On Wed, Dec 13, 2017 at 9:08 PM, Maxime Ripard <[email protected]> wrote: > Hi, > > On Wed, Dec 13, 2017 at 11:33:04AM +0530, Jagan Teki wrote: >> Add verified-boot documentation for sunxi a64 platform. >> >> Signed-off-by: Jagan Teki <[email protected]> >> --- >> Changes for v3: >> - Create separate document file >> Changes for v2: >> - New patch >> >> doc/README.sunxi | 193 >> +++++++++++++++++++++++++++++++++++++++++++++++++++++++ >> 1 file changed, 193 insertions(+) >> create mode 100644 doc/README.sunxi >> >> diff --git a/doc/README.sunxi b/doc/README.sunxi >> new file mode 100644 >> index 0000000..ef4f735 >> --- /dev/null >> +++ b/doc/README.sunxi >> @@ -0,0 +1,193 @@ >> +# >> +# Copyright (C) 2017 Amarula Solutions >> +# >> +# SPDX-License-Identifier: GPL-2.0+ >> +# >> + >> +U-Boot on SunXi >> +============== >> + >> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi >> platform. >> + >> + 1. Verified Boot >> + >> +1. Verified Boot >> +================ >> + >> +U-Boot supports an image verification method called "Verified Boot". >> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform. >> +You will find details documents in the doc/uImage.FIT directory. >> + >> +Here, we take Orangepi Win board for example, but it should work for any >> +other boards including 32 bit SoCs. >> + >> +1. Generate RSA key to sign >> + >> + $ mkdir keys >> + $ openssl genpkey -algorithm RSA -out keys/dev.key \ >> + -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 >> + $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt >> + >> +Two files "dev.key" and "dev.crt" will be created. The base name is >> arbitrary, >> +but need to match to the "key-name-hint" property described below. > > I really think that the very first thing you must talk about in that > documentation is that it will not protect the SPL itself and that this > is not a secure setup.
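Review bot: Step 1 writes the signing key unprotected: `openssl genpkey -algorithm RSA -out keys/dev.key` is given no cipher option, so `keys/dev.key` is an unencrypted PEM file in a directory created by a plain `mkdir keys` under the default umask. Since everything the later steps sign is only as trustworthy as this key, the tutorial should say that `dev.key` is a development key, should be created with restrictive permissions (for example under `umask 077`) or passphrase-protected, and must not be committed or shipped alongside the image. Only `dev.crt` and the public key derived from it need to leave the build host. A smaller point in the same hunk: the numbering "1." is used for the section "1. Verified Boot" and again for the first step "1. Generate RSA key to sign", so a different scheme for the steps would make references to them unambiguous.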
Based on my experience with U-Boot, verified boot here doesn't relate to protecting SPL or U-Boot. It's generally for the kernel and the following stages. I don't think we can think too much here. Some reference: doc/README.uniphier

You're right that if we protect boot stages, then it becomes secure boot (from BROM) like HABv4 in i.MX6, but verified boot in U-Boot is different.

thanks!
-- 
Jagan Teki
Free Software Engineer | www.openedev.com
U-Boot, Linux | Upstream Maintainer
Hyderabad, India.
