U-Boot Secure Boot

Sumit Garg of NXP has submitted a 4-part patch to U-Boot to add Secure Boot support to U-Boot’s SPL framework. Sumit’s patch announcements follow.
(No, I didn’t edit out step 2 in the next paragraph; there were only two steps, 1 and 3.)

The patch-set does the following:
1. Enable chain of trust in SPL framework for ARM based platforms.
3. Add SD secure boot target for ls1021atwr platform.

Sumit Garg (4):
  DM: crypto/fsl: Enable rsa DM driver usage before relocation
  SECURE_BOOT: Enable chain of trust in SPL framework
  SECURE_BOOT: Enable SD as a source for bootscript
  arm: ls1021atwr: Add SD secure boot target

[PATCH 1/4] DM: crypto/fsl: Enable rsa DM driver usage before relocation

Enable rsa signature verification in SPL framework before relocation for verification of main u-boot.

[PATCH 2/4] SECURE_BOOT: Enable chain of trust in SPL framework

Override jump_to_image_no_args function to include validation of u-boot image using spl_validate_uboot before jumping to u-boot image.
Also define macros in SPL framework to enable crypto operations.

[PATCH 3/4] SECURE_BOOT: Enable SD as a source for bootscript

Add support for reading bootscript and bootscript header from SD. Also renamed macros *_FLASH to *_DEVICE to represent SD along with NAND and NOR flash.

[PATCH 4/4] arm: ls1021atwr: Add SD secure boot target

Add SD secure boot target for ls1021atwr.
Implement board specific spl_board_init() to set up CAAM stream ID and corresponding stream ID in SMMU. Change the u-boot size defined by a macro for copying the main U-Boot by SPL to also include the u-boot Secure Boot header size, as the header is appended to the u-boot image. So the header will also be copied from SD to DDR.
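
The validate-before-jump flow from patches 2/4 and 4/4, as an added example that is not code from the patch series or from U-Boot: it shows why the copy size must include the appended header, and that validation fails closed when it does not. The header layout, the magic value, the function names and the FNV-1a checksum standing in for RSA signature verification are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UBOOT_SIZE 64u          /* constructed payload size */
#define HDR_MAGIC  0x53424844u  /* constructed magic value */

/* Hypothetical header layout for illustration, not the real NXP header. */
struct sb_hdr { uint32_t magic, img_len, digest; };

/* FNV-1a: stand-in for the RSA signature check (assumption, not secure). */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

/* Build constructed SD contents: payload followed by the appended header. */
size_t make_sd_blob(uint8_t *sd) {
    struct sb_hdr h;
    for (size_t i = 0; i < UBOOT_SIZE; i++) sd[i] = (uint8_t)(i * 7 + 1);
    h.magic = HDR_MAGIC;
    h.img_len = UBOOT_SIZE;
    h.digest = fnv1a(sd, UBOOT_SIZE);
    memcpy(sd + UBOOT_SIZE, &h, sizeof h);
    return UBOOT_SIZE + sizeof h;
}

/* Validate what was copied to DDR; the header is expected at the very end. */
int validate_copied(const uint8_t *ddr, size_t copied) {
    struct sb_hdr h;
    if (copied < sizeof h) return 0;
    memcpy(&h, ddr + copied - sizeof h, sizeof h);
    if (h.magic != HDR_MAGIC) return 0;               /* header missing */
    if (h.img_len != copied - sizeof h) return 0;     /* length mismatch */
    return fnv1a(ddr, h.img_len) == h.digest;         /* payload modified? */
}

/* Hypothetical SPL step: copy SD to DDR, return 1 only if the jump is allowed. */
int spl_copy_and_validate(const uint8_t *sd, size_t copy_size, uint8_t *ddr) {
    memcpy(ddr, sd, copy_size);
    return validate_copied(ddr, copy_size);
}

int main(void) {
    uint8_t sd[128], ddr[128];
    size_t total = make_sd_blob(sd);
    printf("image+header copied: %d\n", spl_copy_and_validate(sd, total, ddr));
    printf("image only copied:   %d\n", spl_copy_and_validate(sd, UBOOT_SIZE, ddr));
    return 0;
}
```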

For more information, see the full patch on the list:
http://lists.denx.de/mailman/listinfo/u-boot
