Hi Sean, On Fri, 11 Aug 2023 at 18:28, <seanedm...@linux.microsoft.com> wrote: > > From: Sean Edmond <seanedm...@microsoft.com> > > Adds Add anti-rollback version protection. Images with an anti-rollback > counter > value "arbvn" declared in the FDT will be compared against the current device > anti-rollback counter value, and older images will not pass signature > validation. If the image is newer, the device anti-rollback counter value will > be updated. > > The "arbvn" value is stored/retrieved using the newly added security driver. > A "TPM backed" and "sandbox backed" security driver have been provided as > examples. > > Adds new configs: > - CONFIG_DM_SECURITY : enable security device support > - CONFIG_SECURITY_SANDBOX : enables "sandbox_security" driver > - CONFIG_SECURITY_TPM : Enables "tpm_security" driver > - CONFIG_ARBP : enable enforcement of OS anti-rollback counter during image > loading > - CONFIG_FIT_ARBVP_GRACE : adds a one unit grace period to OS anti-rollback > protection > > Sean Edmond (1): > dm: test: Add a test for security driver > > Stephen Carlson (4): > drivers: security: Add security devices to driver model > drivers: security: Add TPM2 implementation of security devices > common: Add OS anti-rollback validation using security devices > common: Add OS anti-rollback grace period > > MAINTAINERS | 9 ++ > arch/sandbox/dts/test.dts | 8 ++ > boot/Kconfig | 19 +++ > boot/image-fit-sig.c | 94 +++++++++++++++ > boot/image-fit.c | 23 ++++ > configs/sandbox_defconfig | 3 + > drivers/Kconfig | 2 + > drivers/Makefile | 1 + > drivers/security/Kconfig | 25 ++++ > drivers/security/Makefile | 7 ++ > drivers/security/sandbox_security.c | 65 +++++++++++ > drivers/security/security-tpm.c | 173 ++++++++++++++++++++++++++++ > drivers/security/security-uclass.c | 30 +++++ > include/dm-security.h | 44 +++++++ > include/dm/uclass-id.h | 1 + > include/image.h | 4 + > include/tpm-v2.h | 1 + > test/dm/Makefile | 1 + > test/dm/security.c | 78 +++++++++++++ > 19 files changed, 588 insertions(+) > create mode 100644 drivers/security/Kconfig > create mode 100644 drivers/security/Makefile > create mode 100644 drivers/security/sandbox_security.c > create mode 100644 drivers/security/security-tpm.c > create mode 100644 drivers/security/security-uclass.c > create mode 100644 include/dm-security.h > create mode 100644 test/dm/security.c
Can you please add something to doc/ about this? Regards, Simon