From: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
To: barebox@lists.infradead.org
Subject: [PATCH 04/13] boot: invert the secure boot forcing support
Date: Sun, 26 Mar 2017 04:44:55 +0200 [thread overview]
Message-ID: <1490496304-30850-4-git-send-email-plagnioj@jcrosoft.com> (raw)
In-Reply-To: <1490496304-30850-1-git-send-email-plagnioj@jcrosoft.com>
Add HAS_SECURE_BOOT as we will add other image format that support secure boot
Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
---
common/Kconfig | 12 ++++++++----
common/bootm.c | 6 +++---
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/common/Kconfig b/common/Kconfig
index f7ff04664..895814ee9 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -21,6 +21,9 @@ config HAS_KALLSYMS
config HAS_MODULES
bool
+config HAS_SECURE_BOOT
+ bool
+
config HAS_CACHE
bool
help
@@ -624,6 +627,7 @@ config BOOTM_FITIMAGE_SIGNATURE
prompt "support verifying signed FIT images"
depends on BOOTM_FITIMAGE
select FITIMAGE_SIGNATURE
+ select HAS_SECURE_BOOT
help
Support verifying signed FIT images. This requires FIT images
as described in:
@@ -631,14 +635,14 @@ config BOOTM_FITIMAGE_SIGNATURE
Additionally the barebox device tree needs a /signature node with the
public key with which the image has been signed.
-config BOOTM_FORCE_SIGNED_IMAGES
+config BOOT_FORCE_SIGNED_IMAGES
bool
prompt "Force booting of signed images"
- depends on BOOTM_FITIMAGE_SIGNATURE
+ depends on HAS_SECURE_BOOT
help
With this option enabled only signed images can be booted, unsigned images
- are refused to boot. Effectively this means only FIT images can be booted
- since they are the only supported image type that support signing.
+ are refused to boot. Effectively this means only Signed images can
+ be booted.
config BLSPEC
depends on BLOCK
diff --git a/common/bootm.c b/common/bootm.c
index 53311ab1c..885b09f81 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -82,7 +82,7 @@ enum bootm_verify bootm_get_verify_mode(void)
}
static const char * const bootm_verify_names[] = {
-#ifndef CONFIG_BOOTM_FORCE_SIGNED_IMAGES
+#ifndef CONFIG_BOOT_FORCE_SIGNED_IMAGES
[BOOTM_VERIFY_NONE] = "none",
[BOOTM_VERIFY_HASH] = "hash",
[BOOTM_VERIFY_AVAILABLE] = "available",
@@ -531,7 +531,7 @@ int bootm_boot(struct bootm_data *bootm_data)
goto err_out;
}
- if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES)) {
+ if (IS_ENABLED(CONFIG_BOOT_FORCE_SIGNED_IMAGES)) {
data->verify = BOOTM_VERIFY_SIGNATURE;
/*
@@ -635,7 +635,7 @@ static int bootm_init(void)
globalvar_add_simple("bootm.initrd.loadaddr", NULL);
}
- if (IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES))
+ if (IS_ENABLED(CONFIG_BOOT_FORCE_SIGNED_IMAGES))
bootm_verify_mode = BOOTM_VERIFY_SIGNATURE;
globalvar_add_simple_int("bootm.verbose", &bootm_verbosity, "%u");
--
2.11.0
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
next prev parent reply other threads:[~2017-03-26 2:39 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-25 8:31 [PATCH 00/13] add efi secure boot support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 01/13] bootm: move open to image_handler Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 02/13] boot_verify: use a new error ESECVIOLATION Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 7:59 ` Michael Olbrich
2017-03-26 2:44 ` [PATCH 03/13] bootm: make security generic Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` Jean-Christophe PLAGNIOL-VILLARD [this message]
2017-03-26 2:44 ` [PATCH 05/13] move boot verify to generic code Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 06/13] boot_verify: make it modifiable at start time Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 8:16 ` Michael Olbrich
2017-03-26 2:44 ` [PATCH 07/13] go: only use it if boot signature is not required Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 8:23 ` Michael Olbrich
2017-03-27 11:50 ` Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:44 ` [PATCH 08/13] boot_verify: allow to force unsigned image to boot Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 8:25 ` Michael Olbrich
2017-03-26 2:45 ` [PATCH 09/13] boot_verify: add password request support Jean-Christophe PLAGNIOL-VILLARD
2017-03-27 6:11 ` Sascha Hauer
2017-03-26 2:45 ` [PATCH 10/13] efi: add more security related guid for the efivars Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:45 ` [PATCH 11/13] efi: fix lds for secure boot support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 8:30 ` Michael Olbrich
2017-03-26 2:45 ` [PATCH 12/13] efi: fix secure and setup mode report Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 2:45 ` [PATCH 13/13] efi: enable sercure boot support Jean-Christophe PLAGNIOL-VILLARD
2017-03-26 7:57 ` [PATCH 01/13] bootm: move open to image_handler Michael Olbrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1490496304-30850-4-git-send-email-plagnioj@jcrosoft.com \
--to=plagnioj@jcrosoft.com \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox