Re: Layerscape secure boot

From: Sascha Hauer <sha@pengutronix.de>
To: "Barbier, Renaud" <renaud.barbier@abaco.com>
Cc: "barebox@lists.infradead.org" <barebox@lists.infradead.org>
Subject: Re: Layerscape secure boot
Date: Mon, 1 Feb 2021 10:46:02 +0100	[thread overview]
Message-ID: <20210201094602.GP19583@pengutronix.de> (raw)
In-Reply-To: <MN2PR16MB31357A9BB6E7D4B2B31274A591B99@MN2PR16MB3135.namprd16.prod.outlook.com>

Hi Renaud,

On Fri, Jan 29, 2021 at 05:59:02PM +0000, Barbier, Renaud wrote:
> Is secure boot supported or planned to be supported on Layerscape
> (LS1046A)?  This will be our first board supporting secure boot.

We have no plans adding that.

> 
> If not supported yet we intend to support it (pending having the
> documentation/SDK...) and would like to do in a way that could be
> accepted upstream.

Nice :)

> 
> Are other boards like the IMX6/8 in barebox supporting secure boot a
> reference to do secure boot for other boards?  I guess it quite
> hardware specific.

It seems that NXP reused parts of the secure boot concept from i.MX. The
overall concept on i.MX is known as "High Assurance Boot" (HAB), I
haven't found that on Layerscape. However, just like the i.MX the
Layerscape also has "Command Sequence Files" (CSF), the Code signing
Tool (CST) also works on Layerscape, and on Layerscape there are also
"Super Root Key hashes". I suspect the overall process is quite similar
to i.MX, so the HAB code could probably be used as a stone quarry.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox