[Skiboot] [PATCH 01/15] doc/device-tree: Add ibm, secureboot.txt
Stewart Smith
stewart at linux.vnet.ibm.com
Tue Sep 6 17:15:29 AEST 2016
Claudio Carvalho <cclaudio at linux.vnet.ibm.com> writes:
> On 09/01/2016 05:46 AM, Stewart Smith wrote:
>> Claudio Carvalho <cclaudio at linux.vnet.ibm.com> writes:
>>> This adds documentation for the ibm,secureboot device tree node.
>>>
>>> Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
>>> ---
>>> doc/device-tree/ibm,secureboot.txt | 42 ++++++++++++++++++++++++++++++++++++++
>>> 1 file changed, 42 insertions(+)
>>> create mode 100644 doc/device-tree/ibm,secureboot.txt
>>>
>>> diff --git a/doc/device-tree/ibm,secureboot.txt b/doc/device-tree/ibm,secureboot.txt
>>> new file mode 100644
>>> index 0000000..387cb25
>>> --- /dev/null
>>> +++ b/doc/device-tree/ibm,secureboot.txt
>>
>> (minor point, but we recently switched to rst formatted docs. I'm not
>> too fussed if you move it over to .rst or not, I can do that with merge)
>>
>>> @@ -0,0 +1,42 @@
>>> +Device tree bindings for ibm,secureboot
>>> +=======================================
>>> +
>>> +This node represents the presence of the ROM verification code in the
>>> +platform. It has properties related to secure boot and trusted boot.
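
Review bot: the opening paragraph under the title says the node "represents the presence of the ROM verification code" but does not say what a consumer should conclude when the node is absent, and "properties related to secure boot and trusted boot" does not tell the reader which boot mode each property controls. Suggest stating in this paragraph who creates the node and how skiboot must treat a missing node, so that absence is a documented case rather than an implicit "nothing to verify or measure".
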
>>
>> Could you expand a bit on what you mean by ROM? (or point to the
>> explanation).
>>
>> Maybe something like:
>> "In a secure ROM flashed during manufacturing, there may exist some code
>> for secure/trusted boot. On POWER8, the presence of this code is announced to
>> skiboot (by HostBoot) by the ibm,secureboot node."
>
> I can replace the first paragraph with this in V2:
>
> "Secure boot and trusted boot rely on code burned into a secure ROM at
> manufacture time to verify and measure other code before it is
> executed. This ROM code is also referred to as ROM verification code.
>
> On POWER8, the presence of the ROM code is announced to skiboot (by
> Hostboot) by the ibm,secureboot node.
>
> If the system is booting up in secure mode, the ROM code is called for
> secure boot to verify the integrity and authenticity of code before it
> is executed.
>
> If the system is booting up in trusted mode, the ROM code is called for
> trusted boot to calculate the sha512 hash of code before it is executed.
>
> For further information about secure boot and trusted boot please refer
> to 'doc/stb.rst'."
>
> What do you think?
I think that's better.
--
Stewart Smith
OPAL Architect, IBM.