Commit ff8ab3ff76e0da08e7253ed6446ba8d79e51c0ec
Committed by
Ye Li
Ye Li
1 parent
415efc9358
Exists in
smarc-imx_v2017.03_o8.1.0_1.3.0_8m
and in
1 other branch
Convert CONFIG_CMD_BLOB to Kconfig
This converts the following to Kconfig: CONFIG_CMD_BLOB Signed-off-by: Simon Glass <sjg@chromium.org> [trini: Add imply CMD_BLOB under CHAIN_OF_TRUST] Signed-off-by: Tom Rini <trini@konsulko.com> [Breno: Backported to v2017.03] Signed-off-by: Breno Lima <breno.lima@nxp.com> Reviewed-by: Ye Li <ye.li@nxp.com> (cherry picked from commit 921eb14d54c612680c3e73d9ddf9e1b9f526905f)
Showing 6 changed files with 47 additions and 4 deletions Side-by-side Diff
arch/arm/include/asm/fsl_secure_boot.h
arch/powerpc/include/asm/fsl_secure_boot.h
board/freescale/common/Kconfig
cmd/Kconfig
| ... | ... | @@ -740,6 +740,51 @@ |
| 740 | 740 | endmenu |
| 741 | 741 | |
| 742 | 742 | menu "Security commands" |
| 743 | + | |
| 744 | +config CMD_BLOB | |
| 745 | + bool "Enable the 'blob' command" | |
| 746 | + help | |
| 747 | + This is used with the Freescale secure boot mechanism. | |
| 748 | + | |
| 749 | + Freescale's SEC block has built-in Blob Protocol which provides | |
| 750 | + a method for protecting user-defined data across system power | |
| 751 | + cycles. SEC block protects data in a data structure called a Blob, | |
| 752 | + which provides both confidentiality and integrity protection. | |
| 753 | + | |
| 754 | + Encapsulating data as a blob | |
| 755 | + Each time that the Blob Protocol is used to protect data, a | |
| 756 | + different randomly generated key is used to encrypt the data. | |
| 757 | + This random key is itself encrypted using a key which is derived | |
| 758 | + from SoC's non-volatile secret key and a 16 bit Key identifier. | |
| 759 | + The resulting encrypted key along with encrypted data is called a | |
| 760 | + blob. The non-volatile secure key is available for use only during | |
| 761 | + secure boot. | |
| 762 | + | |
| 763 | + During decapsulation, the reverse process is performed to get back | |
| 764 | + the original data. | |
| 765 | + | |
| 766 | + Sub-commands: | |
| 767 | + blob enc - encapsulating data as a cryptgraphic blob | |
| 768 | + blob dec - decapsulating cryptgraphic blob to get the data | |
| 769 | + | |
| 770 | + Syntax: | |
| 771 | + | |
| 772 | + blob enc src dst len km | |
| 773 | + | |
| 774 | + Encapsulate and create blob of data $len bytes long | |
| 775 | + at address $src and store the result at address $dst. | |
| 776 | + $km is the 16 byte key modifier is also required for | |
| 777 | + generation/use as key for cryptographic operation. Key | |
| 778 | + modifier should be 16 byte long. | |
| 779 | + | |
| 780 | + blob dec src dst len km | |
| 781 | + | |
| 782 | + Decapsulate the blob of data at address $src and | |
| 783 | + store result of $len byte at addr $dst. | |
| 784 | + $km is the 16 byte key modifier is also required for | |
| 785 | + generation/use as key for cryptographic operation. Key | |
| 786 | + modifier should be 16 byte long. | |
| 787 | + | |
| 743 | 788 | config CMD_TPM |
| 744 | 789 | bool "Enable the 'tpm' command" |
| 745 | 790 | depends on TPM |
cmd/Makefile
| ... | ... | @@ -158,9 +158,9 @@ |
| 158 | 158 | # Power |
| 159 | 159 | obj-$(CONFIG_CMD_PMIC) += pmic.o |
| 160 | 160 | obj-$(CONFIG_CMD_REGULATOR) += regulator.o |
| 161 | -endif # !CONFIG_SPL_BUILD | |
| 162 | 161 | |
| 163 | 162 | obj-$(CONFIG_CMD_BLOB) += blob.o |
| 163 | +endif # !CONFIG_SPL_BUILD | |
| 164 | 164 | |
| 165 | 165 | # core command |
| 166 | 166 | obj-y += nvedit.o |