> -----Original Message-----
> From: York Sun
> Sent: Friday, September 01, 2017 4:38 AM
> To: Sumit Garg <sumit.g...@nxp.com>; u-boot@lists.denx.de
> Cc: Ruchika Gupta <ruchika.gu...@nxp.com>; Prabhakar Kushwaha
> <prabhakar.kushw...@nxp.com>; Mingkai Hu <mingkai...@nxp.com>;
> Shengzhou Liu <shengzhou....@nxp.com>
> Subject: Re: [PATCH] arm64: ls1043ardb: Add distro secure boot support
> 
> On 06/04/2017 11:54 PM, Sumit Garg wrote:
> > Enable validation of boot.scr script prior to its execution dependent
> > on "secureboot" flag in environment. Disable fall back option to
> > nor/qspi boot in case of secure boot. Also enable "secureboot=y"
> > flag in environment for ARM based platforms instead of bootcmd.
> >
> > Signed-off-by: Sumit Garg <sumit.g...@nxp.com>
> > Tested-by: Vinitha Pillai <vinitha.pil...@nxp.com>
> > ---
> >   board/freescale/common/fsl_chain_of_trust.c     |  6 ++++++
> >   configs/ls1043ardb_SECURE_BOOT_defconfig        |  1 +
> >   configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig |  1 +
> >   include/configs/ls1043a_common.h                | 23 
> > +++++++++++++++++++++-
> -
> >   4 files changed, 29 insertions(+), 2 deletions(-)
> >
> > diff --git a/board/freescale/common/fsl_chain_of_trust.c
> > b/board/freescale/common/fsl_chain_of_trust.c
> > index 438e781..609e2b2 100644
> > --- a/board/freescale/common/fsl_chain_of_trust.c
> > +++ b/board/freescale/common/fsl_chain_of_trust.c
> > @@ -80,7 +80,13 @@ int fsl_setenv_chain_of_trust(void)
> >      * bootcmd = CONFIG_CHAIN_BOOT_CMD (Validate and execute Boot
> script)
> >      */
> >     setenv("bootdelay", "0");
> > +
> > +#ifdef CONFIG_ARM
> > +   setenv("secureboot", "y");
> > +#else
> >     setenv("bootcmd", CONFIG_CHAIN_BOOT_CMD);
> > +#endif
> > +
> >     return 0;
> >   }
> >   #endif
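Review bot: In the `#ifdef CONFIG_ARM` branch, bootcmd is no longer forced to CONFIG_CHAIN_BOOT_CMD, so on ARM the validation step now depends entirely on the board's own CONFIG_BOOTCOMMAND and boot_a_script honoring the "secureboot" variable. This file is under board/freescale/common, but the only board header converted in this patch is include/configs/ls1043a_common.h; any other ARM board that reaches this function needs an equivalent change that is not shown here. Suggest keying the branch on a distro-boot or board-specific symbol instead of CONFIG_ARM, or keeping the bootcmd override until each header is converted. The comment above the hunk still reads "bootcmd = CONFIG_CHAIN_BOOT_CMD" and should describe the ARM case too.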
> > diff --git a/configs/ls1043ardb_SECURE_BOOT_defconfig
> > b/configs/ls1043ardb_SECURE_BOOT_defconfig
> > index 861d49b..3f535cc 100644
> > --- a/configs/ls1043ardb_SECURE_BOOT_defconfig
> > +++ b/configs/ls1043ardb_SECURE_BOOT_defconfig
> > @@ -40,3 +40,4 @@ CONFIG_USB_STORAGE=y
> >   CONFIG_RSA=y
> >   CONFIG_SPL_RSA=y
> >   CONFIG_RSA_SOFTWARE_EXP=y
> > +CONFIG_DISTRO_DEFAULTS=y
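Review bot: CONFIG_DISTRO_DEFAULTS=y is appended after the last line of the defconfig (following CONFIG_RSA_SOFTWARE_EXP=y) rather than placed where `make savedefconfig` would put it. Please regenerate both SECURE_BOOT defconfigs with savedefconfig so later resyncs do not produce unrelated churn.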
> > diff --git a/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig
> > b/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig
> > index 5f9b21d..2d57e79 100644
> > --- a/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig
> > +++ b/configs/ls1043ardb_sdcard_SECURE_BOOT_defconfig
> > @@ -56,3 +56,4 @@ CONFIG_RSA=y
> >   CONFIG_SPL_RSA=y
> >   CONFIG_SPL_CRYPTO_SUPPORT=y
> >   CONFIG_SPL_HASH_SUPPORT=y
> > +CONFIG_DISTRO_DEFAULTS=y
> > diff --git a/include/configs/ls1043a_common.h
> > b/include/configs/ls1043a_common.h
> > index e8a756f..6e30427 100644
> > --- a/include/configs/ls1043a_common.h
> > +++ b/include/configs/ls1043a_common.h
> > @@ -282,6 +282,7 @@
> >     "fdt_addr=0x64f00000\0"          \
> >     "kernel_addr=0x65000000\0"              \
> >     "scriptaddr=0x80000000\0"              \
> > +   "scripthdraddr=0x80080000\0"            \
> >     "fdtheader_addr_r=0x80100000\0"         \
> >     "kernelheader_addr_r=0x80200000\0"      \
> >     "kernel_addr_r=0x81000000\0"        \
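Review bot: scripthdraddr=0x80080000 leaves 0x80000 bytes between scriptaddr (0x80000000) and the header, and another 0x80000 before fdtheader_addr_r (0x80100000), but nothing documents or enforces those limits. The load commands in boot_a_script pass no size argument, so a script larger than 0x80000 bytes would be partly overwritten by the header load before validation. Suggest a comment stating the maximum script and header sizes this layout assumes.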
> > @@ -292,6 +293,7 @@
> >     "mtdparts=" MTDPARTS_DEFAULT "\0"       \
> >     BOOTENV                                 \
> >     "boot_scripts=ls1043ardb_boot.scr\0"    \
> > +   "boot_script_hdr=hdr_ls1043ardb_bs.out\0"       \
> >     "scan_dev_for_boot_part="              \
> >          "part list ${devtype} ${devnum} devplist; "   \
> >          "env exists devplist || setenv devplist 1; "  \ @@ -302,6
> > +304,21 @@
> >                   "run scan_dev_for_boot; "     \
> >               "fi; "                                   \
> >           "done\0"                                    \
> > +   "scan_dev_for_boot="                              \
> > +           "echo Scanning ${devtype} "               \
> > +                           "${devnum}:${distro_bootpart}...; "  \
> > +           "for prefix in ${boot_prefixes}; do "     \
> > +                   "run scan_dev_for_scripts; "      \
> > +           "done;"                                   \
> > +           "\0"                                      \
> > +   "boot_a_script="                                  \
> > +           "load ${devtype} ${devnum}:${distro_bootpart} "  \
> > +                   "${scriptaddr} ${prefix}${script}; "    \
> > +           "env exists secureboot && load ${devtype} "     \
> > +                   "${devnum}:${distro_bootpart} "         \
> > +                   "${scripthdraddr} ${prefix}${boot_script_hdr} " \
> > +                   "&& esbc_validate ${scripthdraddr};"    \
> > +           "source ${scriptaddr}\0"          \
> >     "installer=load mmc 0:2 $load_addr "      \
> >                "/flex_installer_arm64.itb; "          \
> >                "bootm $load_addr#ls1043ardb\0"        \
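Review bot: In boot_a_script, `source ${scriptaddr}` follows a `;` and therefore runs regardless of how the preceding `env exists secureboot && load ... && esbc_validate ${scripthdraddr}` chain ends. When secureboot is set and the load of ${boot_script_hdr} fails (for example, the header file is absent from the partition), esbc_validate is never reached and the script is still sourced unvalidated; the same applies if esbc_validate returns an error instead of halting. Suggest making the secure path explicit: if secureboot exists, source only when both the header load and esbc_validate succeed, and call esbc_halt otherwise. Separately, the overridden scan_dev_for_boot only runs scan_dev_for_scripts, which deserves a comment saying why the other distro boot methods are dropped.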
> > @@ -315,9 +332,11 @@
> >
> >   #undef CONFIG_BOOTCOMMAND
> >   #if defined(CONFIG_QSPI_BOOT) || defined(CONFIG_SD_BOOT_QSPI)
> > -#define CONFIG_BOOTCOMMAND "run distro_bootcmd;run
> qspi_bootcmd"
> > +#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists
> secureboot"   \
> > +                      "&& esbc_halt; run qspi_bootcmd;"
> >   #else
> > -#define CONFIG_BOOTCOMMAND "run distro_bootcmd;run nor_bootcmd"
> > +#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists
> secureboot"   \
> > +                      "&& esbc_halt; run nor_bootcmd;"
> >   #endif
> >
> >   #define CONFIG_BOOTARGS                   "console=ttyS0,115200
> root=/dev/ram0 " \
> >
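Review bot: In both CONFIG_BOOTCOMMAND definitions, `env exists secureboot && esbc_halt` runs as soon as distro_bootcmd returns, so a secure-boot board without distro boot media halts and never tries CONFIG_CHAIN_BOOT_CMD, which the first hunk also stopped assigning to bootcmd on ARM. Suggest falling back to the validated chain boot command before halting, or documenting that distro boot is mandatory in secure boot. Minor: the first string literal ends at `secureboot"` with no trailing space, so the concatenated command reads `secureboot&& esbc_halt`; add a space for readability.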
> 
> Sumit,
> 
> I found an issue in a recent test. If distro boot is not set up, do you expect it to
> fail? Don't you want it to fall back to CONFIG_CHAIN_BOOT_CMD?
> 
> York

You are correct about the issue. Actually I have to send a patch upstream to enable fallback
option in case of LS1043, LS1046 and LS1021. But if you see on LS2088 and LS1088, fallback
option is already there in upstream.

Sumit