mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-11-14 08:57:58 +00:00
857e313a3d
Fman microcode is executable code (AFAICT) loaded into a
coprocessor. As such, if verified boot is enabled, it must be verified
like other executable code. However, this is not currently done.
This commit adds verified boot functionality by encapsulating the
microcode in a FIT, which can then be signed/verified as normal. By
default we allow fallback to unencapsulated firmware, but if
CONFIG_FIT_SIGNATURE is enabled, then we make it mandatory. Because
existing Layerscape do not use this config (instead enabling
CONFIG_CHAIN_OF_TRUST), this should not break any existing boards.
An example (mildly-abbreviated) its is provided below:
/ {
#address-cells = <1>;
images {
firmware {
data = /incbin/(/path/to/firmware);
type = "firmware";
arch = "arm64";
compression = "none";
signature {
algo = "sha256,rsa2048";
key-name-hint = "your key name";
};
};
};
configurations {
default = "conf";
conf {
description = "Load FMAN microcode";
fman = "firmware";
};
};
};
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
|
||
|---|---|---|
| .. | ||
| b4860.c | ||
| dtsec.c | ||
| eth.c | ||
| fdt.c | ||
| fm.c | ||
| fm.h | ||
| init.c | ||
| ls1043.c | ||
| ls1046.c | ||
| Makefile | ||
| memac.c | ||
| memac_phy.c | ||
| p1023.c | ||
| p4080.c | ||
| p5020.c | ||
| p5040.c | ||
| t1024.c | ||
| t1040.c | ||
| t2080.c | ||
| t4240.c | ||
| tgec.c | ||
| tgec_phy.c | ||