>-----Original Message----- >From: AKASHI Takahiro <takahiro.aka...@linaro.org> >Sent: Tuesday, October 29, 2019 10:49 AM >To: Priyanka Jain <priyanka.j...@nxp.com>; Stefano Babic <sba...@denx.de> >Cc: Tom Rini <tr...@konsulko.com>; Udit Agarwal <udit.agar...@nxp.com>; >xypron.g...@gmx.de; ag...@csgraf.de; u-boot@lists.denx.de >Subject: Re: [U-Boot] [RFC 06/15] secure boot: rename CONFIG_SECURE_BOOT > >Priyanka, Stefano and Tom, > >On Wed, Sep 25, 2019 at 04:19:43AM +0000, Priyanka Jain wrote: >> >> >> >-----Original Message----- >> >From: Stefano Babic <sba...@denx.de> >> >Sent: Thursday, September 19, 2019 8:40 PM >> >To: Tom Rini <tr...@konsulko.com>; AKASHI Takahiro >> ><takahiro.aka...@linaro.org>; Priyanka Jain <priyanka.j...@nxp.com>; >> >Stefano Babic <sba...@denx.de> >> >Cc: xypron.g...@gmx.de; ag...@csgraf.de; u-boot@lists.denx.de >> >Subject: Re: [U-Boot] [RFC 06/15] secure boot: rename >> >CONFIG_SECURE_BOOT >> > >> >On 19/09/19 17:02, Tom Rini wrote: >> >> On Wed, Sep 18, 2019 at 10:26:34AM +0900, AKASHI Takahiro wrote: >> >> >> >>> The configuration, CONFIG_SECURE_BOOT, was scattered among >> >>> different architecture directories for different implementation. >> >>> This will prevent UEFI secure boot from being added later. >> >>> >> >>> So let's rename them, giving each implementation to different >> >>> configuration option. CONFIG_SECURE_BOOT still remains not to >> >>> break existing implicit dependency. >> >>> >> >>> Signed-off-by: AKASHI Takahiro <takahiro.aka...@linaro.org> >> >>> --- >> >>> Kconfig | 7 +++++++ >> >>> arch/arm/cpu/armv7/ls102xa/Kconfig | 3 ++- >> >>> arch/arm/cpu/armv8/fsl-layerscape/Kconfig | 3 ++- >> >>> arch/arm/mach-imx/Kconfig | 3 ++- >> >>> arch/powerpc/cpu/mpc85xx/Kconfig | 3 ++- >> >>> 5 files changed, 15 insertions(+), 4 deletions(-) >> >>> >> >>> diff --git a/Kconfig b/Kconfig >> >>> index 1f0904f7045e..c11fc102a7d4 100644 >> >>> --- a/Kconfig >> >>> +++ b/Kconfig >> >>> @@ -282,6 +282,13 @@ config SYS_LDSCRIPT >> >>> >> >>> endmenu # General setup >> >>> >> >>> +config SECURE_BOOT >> >>> + bool "Secure Boot" >> >>> + imply SHA256 >> >>> + help >> >>> + Enable Secure Boot feature. The actual behavior may vary >> >>> + from architecture to architecture. >> >>> + >> >>> menu "Boot images" >> >>> >> >>> config ANDROID_BOOT_IMAGE >> >>> diff --git a/arch/arm/cpu/armv7/ls102xa/Kconfig >> >>> b/arch/arm/cpu/armv7/ls102xa/Kconfig >> >>> index 94fa68250ddf..ce1bc580d23d 100644 >> >>> --- a/arch/arm/cpu/armv7/ls102xa/Kconfig >> >>> +++ b/arch/arm/cpu/armv7/ls102xa/Kconfig >> >>> @@ -50,8 +50,9 @@ config MAX_CPUS >> >>> cores, count the reserved ports. This will allocate enough >> >>> memory >> >>> in spin table to properly handle all cores. >> >>> >> >>> -config SECURE_BOOT >> >>> +config FSL_ARMV7_ENABLE_SECURE_BOOT >> >>> bool "Secure Boot" >> >>> + depends on SECURE_BOOT >> >>> help >> >>> Enable Freescale Secure Boot feature. Normally selected >> >>> by defconfig. If unsure, do not change. >> >>> diff --git a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig >> >>> b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig >> >>> index 42d31fdab0a0..d4cfe31f8ebf 100644 >> >>> --- a/arch/arm/cpu/armv8/fsl-layerscape/Kconfig >> >>> +++ b/arch/arm/cpu/armv8/fsl-layerscape/Kconfig >> >>> @@ -383,8 +383,9 @@ config EMC2305 >> >>> Enable the EMC2305 