From a313abf4cb9e2c5b67458ac8ca3510441ad4dc2d Mon Sep 17 00:00:00 2001 From: Sanrio Alvares Date: Thu, 2 Jun 2016 11:03:19 -0700 Subject: edison: Authenticate u-boot-edison.bin during POS For Verified Boot, during provisioning the OSIP attribute has to be "signed" for POS. If this is not enabled, the u-boot.bin that is loaded will not be authenticated, hence breaking root of trust. Change-Id: I3c5ea88ec1eee567f8db02b89f04c881a6b3434a Signed-off-by: Sanrio Alvares Reviewed-on: https://android.intel.com/512311 Reviewed-by: Timohi, Alexandru Reviewed-by: Beare, Bruce J --- board/intel/edison/Kconfig | 8 ++++++++ board/intel/edison/edison.c | 4 ++++ 2 files changed, 12 insertions(+) diff --git a/board/intel/edison/Kconfig b/board/intel/edison/Kconfig index 5c084015b5..69b9df5808 100644 --- a/board/intel/edison/Kconfig +++ b/board/intel/edison/Kconfig @@ -46,6 +46,14 @@ config EDISON_ENABLE_EMMC_PWR_ON_WP the device. Release the RM button once fastboot logs appeared in the serial console or more than 5 seconds passed since power on. +config OSIP_SIGNED_ATTRIBUTE + bool "Authenticate u-boot.bin signature" + default "edison" + help + For Verified Boot, during provisioning the OSIP attribute has to + be "signed" for POS. If this is not enabled, the u-boot.bin that + is loaded will not be authenticated, hence breaking root of trust. + config BOARD_SPECIFIC_OPTIONS # dummy def_bool y select INTEL_SCU diff --git a/board/intel/edison/edison.c b/board/intel/edison/edison.c index 55e22b5b77..e1bf93dd29 100644 --- a/board/intel/edison/edison.c +++ b/board/intel/edison/edison.c @@ -225,7 +225,11 @@ int board_populate_mbr_boot_code(legacy_mbr *mbr) osip->osii[0].load_address = 0x01100000; osip->osii[0].start_address = 0x01101000; osip->osii[0].image_size_blocks = 0x00002800; /* 5 MiB */ +#ifdef CONFIG_OSIP_SIGNED_ATTRIBUTE + osip->osii[0].attribute = 0x0000000e; +#else osip->osii[0].attribute = 0x0000000f; +#endif for (i = (uint8_t*)osip; i < ((uint8_t*)osip) + osip->header_size; i++) checksum ^= *i; -- cgit v1.2.3