Re: [U-Boot] [PATCH] Add bootscript support to esbc_validate.
On 03/10/2015 01:38 AM, Gaurav Rana wrote: 1. Default environment will be used for secure boot flow which can't be edited or saved. 2. Command for secure boot is predefined in the default environment which will run on autoboot (and autoboot is the only option allowed in case of secure boot) and it looks like this: #define CONFIG_SECBOOT \ setenv bs_hdraddr 0xe8e0; \ esbc_validate $bs_hdraddr;\ source $img_addr; \ esbc_halt; #endif 3. Boot Script can contain esbc_validate commands and bootm command. Uboot source command used in default secure boot command will run the bootscript. 4. Command esbc_halt added to ensure either bootm executes after validation of images or core should just spin. Signed-off-by: Ruchika Gupta ruchika.gu...@freescale.com Signed-off-by: Gaurav Rana gaurav.r...@freescale.com --- Applied to fsl-qoriq master, awaiting upstream. York ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
Re: [U-Boot] [PATCH] Add bootscript support to esbc_validate.
On 03/11/2015 11:44 AM, Scott Wood wrote: On Wed, 2015-03-11 at 10:50 -0700, York Sun wrote: On 03/11/2015 03:39 AM, Gupta Ruchika-R66431 wrote: Hi York, -Original Message- From: Sun York-R58495 Sent: Tuesday, March 10, 2015 10:03 PM To: Gupta Ruchika-R66431; Rana Gaurav-B46163; u-boot@lists.denx.de Cc: Wood Scott-B07421; Bansal Aneesh-B39320 Subject: Re: [PATCH] Add bootscript support to esbc_validate. On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote: Hi York, -Original Message- From: Sun York-R58495 Sent: Tuesday, March 10, 2015 9:45 PM To: Rana Gaurav-B46163; u-boot@lists.denx.de Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320 Subject: Re: [PATCH] Add bootscript support to esbc_validate. On 03/10/2015 01:38 AM, Gaurav Rana wrote: 1. Default environment will be used for secure boot flow which can't be edited or saved. 2. Command for secure boot is predefined in the default environment which will run on autoboot (and autoboot is the only option allowed in case of secure boot) and it looks like this: #define CONFIG_SECBOOT \ setenv bs_hdraddr 0xe8e0; \ esbc_validate $bs_hdraddr;\ source $img_addr; \ esbc_halt; #endif 3. Boot Script can contain esbc_validate commands and bootm command. Uboot source command used in default secure boot command will run the bootscript. 4. Command esbc_halt added to ensure either bootm executes after validation of images or core should just spin. What's the purpose of esbc_halt? Once it enters the spin, how to get it out? The purpose of bootscript is to validate the next level images and then pass control to it, so bootscript must contain a bootm command. We don't expect control to return back to u-boot. Hence a command esbc_halt is introduced which would make the core spin and not provide uboot prompt in case bootscript doesn't pass control to next level image. For secure chain of trust, only validated bootscript should be allowed to execute and be responsible for passing control to next level image. Ruchika, Do you expect secure boot to run automatically once u-boot reaches the prompt and the source $img_addr to actually boot the OS? You put esbc_halt as a fall-back to catch failure above? It doesn't sounds very secure to me. The bootscript is first validated. Only an authenticated user, who has the private key can sign the bootscript. Thus validating bootscript is important in secure boot chain of trust. You are right regarding fallback as esbc_halt. In the esbc_halt implementation, we will add code to clear security secrets on the chip, and issue a reset. We will send a separate patch for that. Wouldn't it be possible to call a reset/hang/panic when the validation fails, before source $img_addr? I'd assume it already has that, but it's still good to have something to deal with the case where the script returns due to some failure. If that's the case, I am OK with the addition of esbc_halt command. York ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
Re: [U-Boot] [PATCH] Add bootscript support to esbc_validate.
