From: Markus Valentin <m...@denx.de> Signed-off-by: Markus Valentin <m...@denx.de> [agust: slightly reworded and fixed alignment] Signed-off-by: Anatolij Gustschin <ag...@denx.de> --- doc/README.x86 | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+)
diff --git a/doc/README.x86 b/doc/README.x86 index a38cc1b..8ba64b3 100644 --- a/doc/README.x86 +++ b/doc/README.x86 
@@ -1056,6 +1056,45 @@ provides the same EFI run-time services) is not currently supported on x86. See README.efi for details of EFI support in U-Boot. +Secure Boot for BayTrail +------------------------ +U-Boot for BayTrail based platforms supports to boot in a verified manner using +the Trusted Execution Enginge(TXE). To enable secure boot you need to enable + the Kconfig parameter CONFIG_BAYTRAIL_SECURE_BOOT. + +The verification of U-Boot happens by a public key appended to the so called +secure boot manifest. The manifest gets created by the secure_boot_helper.py +script which is located in the tools directory. + +To be able to perform a verified boot with U-Boot you need: + * A OEM-keypair which we use to sign U-Boot. Create this yourself like below: + mkdir mykeys && \ + openssl req -batch -x509 -nodes -newkey rsa:2048 \ + -keyout 'mykeys/oemkey.pem' -out 'mykeys/pub_oemkey.pem' + * fpf_config.txt gets created by the helper script. It stores the fuse + register configuration to a text file which can be used by the Intel + FPT tool to write fuses (the FPT is provided in the TXE Firmware Kit). + It contains a hash over the public part of the OEM-keypair. + (To burn fuses run "FPT -writebatch fpf_config.txt" on the target) + * A secure boot enabled FSP[18] which we can assemble with the BCT Tool[19] + (the secure boot enabled fsp should be placed as fsp-sb.bin in the + board directory) + +If these prerequisites are met, you can build u-boot and call the helper script. +The following commands give an example flow for the congatec conga-QA3 SoM: + make conga-qeval20-qa3-e3845-internal-uart-secure-boot_defconfig + make all + make u-boot.rom + python3 ./tools/secure_boot_helper.py \ + -I board/congatec/conga-qeval20-qa3-e3845 \ + -c fpf_config.txt \ + --lock-fuses + +This creates a "u-boot-verified.rom", this file can be used as the normal +u-boot.rom. 
For enabling the verification you need to configure the fuses +either by burning them or by using the FPF-Mirroring feature for development. +Further authentication can be done with the fit-image mechanism. + 64-bit Support -------------- U-Boot supports booting a 64-bit kernel directly and is able to change to @@ -1098,3 +1137,5 @@ References [15] doc/device-tree-bindings/misc/intel,irq-router.txt [16] http://www.acpi.info [17] https://www.acpica.org/downloads +[18] https://github.com/IntelFsp/FSP.git +[19] https://github.com/IntelFsp/BCT.git -- 2.7.4 _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
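Review bot: the OEM key generation step in the first hunk uses `openssl req ... -nodes`, which writes the private key to `mykeys/oemkey.pem` unencrypted, yet the text never says that this key is the root of trust for the whole verified chain and must be kept off the build host or protected; please add a sentence on that (and consider dropping `-nodes` so the key is at least passphrase-protected). Also, the example invocation `python3 ./tools/secure_boot_helper.py -I board/... -c fpf_config.txt --lock-fuses` never shows how the script finds the key pair created above, and `-c fpf_config.txt` is ambiguous given the earlier statement that "fpf_config.txt gets created by the helper script" (is `-c` an input or the output path?); `--lock-fuses` is not explained at all, and since the next step is `FPT -writebatch fpf_config.txt` on the target, the doc should state that this makes the fuse configuration permanent and that FPF-Mirroring is the way to test without burning. Minor wording: "Trusted Execution Enginge(TXE)" should be "Trusted Execution Engine (TXE)", "supports to boot in a verified manner" should be "supports booting in a verified manner", "A OEM-keypair" should be "An OEM key pair", and the line " the Kconfig parameter CONFIG_BAYTRAIL_SECURE_BOOT." has a stray leading space. The closing "Further authentication can be done with the fit-image mechanism" would be more useful with a pointer to doc/uImage.FIT/verified-boot.txt.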
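Review bot: the new references [18] and [19] in the second hunk point at the bare FSP and BCT git repositories rather than a specific release or tag, while the text above requires a "secure boot enabled FSP" assembled into `fsp-sb.bin`; naming the FSP release (or branch) that was actually used for the conga-QA3 flow would save readers from guessing which tree provides the secure-boot variant.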