain_of_trust.c > > index 438e781..609e2b2 100644 > > --- a/board/freescale/common/fsl_chain_of_trust.c > > +++ b/board/freescale/common/fsl_chain_of_trust.c > > @@ -80,7 +80,13 @@ int fsl_setenv_chain_of_trust(void) > > * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot > script) > > */ > > setenv("bootdelay", "0"); > > + > > +#ifdef CONFIG_ARM > > + setenv("secureboot", "y"); > > +#else > > setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD); > > +#endif > > + > > return 0; > > } > > #endif > > diff --git a/configs/ls1043ardb_SECURE_BOOT_defconfig > > b/configs/ls1043ardb_SECURE_BOOT_defconfig > > index 861d49b..3f535cc 100644 > > --- a/configs/ls1043ardb_SECURE_BOOT_defconfig > > +++ b/configs/ls1043ardb_SECURE_BOOT_defconfig > > @@ -40,3 +40,4 @@ CONFIG_USB_STORAGE=y > > CONFIG_RSA=y > > CONFIG_SPL_RSA=y > > CONFIG_RSA_SOFTWARE_EXP=y > > +CONFIG_DISTRO_DEFAULTS=y > > diff --git a/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig > > b/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig > > index 5f9b21d..2d57e79 100644 > > --- a/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig > > +++ b/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig > > @@ -56,3 +56,4 @@ CONFIG_RSA=y > > CONFIG_SPL_RSA=y > > CONFIG_SPL_CRYPTO_SUPPORT=y > > CONFIG_SPL_HASH_SUPPORT=y > > +CONFIG_DISTRO_DEFAULTS=y > > diff --git a/include/configs/ls1043a_common.h > > b/include/configs/ls1043a_common.h > > index e8a756f..6e30427 100644 > > --- a/include/configs/ls1043a_common.h > > +++ b/include/configs/ls1043a_common.h > > @@ -282,6 +282,7 @@ > > "fdt_addr=0x64f00000\0" \ > > "kernel_addr=0x65000000\0" \ > > "scriptaddr=0x80000000\0" \ > > + "scripthdraddr=0x80080000\0" \ > > "fdtheader_addr_r=0x80100000\0" \ > > "kernelheader_addr_r=0x80200000\0" \ > > "kernel_addr_r=0x81000000\0" \ > > @@ -292,6 +293,7 @@ > > "mtdparts=" MTDPARTS_DEFAULT "\0" \ > > BOOTENV \ > > "boot_scripts=ls1043ardb_boot.scr\0" \ > > + "boot_script_hdr=hdr_ls1043ardb_bs.out\0" \ > > "scan_dev_for_boot_part=" \ > > "part list ${devtype} ${devnum} devplist; " \ > > "env exists devplist || setenv devplist 1; " \ @@ -302,6 > > +304,21 @@ > > "run scan_dev_for_boot; " \ > > "fi; " \ > > "done\0" \ > > + "scan_dev_for_boot=" \ > > + "echo Scanning ${devtype} " \ > > + "${devnum}:${distro_bootpart}...; " \ > > + "for prefix in ${boot_prefixes}; do " \ > > + "run scan_dev_for_scripts; " \ > > + "done;" \ > > + "\0" \ > > + "boot_a_script=" \ > > + "load ${devtype} ${devnum}:${distro_bootpart} " \ > > + "${scriptaddr} ${prefix}${script}; " \ > > + "env exists secureboot && load ${devtype} " \ > > + "${devnum}:${distro_bootpart} " \ > > + "${scripthdraddr} ${prefix}${boot_script_hdr} " \ > > + "&& esbc_validate ${scripthdraddr};" \ > > + "source ${scriptaddr}\0" \ > > "installer=load mmc 0:2 $load_addr " \ > > "/flex_installer_arm64.itb; " \ > > "bootm $load_addr#ls1043ardb\0" \ > > @@ -315,9 +332,11 @@ > > > > #undef CONFIG_BOOTCOMMAND > > #if defined(CONFIG_QSPI_BOOT) || defined(CONFIG_SD_BOOT_QSPI) > > -#define CONFIG_BOOTCOMMAND "run distro_bootcmd;run > qspi_bootcmd" > > +#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists > secureboot" \ > > + "&& esbc_halt; run qspi_bootcmd;" > > #else > > -#define CONFIG_BOOTCOMMAND "run distro_bootcmd;run nor_bootcmd" > > +#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists > secureboot" \ > > + "&& esbc_halt; run nor_bootcmd;" > > #endif > > > > #define CONFIG_BOOTARGS "console=ttyS0,115200 > root=/dev/ram0 " \ > > > > Sumit, > > I found an issue in a recent test. If distro boot is not setup, do you expect > it to > fail? Don't you want it to fall back to CONFIG_CHAIN_BOOT_CMD? > > York
You are correct about the issue. Actually I have to send a patch upstream to enable fallback option in case of LS1043, LS1046 and LS1021. But if you see on LS2088 and LS1088, fallback option is already there in upstream. Sumit _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot