On Thu, 7 Jan 2021 at 03:03, Siew Chin Lim <elly.siew.chin....@intel.com> wrote: > > Vendor Authorized Boot is a security feature for authenticating > the images such as U-Boot, ARM trusted Firmware, Linux kernel, > device tree blob and etc loaded from FIT. After those images are > loaded from FIT, the VAB certificate and signature block appended > at the end of each image are sent to Secure Device Manager (SDM) > for authentication. U-Boot will validate the SHA384 of the image > against the SHA384 hash stored in the VAB certificate before > sending the image to SDM for authentication. > > Signed-off-by: Siew Chin Lim <elly.siew.chin....@intel.com> > > --- > v2 > --- > - Renamed SECURE_VAB_AUTH* to SOCFPGA_SECURE_VAB_AUTH* > - Changes in secure_vab.c > - Changed to use SZ_1K for 1024 > - Updated comment in secure_vab.c of "... the certificate for T" > - The code will report error before end of the function if reach > maximum retry. > - In board_prep_linux function, only execute linux_qspi_enable > command if it exists in enviroment variable. It is optional. > --- > arch/arm/mach-socfpga/Kconfig | 15 ++ > arch/arm/mach-socfpga/Makefile | 2 + > arch/arm/mach-socfpga/include/mach/mailbox_s10.h | 1 + > arch/arm/mach-socfpga/include/mach/secure_vab.h | 63 ++++++++ > arch/arm/mach-socfpga/secure_vab.c | 193 > +++++++++++++++++++++++ > common/Kconfig.boot | 2 +- > 6 files changed, 275 insertions(+), 1 deletion(-) > create mode 100644 arch/arm/mach-socfpga/include/mach/secure_vab.h > create mode 100644 arch/arm/mach-socfpga/secure_vab.c
I think this could use a few more function comments. Also try to use if() instead of #if Regards, Simon