Hi On Fri, Sep 13, 2013 at 4:57 PM, bin4ry <0xbin...@gmail.com> wrote: > Hi everyone, > > I want to implement a minimal secure boot architecture into u-boot by > letting the u-boot.img be decrypted during SPL execution. Thus, the > u-boot.img is present on the MMC in an encrypted version. I already > implemented a basic AES-128 en-/decryption algorithm into the SPL. > > Everything will be implement on a PandaBoard (OMAP4460). Now my > questions are: > > 1.) What would be the general architecture? u-boot.img is loaded into > external memory (DRAM)at address 0x80100000. To decrypt it, the whole > file needs to be processed by SPL, which will not be able to load the > data since the SPL can not exceed a certain size (~49 kByte I guess). > > -> Thus, would it be somehow possible to implement the algorithm in > the SPL but let the u-boot.img data be stored in DRAM for processing? > > 2.) Furthermore, where could be a good place to put the actual algorithm > in? I figured that in my situation the function call flow is something > like this: > > ... > omap_boot_device() > boot_device() > spl_mmc_load_image() > > mmc_load_image_fat > file_fat_read() > do_fat_read()
... > omap_boot_device() > boot_device() > spl_mmc_load_image() >file_fat_read() > do_fat_read() I don't understand you can decrypt it after load. Why just verify the signature? Michael >>_jump_to_image_noargs() where u-boot.img is eventually called using the > image_entry() function. > > > Thanks a lot, > -b > > > _______________________________________________ > U-Boot mailing list > U-Boot@lists.denx.de > http://lists.denx.de/mailman/listinfo/u-boot _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
