On Wed, 2015-03-11 at 10:50 -0700, York Sun wrote:
> 
> On 03/11/2015 03:39 AM, Gupta Ruchika-R66431 wrote:
> > Hi York,
> > 
> >> -----Original Message-----
> >> From: Sun York-R58495
> >> Sent: Tuesday, March 10, 2015 10:03 PM
> >> To: Gupta Ruchika-R66431; Rana Gaurav-B46163; u-boot@lists.denx.de
> >> Cc: Wood Scott-B07421; Bansal Aneesh-B39320
> >> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
> >> 
> >> On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote:
> >>> Hi York,
> >>> 
> >>>> -----Original Message-----
> >>>> From: Sun York-R58495
> >>>> Sent: Tuesday, March 10, 2015 9:45 PM
> >>>> To: Rana Gaurav-B46163; u-boot@lists.denx.de
> >>>> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
> >>>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
> >>>> 
> >>>> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
> >>>>> 1. Default environment will be used for secure boot flow which
> >>>>>    can't be edited or saved.
> >>>>> 2. Command for secure boot is predefined in the default environment
> >>>>>    which will run on autoboot (and autoboot is the only option allowed
> >>>>>    in case of secure boot) and it looks like this:
> >>>>> #define CONFIG_SECBOOT \
> >>>>>         "setenv bs_hdraddr 0xe8e00000;" \
> >>>>>         "esbc_validate $bs_hdraddr;" \
> >>>>>         "source $img_addr;" \
> >>>>>         "esbc_halt;"
> >>>>> #endif
> >>>>> 3. Boot Script can contain esbc_validate commands and bootm command.
> >>>>>    Uboot source command used in default secure boot command will run
> >>>>>    the bootscript.
> >>>>> 4. Command esbc_halt added to ensure either bootm executes after
> >>>>>    validation of images or core should just spin.
> >>>>> 
> >>>> What's the purpose of "esbc_halt"? Once it enters the spin, how to
> >>>> get it out?
> >>> The purpose of bootscript is to validate the next level images and then
> >>> pass control to it, so bootscript must contain a bootm command. We don't
> >>> expect control to return back to u-boot. Hence a command esbc_halt is
> >>> introduced which would make the core spin and not provide uboot prompt in
> >>> case bootscript doesn't pass control to next level image.
> >>> For secure chain of trust, only validated bootscript should be allowed to
> >>> execute and be responsible for passing control to next level image.
> >>> 
> >> 
> >> Ruchika,
> >> 
> >> Do you expect secure boot to run automatically once u-boot reaches the prompt
> >> and the "source $img_addr" to actually boot the OS? You put "esbc_halt" as a
> >> fall-back to catch failure above? It doesn't sound very secure to me.
> > 
> > The bootscript is first validated. Only an authenticated user, who has the
> > private key can sign the bootscript. Thus validating bootscript is
> > important in secure boot chain of trust.
> > 
> > You are right regarding fallback as esbc_halt. In the esbc_halt
> > implementation, we will add code to clear security secrets on the chip, and
> > issue a reset. We will send a separate patch for that.
> > 
> 
> Wouldn't it be possible to call a reset/hang/panic when the validation fails,
> before "source $img_addr"?

I'd assume it already has that, but it's still good to have something to deal
with the case where the script returns due to some failure.

-Scott

_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
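The CONFIG_SECBOOT command sequence discussed in this thread, modelled in POSIX sh as an added example (not code from the patch, the thread or U-Boot): the esbc_validate, source and esbc_halt commands are constructed stubs, and the two functions contrast the literal ';'-separated sequence with a fail-closed ordering that halts before `source`. It assumes a failing esbc_validate returns a non-zero status rather than hanging on its own.

```shell
#!/bin/sh
# Added example, not code from the patch, the thread or U-Boot: a POSIX sh
# model of the CONFIG_SECBOOT sequence with constructed stub commands.
# Assumption: a failing esbc_validate returns non-zero instead of hanging.

# Stub esbc_validate: VALIDATE_OK=1 (default) passes, anything else fails.
esbc_validate() { [ "${VALIDATE_OK:-1}" = 1 ]; }

# Stub 'source $img_addr': a good bootscript ends in bootm and never returns
# to U-Boot (modelled as status 0); SCRIPT_RETURNS=1 models a script that
# fails before bootm and returns to U-Boot.
source_script() {
  if [ "${SCRIPT_RETURNS:-0}" = 1 ]; then
    echo "source:returned"; return 1
  fi
  echo "source:bootm"; return 0
}

# Stub esbc_halt: the fallback that keeps the core away from the prompt.
esbc_halt() { echo "esbc_halt"; }

# Literal reading of "esbc_validate $bs_hdraddr; source $img_addr; esbc_halt;".
# ';' ignores exit status, so an unvalidated script is still sourced.
secboot_semicolon() {
  if esbc_validate; then echo "validate:ok"; else echo "validate:FAIL"; fi
  source_script && return 0      # bootm reached: control never comes back
  esbc_halt                      # only reached if the script returned
}

# Fail-closed ordering: halt as soon as validation fails, before 'source',
# which is what York's last question asks for.
secboot_failclosed() {
  if esbc_validate; then
    echo "validate:ok"
  else
    echo "validate:FAIL"; esbc_halt; return 1
  fi
  source_script && return 0      # bootm reached: control never comes back
  esbc_halt                      # only reached if the script returned
}
```

Running `VALIDATE_OK=0 secboot_semicolon` prints `validate:FAIL` followed by `source:bootm`, i.e. the unvalidated script still boots; `secboot_failclosed` prints `validate:FAIL` then `esbc_halt` instead.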