authorMario Six <mario.six@gdsys.cc>2017-01-11 15:01:00 (GMT)
committerStefan Roese <sr@denx.de>2017-02-01 08:04:18 (GMT)
commita1b6b0a9c1f91756b93e6d804837dc178d79d39e (patch)
treee66ce37c0d31f8ce1dac414cb470e1d2037a77f9 /tools/kwbimage.h
parent4991b4f7f1e55fed161462cefca7fe483fd3e477 (diff)
arm: mvebu: Implement secure boot
The patch implements secure booting for the mvebu architecture. This includes: - The addition of secure headers and all needed signatures and keys in mkimage - Commands capable of writing the board's efuses to both write the needed cryptographic data and enable the secure booting mechanism - The creation of convenience text files containing the necessary commands to write the efuses The KAK and CSK keys are expected to reside in the files kwb_kak.key and kwb_csk.key (OpenSSL 2048 bit private keys) in the top-level directory. Signed-off-by: Reinhard Pfau <reinhard.pfau@gdsys.cc> Signed-off-by: Mario Six <mario.six@gdsys.cc> Reviewed-by: Stefan Roese <sr@denx.de> Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Stefan Roese <sr@denx.de>
Diffstat (limited to 'tools/kwbimage.h')
-rw-r--r--tools/kwbimage.h37
1 files changed, 37 insertions, 0 deletions
diff --git a/tools/kwbimage.h b/tools/kwbimage.h
index 01c2f1f..20f4d0d 100644
--- a/tools/kwbimage.h
+++ b/tools/kwbimage.h
@@ -114,6 +114,43 @@ struct opt_hdr_v1 {
};
/*
+ * Public Key data in DER format
+ */
+struct pubkey_der_v1 {
+ uint8_t key[524];
+};
+
+/*
+ * Signature (RSA 2048)
+ */
+struct sig_v1 {
+ uint8_t sig[256];
+};
+
+/*
+ * Structure of secure header (Armada 38x)
+ */
+struct secure_hdr_v1 {
+ uint8_t headertype; /* 0x0 */
+ uint8_t headersz_msb; /* 0x1 */
+ uint16_t headersz_lsb; /* 0x2 - 0x3 */
+ uint32_t reserved1; /* 0x4 - 0x7 */
+ struct pubkey_der_v1 kak; /* 0x8 - 0x213 */
+ uint8_t jtag_delay; /* 0x214 */
+ uint8_t reserved2; /* 0x215 */
+ uint16_t reserved3; /* 0x216 - 0x217 */
+ uint32_t boxid; /* 0x218 - 0x21B */
+ uint32_t flashid; /* 0x21C - 0x21F */
+ struct sig_v1 hdrsig; /* 0x220 - 0x31F */
+ struct sig_v1 imgsig; /* 0x320 - 0x41F */
+ struct pubkey_der_v1 csk[16]; /* 0x420 - 0x24DF */
+ struct sig_v1 csksig; /* 0x24E0 - 0x25DF */
+ uint8_t next; /* 0x25E0 */
+ uint8_t reserved4; /* 0x25E1 */
+ uint16_t reserved5; /* 0x25E2 - 0x25E3 */
+};
+
+/*
* Various values for the opt_hdr_v1->headertype field, describing the
* different types of optional headers. The "secure" header contains
* informations related to secure boot (encryption keys, etc.). The
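Review bot: The byte offsets in the `secure_hdr_v1` field comments are documentation only; nothing in the hunk makes the compiler enforce them, so a later field edit or an unusual host ABI could shift `hdrsig`, `imgsig` or `csksig` without a build failure, and a misplaced key or signature field would probably only show up once secure boot is enabled on a board. The members as written do add up to 0x25E4 bytes under natural alignment, so a check such as `_Static_assert(sizeof(struct secure_hdr_v1) == 0x25E4, "secure_hdr_v1 layout");` after the struct would pin the layout (whether the neighbouring header structs carry a packed attribute is not visible in this hunk). The sizes `524`, `256` and `16` would read better as named constants, and the `pubkey_der_v1` comment should say how an encoding shorter than 524 bytes is padded, since that padding presumably falls inside the signed region. The multi-byte fields are presumably little-endian in the image; a one-line comment saying so would help anyone building mkimage on a big-endian host.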