fan controller for configuration of fan >> >>> speed. >> >>> >> >>> -config SECURE_BOOT >> >>> +config FSI_ARMV8_ENABLE_SECURE_BOOT >> >>> bool "Secure Boot" >> >>> + depends on SECURE_BOOT >> >>> help >> >>> Enable Freescale Secure Boot feature >> >>> >> >>> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig >> >>> index aeb54934888d..e1602fd5f0e8 100644 >> >>> --- a/arch/arm/mach-imx/Kconfig >> >>> +++ b/arch/arm/mach-imx/Kconfig >> >>> @@ -34,8 +34,9 @@ config USE_IMXIMG_PLUGIN >> >>> i.MX6/7 supports DCD and Plugin. Enable this configuration >> >>> to use Plugin, otherwise DCD will be used. >> >>> >> >>> -config SECURE_BOOT >> >>> +config FSL_IMX_ENABLE_SECURE_BOOT >> >>> bool "Support i.MX HAB features" >> >>> + depends on SECURE_BOOT >> >>> depends on ARCH_MX7 || ARCH_MX6 || ARCH_MX5 >> >>> select FSL_CAAM if HAS_CAAM >> >>> imply CMD_DEKBLOB >> >>> diff --git a/arch/powerpc/cpu/mpc85xx/Kconfig >> >>> b/arch/powerpc/cpu/mpc85xx/Kconfig >> >>> index c038a6ddb0f4..9cf6ebbfe3ce 100644 >> >>> --- a/arch/powerpc/cpu/mpc85xx/Kconfig >> >>> +++ b/arch/powerpc/cpu/mpc85xx/Kconfig >> >>> @@ -1208,8 +1208,9 @@ config FSL_LAW >> >>> help >> >>> Use Freescale common code for Local Access Window >> >>> >> >>> -config SECURE_BOOT >> >>> +config FSL_MPC_ENABLE_SECURE_BOOT >> >>> bool "Secure Boot" >> >>> + depends on SECURE_BOOT >> >>> help >> >>> Enable Freescale Secure Boot feature. Normally selected >> >>> by defconfig. If unsure, do not change. >> >> >> >> I've added Priyanka Jain to the thread as the custodian for PowerPC >> >> and NXP stuff and Stefano Babic as the custodian for i.MX stuff. I >> >> don't want to see "CONFIG_SECURE_BOOT" continue on as a config >> >> option, it's too broad. Can we please rename and update the >> >> existing NXP CONFIG option (and I assume split it into a few ones >> >> to reflect better where things really changed fundamentally from >> >> one SoC/arch to the >> >> next) and update the help text? Thanks! >> > >> >Sure - SECURE_BOOT for NXP means enabling HAB, a config can be rename >> >to identify the component itself (CONFIG_HAB for example). >> > >> >Regards, >> >Stefano >> > >> Sure, We will look into this and update NXP CONFIG_SECURE_BOOT option. >> Priyanka > >Can we expect this re-work on NXP/Freescal platforms to be done in the >current release cycle, that is v2020.01? > Yes, we are working on the changes for NXP ARM and mpc85xx platforms.
Regards Priyanka >If not, can I continue to use my match[1] as part of my UEFI secure boot patch >set for the time being? > > [1] >https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.de >nx.de%2Fpipermail%2Fu-boot%2F2019- >September%2F383908.html&data=02%7C01%7Cpriyanka.jain%40nxp.com >%7C00a34480e43c4950cb0808d75c2f836b%7C686ea1d3bc2b4c6fa92cd99c5c30 >1635%7C0%7C0%7C637079231443969244&sdata=gvOKFn6Rt7sgbmrbMo >Vq2cawyetW5z6H50Qhv0aX0rA%3D&reserved=0 > >Thanks, >-Takahiro Akashi > > >> > >> >-- >> >>================================================================ >> >===== >> >DENX Software Engineering GmbH, Managing Director: Wolfgang Denk >> >HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany >> >Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sba...@denx.de >> >>================================================================ >> >===== _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
