Priyanka, Stefano and Tom, On Wed, Sep 25, 2019 at 04:19:43AM +0000, Priyanka Jain wrote: > > > >-----Original Message----- > >From: Stefano Babic <sba...@denx.de> > >Sent: Thursday, September 19, 2019 8:40 PM > >To: Tom Rini <tr...@konsulko.com>; AKASHI Takahiro > ><takahiro.aka...@linaro.org>; Priyanka Jain <priyanka.j...@nxp.com>; > >Stefano Babic <sba...@denx.de> > >Cc: xypron.g...@gmx.de; ag...@csgraf.de; u-boot@lists.denx.de > >Subject: Re: [U-Boot] [RFC 06/15] secure boot: rename CONFIG_SECURE_BOOT > > > >On 19/09/19 17:02, Tom Rini wrote: > >> On Wed, Sep 18, 2019 at 10:26:34AM +0900, AKASHI Takahiro wrote: > >> > >>> The configuration, CONFIG_SECURE_BOOT, was scattered among different > >>> architecture directories for different implementation. This will > >>> prevent UEFI secure boot from being added later. > >>> > >>> So let's rename them, giving each implementation to different > >>> configuration option. CONFIG_SECURE_BOOT still remains not to break > >>> existing implicit dependency. > >>> > >>> Signed-off-by: AKASHI Takahiro <takahiro.aka...@linaro.org> > >>> --- > >>> Kconfig | 7 +++++++ > >>> arch/arm/cpu/armv7/ls102xa/Kconfig | 3 ++- > >>> arch/arm/cpu/armv8/fsl-layerscape/Kconfig | 3 ++- > >>> arch/arm/mach-imx/Kconfig | 3 ++- > >>> arch/powerpc/cpu/mpc85xx/Kconfig | 3 ++- > >>> 5 files changed, 15 insertions(+), 4 deletions(-) > >>> > >>> diff --git a/Kconfig b/Kconfig > >>> index 1f0904f7045e..c11fc102a7d4 100644 > >>> --- a/Kconfig > >>> +++ b/Kconfig > >>> @@ -282,6 +282,13 @@ config SYS_LDSCRIPT > >>> > >>> endmenu # General setup > >>> > >>> +config SECURE_BOOT > >>> + bool "Secure Boot" > >>> + imply SHA256 > >>> + help > >>> + Enable Secure Boot feature. The actual behavior may vary > >>> + from architecture to architecture. > >>> + > >>> menu "Boot images" > >>> > >>> config ANDROID_BOOT_IMAGE > >>> diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig > >>> b/arch/arm/cpu/armv7/ls102xa/Kconfig > >>> index 94fa68250ddf..ce1bc580d23d 100644 
> >>> --- a/arch/arm/cpu/armv7/ls102xa/Kconfig > >>> +++ b/arch/arm/cpu/armv7/ls102xa/Kconfig > >>> @@ -50,8 +50,9 @@ config MAX_CPUS > >>> cores, count the reserved ports. This will allocate enough memory > >>> in spin table to properly handle all cores. > >>> > >>> -config SECURE_BOOT > >>> +config FSL_ARMV7_ENABLE_SECURE_BOOT > >>> bool "Secure Boot" > >>> + depends on SECURE_BOOT > >>> help > >>> Enable Freescale Secure Boot feature. Normally selected > >>> by defconfig. If unsure, do not change. > >>> diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig > >>> b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig > >>> index 42d31fdab0a0..d4cfe31f8ebf 100644 > >>> --- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig > >>> +++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig > >>> @@ -383,8 +383,9 @@ config EMC2305 > >>> Enable the EMC2305 fan controller for configuration of fan > >>> speed. > >>> > >>> -config SECURE_BOOT > >>> +config FSI_ARMV8_ENABLE_SECURE_BOOT > >>> bool "Secure Boot" > >>> + depends on SECURE_BOOT > >>> help > >>> Enable Freescale Secure Boot feature > >>> > >>> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig > >>> index aeb54934888d..e1602fd5f0e8 100644 > >>> --- a/arch/arm/mach-imx/Kconfig > >>> +++ b/arch/arm/mach-imx/Kconfig > >>> @@ -34,8 +34,9 @@ config USE_IMXIMG_PLUGIN > >>> i.MX6/7 supports DCD and Plugin. Enable this configuration > >>> to use Plugin, otherwise DCD will be used. > >>> > >>> -config SECURE_BOOT > >>> +config FSL_IMX_ENABLE_SECURE_BOOT > >>> bool "Support i.MX HAB features" > >>> + depends on SECURE_BOOT > >>> depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5 > >>> select FSL_CAAM if HAS_CAAM > >>> imply CMD_DEKBLOB > >>> diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig > >>> b/arch/powerpc/cpu/mpc85xx/Kconfig > >>> index c038a6ddb0f4..9cf6ebbfe3ce 100644 > >>> --- a/arch/powerpc/cpu/mpc85xx/Kconfig > >>> +++ b/arch/powerpc/cpu/mpc85xx/Kconfig 
> >>> @@ -1208,8 +1208,9 @@ config FSL_LAW > >>> help > >>> Use Freescale common code for Local Access Window > >>> > >>> -config SECURE_BOOT > >>> +config FSL_MPC_ENABLE_SECURE_BOOT > >>> bool "Secure Boot" > >>> + depends on SECURE_BOOT > >>> help > >>> Enable Freescale Secure Boot feature. Normally selected > >>> by defconfig. If unsure, do not change. > >> > >> I've added Priyanka Jain to the thread as the custodian for PowerPC > >> and NXP stuff and Stefano Babic as the custodian for i.MX stuff. I > >> don't want to see "CONFIG_SECURE_BOOT" continue on as a config option, > >> it's too broad. Can we please rename and update the existing NXP > >> CONFIG option (and I assume split it into a few ones to reflect better > >> where things really changed fundamentally from one SoC/arch to the > >> next) and update the help text? Thanks! > > > >Sure - SECURE_BOOT for NXP means enabling HAB, a config can be rename to > >identify the component itself (CONFIG_HAB for example). > > > >Regards, > >Stefano > > > Sure, We will look into this and update NXP CONFIG_SECURE_BOOT option. > Priyanka
Can we expect this re-work on NXP/Freescale platforms to be done in
the current release cycle, that is v2020.01?
If not, can I continue to use my patch[1] as part of my UEFI secure boot
patch set for the time being?

[1] https://lists.denx.de/pipermail/u-boot/2019-September/383908.html

Thanks,
-Takahiro Akashi

> >--
> >=====================================================================
> >DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
> >HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
> >Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sba...@denx.de
> >=====================================================================

_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
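
Review bot: The new top-level "config SECURE_BOOT" entry in the root Kconfig hunk has no "depends on", so it becomes selectable on every architecture, including ones with no implementation behind it, and its help text ("The actual behavior may vary from architecture to architecture") does not tell a user what is actually verified once the option is on. Consider restricting it to the platforms that provide an implementation, or making it a promptless symbol, and name the mechanisms it covers in the help text. The commit message should also say why "imply SHA256" is sufficient here rather than "select", since "imply" lets the user turn SHA256 back off.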
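
Review bot: FSL_ARMV7_ENABLE_SECURE_BOOT in the arch/arm/cpu/armv7/ls102xa/Kconfig hunk (and likewise FSL_MPC_ENABLE_SECURE_BOOT in the mpc85xx hunk) is a plain bool with no default, while the diffstat touches only Kconfig files. The help text still says "Normally selected by defconfig", but a defconfig that sets CONFIG_SECURE_BOOT=y will now enable only the new top-level symbol and leave the per-platform one off. Either add "default y" under the "depends on SECURE_BOOT" line or update the affected defconfigs in the same patch, and state in the commit message which of the two symbols the source code is expected to test. The prompt also stays "Secure Boot", identical to the new top-level prompt, so the menu will show two entries with the same label.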
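
Review bot: In the arch/arm/cpu/armv8/fsl-layerscape/Kconfig hunk the new symbol is spelled FSI_ARMV8_ENABLE_SECURE_BOOT, while the other three renames use the FSL_ prefix (FSL_ARMV7_ENABLE_SECURE_BOOT, FSL_IMX_ENABLE_SECURE_BOOT, FSL_MPC_ENABLE_SECURE_BOOT). This looks like a typo for FSL_ARMV8_ENABLE_SECURE_BOOT. Please fix it before anything references the symbol: an #ifdef on a misspelled CONFIG_ name simply evaluates false, so for a secure boot option the mistake would disable the feature without any build error.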
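
Review bot: In the arch/arm/mach-imx/Kconfig hunk the prompt reads "Support i.MX HAB features" but the new name FSL_IMX_ENABLE_SECURE_BOOT does not mention HAB. A name that identifies the component itself, as suggested in the replies (CONFIG_HAB for example), would match the prompt and avoid a second rename later. As a style point, the two consecutive "depends on" lines could be written as one expression, "depends on SECURE_BOOT && (ARCH_MX7 || ARCH_MX6 || ARCH_MX5)".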