Thanks Stefano,
On 07/11/2013 06:06 AM, Stefano Babic wrote:
(header for Freescale's i.MX processors) to allow the usage of
Freescale's tools to sign the u-boot image and provide a secure boot.
This has nothing to do with the Secure Boot extensions implemented by
Simon Glass, that can be in any case used to boot later a secure image.
Freescale's secure boot ensures that a signed bootloader
is started only if it is verified with a key that is burned into the iMX fuses.
Documentation about the Freescale's secure process can be read from the
AN4591, available on the Freescale's Website.
The patchset allows to add to the imx Header the CSF (command Sequence File)
generated by the tools provided by Freescale. The CSF is then simply
concatenated
to the u-boot image, making a signed bootloader, that the processor can verify
if the fuses for the keys are burned. The processor (i.MX53 / i.MX6x) will not
start a bootloader that cannot be verified - further infos how to configure
the SOC to verify the bootloader can be found in the User Manual of the specific
SOC.
Next step is to verify the kernel, that can be still done using Simon's patches
for
verified boot (CONFIG_OF_CONTROL must be set in the board configuarion file).
I compile-tested the series against all of our boards
(boundary/boundary/* and board/freescale/mx6qsabrelite).
Run-time tests (without signing) against nitrogen6s (solo)
and nitrogen6q (quad). Both ran without a hitch.
Now we need to get configured for signing and burn some fuses!
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
