authorSanrio Alvares <sanrio.alvares@intel.com>2016-06-02 11:03:19 -0700
committerBeare, Bruce J <bruce.j.beare@intel.com>2016-06-14 20:51:58 +0100
commita313abf4cb9e2c5b67458ac8ca3510441ad4dc2d (patch)
tree551c5eedb9ca280f620bc78b9de4c42ad559b90d
parent541858e299919cd2e948691cef09b1f0d23cb84f (diff)
downloadedison-u-boot-a313abf4cb9e2c5b67458ac8ca3510441ad4dc2d.tar.gz
edison: Authenticate u-boot-edison.bin during POS
For Verified Boot, during provisioning the OSIP attribute has to be "signed" for POS. If this is not enabled, the u-boot.bin that is loaded will not be authenticated, hence breaking root of trust. Change-Id: I3c5ea88ec1eee567f8db02b89f04c881a6b3434a Signed-off-by: Sanrio Alvares <sanrio.alvares@intel.com> Reviewed-on: https://android.intel.com/512311 Reviewed-by: Timohi, Alexandru <alexandru.timohi@intel.com> Reviewed-by: Beare, Bruce J <bruce.j.beare@intel.com>
-rw-r--r--board/intel/edison/Kconfig8
-rw-r--r--board/intel/edison/edison.c4
2 files changed, 12 insertions, 0 deletions
diff --git a/board/intel/edison/Kconfig b/board/intel/edison/Kconfig
index 5c084015b5..69b9df5808 100644
--- a/board/intel/edison/Kconfig
+++ b/board/intel/edison/Kconfig
@@ -46,6 +46,14 @@ config EDISON_ENABLE_EMMC_PWR_ON_WP
the device. Release the RM button once fastboot logs appeared
in the serial console or more than 5 seconds passed since power on.
+config OSIP_SIGNED_ATTRIBUTE
+ bool "Authenticate u-boot.bin signature"
+ default "edison"
+ help
+ For Verified Boot, during provisioning the OSIP attribute has to
+ be "signed" for POS. If this is not enabled, the u-boot.bin that
+ is loaded will not be authenticated, hence breaking root of trust.
+
config BOARD_SPECIFIC_OPTIONS # dummy
def_bool y
select INTEL_SCU
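Review bot: The new `OSIP_SIGNED_ATTRIBUTE` entry is declared `bool` but carries `default "edison"`, a quoted string where Kconfig expects `y`/`n` or a symbol expression. Such a value most likely evaluates to `n`, which would leave authentication of u-boot.bin off unless someone enables it by hand; this should be confirmed against the generated `.config`. The help text itself says that leaving the option off breaks the root of trust, so the fail-safe default would be `default y`, with the unsigned path as the explicit opt-out for development builds. It would also help to state in the help text that the value is written into the OSIP at provisioning time, so changing the option has no effect on a device that has already been provisioned (if that is indeed the case).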
diff --git a/board/intel/edison/edison.c b/board/intel/edison/edison.c
index 55e22b5b77..e1bf93dd29 100644
--- a/board/intel/edison/edison.c
+++ b/board/intel/edison/edison.c
@@ -225,7 +225,11 @@ int board_populate_mbr_boot_code(legacy_mbr *mbr)
osip->osii[0].load_address = 0x01100000;
osip->osii[0].start_address = 0x01101000;
osip->osii[0].image_size_blocks = 0x00002800; /* 5 MiB */
+#ifdef CONFIG_OSIP_SIGNED_ATTRIBUTE
+ osip->osii[0].attribute = 0x0000000e;
+#else
osip->osii[0].attribute = 0x0000000f;
+#endif
for (i = (uint8_t*)osip; i < ((uint8_t*)osip) + osip->header_size; i++)
checksum ^= *i;
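Review bot: The two attribute values in the new `#ifdef` are bare magic numbers that differ only in bit 0, and nothing at the assignment says which bit means "signed" or what the other three bits select. Because this word decides whether the loaded image is authenticated, it deserves named constants or at least a comment, e.g. `/* bit 0 clear: OSII is signed and must be authenticated before it is run */` above the `0x0000000e` line. The unauthenticated value is also the silent `#else` fallback, so a build where `CONFIG_OSIP_SIGNED_ATTRIBUTE` is unset provisions an unsigned entry without any notice; a `#warning` in that branch would make the weaker configuration visible in build logs. `board_populate_mbr_boot_code` starts and ends outside this hunk, so whether the attribute is validated elsewhere cannot be seen here.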