On 03/11/2015 03:39 AM, Gupta Ruchika-R66431 wrote: Hi York, -Original Message- From: Sun York-R58495 Sent: Tuesday, March 10, 2015 10:03 PM To: Gupta Ruchika-R66431; Rana Gaurav-B46163; u-boot@lists.denx.de Cc: Wood Scott-B07421; Bansal Aneesh-B39320 Subject: Re: [PATCH] Add bootscript support to esbc_validate. On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote: Hi York, -Original Message- From: Sun York-R58495 Sent: Tuesday, March 10, 2015 9:45 PM To: Rana Gaurav-B46163; u-boot@lists.denx.de Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320 Subject: Re: [PATCH] Add bootscript support to esbc_validate. On 03/10/2015 01:38 AM, Gaurav Rana wrote: 1. Default environment will be used for secure boot flow which can't be edited or saved. 2. Command for secure boot is predefined in the default environment which will run on autoboot (and autoboot is the only option allowed in case of secure boot) and it looks like this: #define CONFIG_SECBOOT \ setenv bs_hdraddr 0xe8e0; \ esbc_validate $bs_hdraddr;\ source $img_addr; \ esbc_halt; #endif 3. Boot Script can contain esbc_validate commands and bootm command. Uboot source command used in default secure boot command will run the bootscript. 4. Command esbc_halt added to ensure either bootm executes after validation of images or core should just spin. What's the purpose of esbc_halt? Once it enters the spin, how to get it out? The purpose of bootscript is to validate the next level images and then pass control to it, so bootscript must contain a bootm command. We don't expect control to return back to u-boot. Hence a command esbc_halt is introduced which would make the core spin and not provide uboot prompt in case bootscript doesn't pass control to next level image. For secure chain of trust, only validated bootscript should be allowed to execute and be responsible for passing control to next level image. Ruchika, Do you expect secure boot to run automatically once u-boot reaches the prompt and the source $img_addr to actually boot the OS? You put esbc_halt as a fall-back to catch failure above? It doesn't sounds very secure to me. The bootscript is first validated. Only an authenticated user, who has the private key can sign the bootscript. Thus validating bootscript is important in secure boot chain of trust. You are right regarding fallback as esbc_halt. In the esbc_halt implementation, we will add code to clear security secrets on the chip, and issue a reset. We will send a separate patch for that. Wouldn't it be possible to call a reset/hang/panic when the validation fails, before source $img_addr? York ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
Re: [U-Boot] [PATCH] Add bootscript support to esbc_validate.
On Wed, 2015-03-11 at 10:50 -0700, York Sun wrote: On 03/11/2015 03:39 AM, Gupta Ruchika-R66431 wrote: Hi York, -Original Message- From: Sun York-R58495 Sent: Tuesday, March 10, 2015 10:03 PM To: Gupta Ruchika-R66431; Rana Gaurav-B46163; u-boot@lists.denx.de Cc: Wood Scott-B07421; Bansal Aneesh-B39320 Subject: Re: [PATCH] Add bootscript support to esbc_validate. On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote: Hi York, -Original Message- From: Sun York-R58495 Sent: Tuesday, March 10, 2015 9:45 PM To: Rana Gaurav-B46163; u-boot@lists.denx.de Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320 Subject: Re: [PATCH] Add bootscript support to esbc_validate. On 03/10/2015 01:38 AM, Gaurav Rana wrote: 1. Default environment will be used for secure boot flow which can't be edited or saved. 2. Command for secure boot is predefined in the default environment which will run on autoboot (and autoboot is the only option allowed in case of secure boot) and it looks like this: #define CONFIG_SECBOOT \ setenv bs_hdraddr 0xe8e0; \ esbc_validate $bs_hdraddr;\ source $img_addr; \ esbc_halt; #endif 3. Boot Script can contain esbc_validate commands and bootm command. Uboot source command used in default secure boot command will run the bootscript. 4. Command esbc_halt added to ensure either bootm executes after validation of images or core should just spin. What's the purpose of esbc_halt? Once it enters the spin, how to get it out? The purpose of bootscript is to validate the next level images and then pass control to it, so bootscript must contain a bootm command. We don't expect control to return back to u-boot. Hence a command esbc_halt is introduced which would make the core spin and not provide uboot prompt in case bootscript doesn't pass control to next level image. For secure chain of trust, only validated bootscript should be allowed to execute and be responsible for passing control to next level image. Ruchika, Do you expect secure boot to run automatically once u-boot reaches the prompt and the source $img_addr to actually boot the OS? You put esbc_halt as a fall-back to catch failure above? It doesn't sounds very secure to me. The bootscript is first validated. Only an authenticated user, who has the private key can sign the bootscript. Thus validating bootscript is important in secure boot chain of trust. You are right regarding fallback as esbc_halt. In the esbc_halt implementation, we will add code to clear security secrets on the chip, and issue a reset. We will send a separate patch for that. Wouldn't it be possible to call a reset/hang/panic when the validation fails, before source $img_addr? I'd assume it already has that, but it's still good to have something to deal with the case where the script returns due to some failure. -Scott ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
Re: [U-Boot] [PATCH] Add bootscript support to esbc_validate.
Hi York, -Original Message- From: Sun York-R58495 Sent: Tuesday, March 10, 2015 10:03 PM To: Gupta Ruchika-R66431; Rana Gaurav-B46163; u-boot@lists.denx.de Cc: Wood Scott-B07421; Bansal Aneesh-B39320 Subject: Re: [PATCH] Add bootscript support to esbc_validate. On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote: Hi York, -Original Message- From: Sun York-R58495 Sent: Tuesday, March 10, 2015 9:45 PM To: Rana Gaurav-B46163; u-boot@lists.denx.de Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320 Subject: Re: [PATCH] Add bootscript support to esbc_validate. On 03/10/2015 01:38 AM, Gaurav Rana wrote: 1. Default environment will be used for secure boot flow which can't be edited or saved. 2. Command for secure boot is predefined in the default environment which will run on autoboot (and autoboot is the only option allowed in case of secure boot) and it looks like this: #define CONFIG_SECBOOT \ setenv bs_hdraddr 0xe8e0; \ esbc_validate $bs_hdraddr;\ source $img_addr; \ esbc_halt; #endif 3. Boot Script can contain esbc_validate commands and bootm command. Uboot source command used in default secure boot command will run the bootscript. 4. Command esbc_halt added to ensure either bootm executes after validation of images or core should just spin. What's the purpose of esbc_halt? Once it enters the spin, how to get it out? The purpose of bootscript is to validate the next level images and then pass control to it, so bootscript must contain a bootm command. We don't expect control to return back to u-boot. Hence a command esbc_halt is introduced which would make the core spin and not provide uboot prompt in case bootscript doesn't pass control to next level image. For secure chain of trust, only validated bootscript should be allowed to execute and be responsible for passing control to next level image. Ruchika, Do you expect secure boot to run automatically once u-boot reaches the prompt and the source $img_addr to actually boot the OS? You put esbc_halt as a fall-back to catch failure above? It doesn't sounds very secure to me. The bootscript is first validated. Only an authenticated user, who has the private key can sign the bootscript. Thus validating bootscript is important in secure boot chain of trust. You are right regarding fallback as esbc_halt. In the esbc_halt implementation, we will add code to clear security secrets on the chip, and issue a reset. We will send a separate patch for that. Ruchika I am hoping other reviewers can chime in and give comments. York ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
Re: [U-Boot] [PATCH] Add bootscript support to esbc_validate.
On 03/10/2015 09:25 AM, Gupta Ruchika-R66431 wrote: Hi York, -Original Message- From: Sun York-R58495 Sent: Tuesday, March 10, 2015 9:45 PM To: Rana Gaurav-B46163; u-boot@lists.denx.de Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320 Subject: Re: [PATCH] Add bootscript support to esbc_validate. On 03/10/2015 01:38 AM, Gaurav Rana wrote: 1. Default environment will be used for secure boot flow which can't be edited or saved. 2. Command for secure boot is predefined in the default environment which will run on autoboot (and autoboot is the only option allowed in case of secure boot) and it looks like this: #define CONFIG_SECBOOT \ setenv bs_hdraddr 0xe8e0; \ esbc_validate $bs_hdraddr;\ source $img_addr; \ esbc_halt; #endif 3. Boot Script can contain esbc_validate commands and bootm command. Uboot source command used in default secure boot command will run the bootscript. 4. Command esbc_halt added to ensure either bootm executes after validation of images or core should just spin. What's the purpose of esbc_halt? Once it enters the spin, how to get it out? The purpose of bootscript is to validate the next level images and then pass control to it, so bootscript must contain a bootm command. We don't expect control to return back to u-boot. Hence a command esbc_halt is introduced which would make the core spin and not provide uboot prompt in case bootscript doesn't pass control to next level image. For secure chain of trust, only validated bootscript should be allowed to execute and be responsible for passing control to next level image. Ruchika, Do you expect secure boot to run automatically once u-boot reaches the prompt and the source $img_addr to actually boot the OS? You put esbc_halt as a fall-back to catch failure above? It doesn't sounds very secure to me. I am hoping other reviewers can chime in and give comments. York ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
Re: [U-Boot] [PATCH] Add bootscript support to esbc_validate.
Hi York, -Original Message- From: Sun York-R58495 Sent: Tuesday, March 10, 2015 9:45 PM To: Rana Gaurav-B46163; u-boot@lists.denx.de Cc: Wood Scott-B07421; Gupta Ruchika-R66431; Bansal Aneesh-B39320 Subject: Re: [PATCH] Add bootscript support to esbc_validate. On 03/10/2015 01:38 AM, Gaurav Rana wrote: 1. Default environment will be used for secure boot flow which can't be edited or saved. 2. Command for secure boot is predefined in the default environment which will run on autoboot (and autoboot is the only option allowed in case of secure boot) and it looks like this: #define CONFIG_SECBOOT \ setenv bs_hdraddr 0xe8e0; \ esbc_validate $bs_hdraddr;\ source $img_addr; \ esbc_halt; #endif 3. Boot Script can contain esbc_validate commands and bootm command. Uboot source command used in default secure boot command will run the bootscript. 4. Command esbc_halt added to ensure either bootm executes after validation of images or core should just spin. What's the purpose of esbc_halt? Once it enters the spin, how to get it out? The purpose of bootscript is to validate the next level images and then pass control to it, so bootscript must contain a bootm command. We don't expect control to return back to u-boot. Hence a command esbc_halt is introduced which would make the core spin and not provide uboot prompt in case bootscript doesn't pass control to next level image. For secure chain of trust, only validated bootscript should be allowed to execute and be responsible for passing control to next level image. Ruchika York ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
Re: [U-Boot] [PATCH] Add bootscript support to esbc_validate.
On 03/10/2015 01:38 AM, Gaurav Rana wrote: 1. Default environment will be used for secure boot flow which can't be edited or saved. 2. Command for secure boot is predefined in the default environment which will run on autoboot (and autoboot is the only option allowed in case of secure boot) and it looks like this: #define CONFIG_SECBOOT \ setenv bs_hdraddr 0xe8e0; \ esbc_validate $bs_hdraddr;\ source $img_addr; \ esbc_halt; #endif 3. Boot Script can contain esbc_validate commands and bootm command. Uboot source command used in default secure boot command will run the bootscript. 4. Command esbc_halt added to ensure either bootm executes after validation of images or core should just spin. What's the purpose of esbc_halt? Once it enters the spin, how to get it out? York ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
[U-Boot] [PATCH] Add bootscript support to esbc_validate.
1. Default environment will be used for secure boot flow
which can't be edited or saved.
2. Command for secure boot is predefined in the default
environment which will run on autoboot (and autoboot is
the only option allowed in case of secure boot) and it
looks like this:
#define CONFIG_SECBOOT \
setenv bs_hdraddr 0xe8e0; \
esbc_validate $bs_hdraddr;\
source $img_addr; \
esbc_halt;
#endif
3. Boot Script can contain esbc_validate commands and bootm command.
Uboot source command used in default secure boot command will
run the bootscript.
4. Command esbc_halt added to ensure either bootm executes
after validation of images or core should just spin.
Signed-off-by: Ruchika Gupta ruchika.gu...@freescale.com
Signed-off-by: Gaurav Rana gaurav.r...@freescale.com
---
arch/arm/include/asm/fsl_secure_boot.h | 25 +
arch/powerpc/include/asm/fsl_secure_boot.h | 19 +++
board/freescale/common/cmd_esbc_validate.c | 16 ++
include/config_fsl_secboot.h | 89 ++
include/configs/ls1021aqds.h | 1 +
5 files changed, 150 insertions(+)
create mode 100644 arch/arm/include/asm/fsl_secure_boot.h
create mode 100644 include/config_fsl_secboot.h
diff --git a/arch/arm/include/asm/fsl_secure_boot.h
b/arch/arm/include/asm/fsl_secure_boot.h
new file mode 100644
index 000..f097c81
--- /dev/null
+++ b/arch/arm/include/asm/fsl_secure_boot.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2015 Freescale Semiconductor, Inc.
+ *
+ * SPDX-License-Identifier:GPL-2.0+
+ */
+
+#ifndef __FSL_SECURE_BOOT_H
+#define __FSL_SECURE_BOOT_H
+
+#ifdef CONFIG_SECURE_BOOT
+#ifndef CONFIG_FIT_SIGNATURE
+
+#define CONFIG_EXTRA_ENV \
+ setenv fdt_high 0xcfff; \
+ setenv initrd_high 0xcfff;\
+ setenv hwconfig \'fsl_ddr:ctlr_intlv=null,bank_intlv=null\';
+
+/* The address needs to be modified according to NOR memory map */
+#define CONFIG_BOOTSCRIPT_HDR_ADDR 0x600a
+
+#include config_fsl_secboot.h
+#endif
+#endif
+
+#endif
diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h
b/arch/powerpc/include/asm/fsl_secure_boot.h
index 49f6814..8f794ef 100644
--- a/arch/powerpc/include/asm/fsl_secure_boot.h
+++ b/arch/powerpc/include/asm/fsl_secure_boot.h
@@ -67,5 +67,24 @@
#define CONFIG_FSL_ISBC_KEY_EXT
#endif
+#ifndef CONFIG_FIT_SIGNATURE
+/* The bootscript header address is different for B4860 because the NOR
+ * mapping is different on B4 due to reduced NOR size.
+ */
+#if defined(CONFIG_B4860QDS)
+#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xecc0
+#elif defined(CONFIG_FSL_CORENET)
+#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xe8e0
+#elif defined(CONFIG_BSC9132QDS)
+#define CONFIG_BOOTSCRIPT_HDR_ADDR 0x8802
+#elif defined(CONFIG_C29XPCIE)
+#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xec02
+#else
+#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xee02
+#endif
+
+#include config_fsl_secboot.h
+#endif
+
#endif
#endif
diff --git a/board/freescale/common/cmd_esbc_validate.c
b/board/freescale/common/cmd_esbc_validate.c
index 8500ba5..8bbe85b 100644
--- a/board/freescale/common/cmd_esbc_validate.c
+++ b/board/freescale/common/cmd_esbc_validate.c
@@ -8,6 +8,16 @@
#include command.h
#include fsl_validate.h
+static int do_esbc_halt(cmd_tbl_t *cmdtp, int flag, int argc,
+ char * const argv[])
+{
+ printf(Core is entering spin loop.\n);
+loop:
+ goto loop;
+
+ return 0;
+}
+
static int do_esbc_validate(cmd_tbl_t *cmdtp, int flag, int argc,
char * const argv[])
{
@@ -32,3 +42,9 @@ U_BOOT_CMD(
Validates signature on a given image using RSA verification,
esbc_validate_help_text
);
+
+U_BOOT_CMD(
+ esbc_halt, 1, 0, do_esbc_halt,
+ Put the core in spin loop ,
+
+);
diff --git a/include/config_fsl_secboot.h b/include/config_fsl_secboot.h
new file mode 100644
index 000..050b157
--- /dev/null
+++ b/include/config_fsl_secboot.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright 2015 Freescale Semiconductor, Inc.
+ *
+ * SPDX-License-Identifier:GPL-2.0+
+ */
+
+#ifndef __CONFIG_FSL_SECBOOT_H
+#define __CONFIG_FSL_SECBOOT_H
+
+#ifdef CONFIG_SECURE_BOOT
+
+#ifndef CONFIG_CMD_ESBC_VALIDATE
+#define CONFIG_CMD_ESBC_VALIDATE
+#endif
+
+#ifndef CONFIG_EXTRA_ENV
+#define CONFIG_EXTRA_ENV
+#endif
+
+/*
+ * Control should not reach back to uboot after validation of images
+ * for secure boot flow and therefore bootscript should have
+ * the bootm command. If control reaches back to uboot anyhow
+ * after validating images, core should just spin.
+ */
+
+/*
+ * Define the key hash for boot script here if public/private key pair used to
+ * sign bootscript are different from the SRK hash put in the fuse
+ * Example of defining KEY_HASH is
+ * #define CONFIG_BOOTSCRIPT_KEY_HASH \
+ * 41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b
+
