[Skiboot] [PATCH 01/15] doc/device-tree: Add ibm, secureboot.txt
Claudio Carvalho
cclaudio at linux.vnet.ibm.com
Fri Sep 2 14:02:34 AEST 2016
On 09/01/2016 08:41 PM, Balbir Singh wrote:
>
>
> On 11/08/16 15:23, Claudio Carvalho wrote:
>> This adds a documentation for the ibm,secureboot device tree node.
>>
>> Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
>> ---
>> doc/device-tree/ibm,secureboot.txt | 42 ++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 42 insertions(+)
>> create mode 100644 doc/device-tree/ibm,secureboot.txt
>>
>> diff --git a/doc/device-tree/ibm,secureboot.txt b/doc/device-tree/ibm,secureboot.txt
>> new file mode 100644
>> index 0000000..387cb25
>> --- /dev/null
>> +++ b/doc/device-tree/ibm,secureboot.txt
>> @@ -0,0 +1,42 @@
>> +Device tree bindings for ibm,secureboot
>> +=======================================
>> +
>> +This node represents the presence of the ROM verification code in the
>> +platform. It has properties related to secure boot and trusted boot.
>> +
>> +Required properties
>> +-------------------
>> +
>> +- compatible : ibm,secureboot version. It is related to the ROM verification
>> + code version.
>> +
>> +- hash-algo : hash algorithm used for the hw-key-hash. Aspects such as the
>> + size of the hw-key-hash can be infered from this property.
>> +
>> +- secure-enabled : this property exists whether the system is booting on
>> + secure mode.
>
> I think the enabled explains that it is booted with enabled. Maybe the
> documentation should first introduce what is secure boot and then
> explain the enabled property

Secure boot and trusted boot are documented in a separate file, which is
added by the patch:
"[PATCH 03/15] doc: Add initial secure and trusted boot documentation"

Stewart also asked some questions about this patch. I've just answered
his questions and also proposed a few paragraphs to replace the first one.

>
>> +
>> +- trusted-enabled : this property exists whether the system is booting on
>> + trusted mode.
>
>
> Ditto
>
>> +
>> +- hw-key-hash : hash of three concatenated hardware public key. This is
>> + required by the ROM verification code to verify images.
>> +
>> +Example
>> +-------
>> +
>> +For the first version "ibm,secureboot-v1", the ROM verification code expects the
>> +hw-key-hash to be a sha512 hash.
>> +
>> +ibm,secureboot {
>> + compatible = "ibm,secureboot-v1";
>> + hash-algo = "sha512";
>> + secure-enabled;
>> + trusted-enabled;
>> + hw-key-hash = <0x40d487ff 0x7380ed6a 0xd54775d5 0x795fea0d 0xe2f541fe
>> +0xa9db06b8 0x466a42a3 0x20e65f75 0xb4866546 0x17d907 0x515dc2a5 0xf9fc5095
>> +0x4d6ee0c9 0xb67d219d 0xfb708535 0x1d01d6d1>;
>> + phandle = <0x100000fd>;
>> + linux,phandle = <0x100000fd>;
>> +};
>> +
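
Review bot: The secure-enabled and trusted-enabled entries say the property "exists whether the system is booting on" secure or trusted mode, which does not define what presence or absence means. Suggest wording such as "present if and only if the system is booting in secure mode" (and the same for trusted mode), and stating explicitly what a missing property signals, so that a consumer of the node cannot read it either way. In the hw-key-hash entry, "three concatenated hardware public key" should read "keys", and the entry could state the expected length directly (the example's sha512 value is 16 cells, 64 bytes) rather than leaving it to be inferred from hash-algo, where "infered" is also misspelled. In the example, the cell 0x17d907 is printed without leading zeros; writing it as 0x0017d907 makes it clear that every cell carries a full 32 bits of the hash.
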
>>
>
>