On 03/11/2015 11:44 AM, Scott Wood wrote:
> On Wed, 2015-03-11 at 10:50 -0700, York Sun wrote:
>>
>> On 03/11/2015 03:39 AM, Gupta Ruchika-R66431 wrote:
>>> Hi York,
>>>
>>>> -----Original Message-----
>>>> From: Sun York-R58495
>>>> Sent: Tuesday, March 10, 2015 10:03 PM
>>>> To: Gupta Ruchika-R66431; Rana Gaurav-B46163; u-boot@lists.denx.de
>>>> Cc: Wood Scott-B07421; Bansal Aneesh-B39320
>>>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
>>>>
>>>> On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote:
>>>>> Hi York,
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Sun York-R58495
>>>>>> Sent: Tuesday, March 10, 2015 9:45 PM
>>>>>> To: Rana Gaurav-B46163; u-boot@lists.denx.de
>>>>>> Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320
>>>>>> Subject: Re: [PATCH] Add bootscript support to esbc_validate.
>>>>>>
>>>>>> On 03/10/2015 01:38 AM, Gaurav Rana wrote:
>>>>>>> 1. Default environment will be used for secure boot flow which
>>>>>>>    can't be edited or saved.
>>>>>>> 2. Command for secure boot is predefined in the default environment
>>>>>>>    which will run on autoboot (and autoboot is the only option allowed
>>>>>>>    in case of secure boot) and it looks like this:
>>>>>>>    #define CONFIG_SECBOOT \
>>>>>>>    "setenv bs_hdraddr 0xe8e00000;" \
>>>>>>>    "esbc_validate $bs_hdraddr;" \
>>>>>>>    "source $img_addr;" \
>>>>>>>    "esbc_halt;"
>>>>>>>    #endif
>>>>>>> 3. Boot Script can contain esbc_validate commands and bootm command.
>>>>>>>    Uboot source command used in default secure boot command will run
>>>>>>>    the bootscript.
>>>>>>> 4. Command esbc_halt added to ensure either bootm executes after
>>>>>>>    validation of images or core should just spin.
>>>>>>>
>>>>>> What's the purpose of "esbc_halt"? Once it enters the spin, how to
>>>>>> get it out?
>>>>> The purpose of bootscript is to validate the next level images and then
>>>>> pass control to it, so bootscript must contain a bootm command. We don't
>>>>> expect control to return back to u-boot. Hence a command esbc_halt is
>>>>> introduced which would make the core spin and not provide uboot prompt in
>>>>> case bootscript doesn't pass control to next level image.
>>>>> For secure chain of trust, only validated bootscript should be allowed to
>>>>> execute and be responsible for passing control to next level image.
>>>>>
>>>>
>>>> Ruchika,
>>>>
>>>> Do you expect secure boot to run automatically once u-boot reaches the
>>>> prompt and the "source $img_addr" to actually boot the OS? You put
>>>> "esbc_halt" as a fall-back to catch failure above? It doesn't sound very
>>>> secure to me.
>>>
>>> The bootscript is first validated. Only an authenticated user, who has the
>>> private key can sign the bootscript. Thus validating bootscript is
>>> important in secure boot chain of trust.
>>>
>>> You are right regarding fallback as esbc_halt. In the esbc_halt
>>> implementation, we will add code to clear security secrets on the chip, and
>>> issue a reset. We will send a separate patch for that.
>>>
>>
>> Wouldn't it be possible to call a reset/hang/panic when the validation fails,
>> before "source $img_addr"?
>
> I'd assume it already has that, but it's still good to have something to
> deal with the case where the script returns due to some failure.
>

If that's the case, I am OK with the addition of "esbc_halt" command.

York

_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
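As an added illustration, not part of the thread or of the patch under discussion, this is the shape of a boot script that the default CONFIG_SECBOOT command would `source`: it validates each next-level image header before `bootm` and, if anything returns, falls through to `esbc_halt` instead of the prompt. The addresses are constructed placeholders, and it assumes `esbc_validate` returns non-zero on a failed check so that the `&&` chain stops at the first failure (the trailing `esbc_halt` in the default environment still catches the return either way).

```hush
# Constructed boot.scr source for the secure boot flow discussed in the thread.
# Addresses below are example values, not taken from any board or patch.
setenv kernel_hdraddr 0xa0000000
setenv dtb_hdraddr 0xa0100000
setenv kernel_addr 0xa1000000
setenv dtb_addr 0xa2000000

# Validate every header before any image is used; the chain stops at the
# first failing esbc_validate (assumed to return non-zero on failure), and
# bootm only runs once both checks have passed.
esbc_validate $kernel_hdraddr && esbc_validate $dtb_hdraddr && bootm $kernel_addr - $dtb_addr

# Reached only if a validation failed or bootm returned. The script must
# never return to the u-boot prompt, so hand the core to esbc_halt here.
esbc_halt
```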