warp7: Add support for automated secure boot.scr verification

This patch adds support for verifying a signed boot.scr. With this in place it's possible for run-time Linux to update boot.scr to set different variables such as switching between different boot partitions, pointing to different kernels etc and for u-boot to verify these changes via the HAB prior to executing the commands contained in boot.scr. Signed-off-by: Bryan O'Donoghue <[email protected]> Tested-by: Breno Lima <[email protected]> Reviewed-by: Fabio Estevam <[email protected]>
grygoriyS · Apr 26, 2018 · bb96a08 · bb96a08
1 parent baea5ec
commit bb96a08
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/include/configs/warp7.h b/include/configs/warp7.h
@@ -53,6 +53,14 @@
 		"root=PARTUUID=${uuid} rootwait rw\0" \
 	"ivt_offset=" __stringify(BOOTROM_IVT_HDR_OFFSET)"\0"\
 	"warp7_auth_or_fail=hab_auth_img_or_fail ${hab_ivt_addr} ${filesize} 0;\0" \
+	"do_bootscript_hab=" \
+		"if test ${hab_enabled} -eq 1; then " \
+			"setexpr hab_ivt_addr ${loadaddr} - ${ivt_offset}; " \
+			"setenv script ${script_signed}; " \
+			"load mmc ${mmcdev}:${mmcpart} ${hab_ivt_addr} ${script}; " \
+			"run warp7_auth_or_fail; " \
+			"run bootscript; "\
+		"fi;\0" \
 	"loadbootscript=" \
 		"load mmc ${mmcdev}:${mmcpart} ${loadaddr} ${script};\0" \
 	"bootscript=echo Running bootscript from mmc ...; " \
@@ -79,6 +87,7 @@
 #define CONFIG_BOOTCOMMAND \
 	   "mmc dev ${mmcdev};" \
 	   "mmc dev ${mmcdev}; if mmc rescan; then " \
+		   "run do_bootscript_hab;" \
 		   "if run loadbootscript; then " \
 			   "run bootscript; " \
 		   "else " \