verified-boot: Minimal support for booting U-Boot proper from SPL
This allows a board to configure verified boot within the SPL using a FIT or FIT with external data. It also allows the SPL to perform signature verification without needing relocation. The board configuration will need to add the following feature defines: CONFIG_SPL_CRYPTO_SUPPORT CONFIG_SPL_HASH_SUPPORT CONFIG_SPL_SHA256 In this example, SHA256 is the only selected hashing algorithm. And the following booleans: CONFIG_SPL=y CONFIG_SPL_DM=y CONFIG_SPL_LOAD_FIT=y CONFIG_SPL_FIT=y CONFIG_SPL_OF_CONTROL=y CONFIG_SPL_OF_LIBFDT=y CONFIG_SPL_FIT_SIGNATURE=y Signed-off-by: Teddy Reed <teddy.reed@gmail.com> Acked-by: Simon Glass <sjg@chromium.org> Acked-by: Andreas Dannenberg <dannenberg@ti.com> Acked-by: Sumit Garg <sumit.garg@nxp.com>
This commit is contained in:
Teddy Reed
@@ -183,6 +183,11 @@ config FIT
|
||||
verified boot (secure boot using RSA). This option enables that
|
||||
feature.
|
||||
|
||||
config SPL_FIT
|
||||
bool "Support Flattened Image Tree within SPL"
|
||||
depends on FIT
|
||||
depends on SPL
|
||||
|
||||
config FIT_VERBOSE
|
||||
bool "Display verbose messages on FIT boot"
|
||||
depends on FIT
|
||||
@@ -205,6 +210,12 @@ config FIT_SIGNATURE
|
||||
format support in this case, enable it using
|
||||
CONFIG_IMAGE_FORMAT_LEGACY.
|
||||
|
||||
config SPL_FIT_SIGNATURE
|
||||
bool "Enable signature verification of FIT firmware within SPL"
|
||||
depends on SPL_FIT
|
||||
depends on SPL_DM
|
||||
select SPL_RSA
|
||||
|
||||
config FIT_BEST_MATCH
|
||||
bool "Select the best match for the kernel device tree"
|
||||
depends on FIT
|
||||
|
||||
Reference in New Issue
Block a user