Skip to content

mediatek: Add BPi R3 Secure Boot support

Piotr Kubik requested to merge pkubik-mtk-secure-boot into iop-mediatek-20220630

Waits for merge !21 (merged) - Add iopsys changes on top of uplifted mtk u-boot to have less commits here.

Changes:

  • Updated BPi-R3, mtk-panther defconfigs for U-Boot 2022.07-rc5
  • Add BPi-R3 SB config
  • Disable legacy image format, enable separate DTS (needed for PKEY insert to FIP)
  • Enable env UBI storage in defconfig - temporary for ENV handling
  • Allow ENVs to be stored in UBI and override DTS - temporary for ENV handling

Config changes regarding secure boot different from non-secure config:

+CONFIG_CHAIN_OF_TRUST=y
-# CONFIG_MTK_SECURE_BOOT is not set
+CONFIG_MTK_SECURE_BOOT=y
+# CONFIG_MTK_ANTI_ROLLBACK is not set
-# CONFIG_IMAGE_FORCED_VERIFY is not set
+CONFIG_IMAGE_FORCED_VERIFY=y
-# CONFIG_FIT_SIGNATURE is not set
+CONFIG_FIT_SIGNATURE=y
+CONFIG_FIT_SIGNATURE_MAX_SIZE=0x10000000
+# CONFIG_FIT_RSASSA_PSS is not set
-CONFIG_LEGACY_IMAGE_FORMAT=y
+# CONFIG_LEGACY_IMAGE_FORMAT is not set
-CONFIG_DEFAULT_FDT_FILE="mediatek/mt7986a-bpi-r3-emmc.dtb"
+CONFIG_DEFAULT_FDT_FILE="mt7986a-bpi-r3-emmc"
+CONFIG_IMAGE_SIGN_INFO=y
-# CONFIG_OF_SEPARATE is not set
-CONFIG_OF_EMBED=y
+CONFIG_OF_SEPARATE=y
+# CONFIG_OF_EMBED is not set
-# CONFIG_ENV_IS_NOWHERE is not set
-# CONFIG_ENV_IS_IN_EEPROM is not set
-# CONFIG_ENV_IS_IN_FAT is not set
-# CONFIG_ENV_IS_IN_EXT4 is not set
-# CONFIG_ENV_IS_IN_FLASH is not set
-# CONFIG_ENV_IS_IN_MMC is not set
-# CONFIG_ENV_IS_IN_MTD is not set
-# CONFIG_ENV_IS_IN_NAND is not set
-# CONFIG_ENV_IS_IN_NVRAM is not set
-# CONFIG_ENV_IS_IN_ONENAND is not set
-# CONFIG_ENV_IS_IN_REMOTE is not set
-# CONFIG_ENV_IS_IN_SPI_FLASH is not set
-# CONFIG_ENV_UBI_VOLUME_CREATE is not set
-CONFIG_BOOTDEV_ETH=y
+# CONFIG_BOOTDEV_ETH is not set
-# CONFIG_RSA is not set
+CONFIG_RSA=y
+# CONFIG_SPL_RSA is not set
+CONFIG_RSA_VERIFY=y
+# CONFIG_RSA_VERIFY_WITH_PKEY is not set
+CONFIG_RSA_SOFTWARE_EXP=y
+# CONFIG_ASYMMETRIC_KEY_TYPE is not set

Anti-rollback feature needs to be enabled later for full secure-boot support.

Edited by Piotr Kubik

Merge request reports