xref: /OK3568_Linux_fs/u-boot/doc/README.esbc_validate (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1*4882a593Smuzhiyun/*
2*4882a593Smuzhiyun * (C) Copyright 2015
3*4882a593Smuzhiyun *
4*4882a593Smuzhiyun * SPDX-License-Identifier:	GPL-2.0+
5*4882a593Smuzhiyun */
6*4882a593Smuzhiyun
7*4882a593Smuzhiyunesbc_validate command
8*4882a593Smuzhiyun========================================
9*4882a593Smuzhiyun
10*4882a593Smuzhiyun1. esbc_validate command is meant for validating header and
11*4882a593Smuzhiyun    signature of images (Boot Script and ESBC uboot client).
12*4882a593Smuzhiyun    SHA-256 and RSA operations are performed using SEC block in HW.
13*4882a593Smuzhiyun    This command works on both PBL based and Non PBL based Freescale
14*4882a593Smuzhiyun    platforms.
15*4882a593Smuzhiyun   Command usage:
16*4882a593Smuzhiyun    esbc_validate img_hdr_addr [pub_key_hash]
17*4882a593Smuzhiyun    esbc_validate hdr_addr <hash_val>
18*4882a593Smuzhiyun     Validates signature using RSA verification.
19*4882a593Smuzhiyun     $hdr_addr Address of header of the image to be validated.
20*4882a593Smuzhiyun     $hash_val -Optional. It provides Hash of public/srk key to be
21*4882a593Smuzhiyun       used to verify signature.
22*4882a593Smuzhiyun
23*4882a593Smuzhiyun2. ESBC uboot client can be linux. Additionally, rootfs and device
24*4882a593Smuzhiyun    tree blob can also be signed.
25*4882a593Smuzhiyun3. In the event of header or signature failure in validation,
26*4882a593Smuzhiyun    ITS and ITF bits determine further course of action.
27*4882a593Smuzhiyun4. In case of soft failure, appropriate error is dumped on console.
28*4882a593Smuzhiyun5. In case of hard failure, SoC is issued RESET REQUEST after
29*4882a593Smuzhiyun    dumping error on the console.
30*4882a593Smuzhiyun6. KEY REVOCATION Feature:
31*4882a593Smuzhiyun    QorIQ platforms like B4/T4 have support of srk key table and key
32*4882a593Smuzhiyun    revocation in ISBC code in Silicon.
33*4882a593Smuzhiyun    The srk key table allows the user to have a key table with multiple
34*4882a593Smuzhiyun    keys and revoke any key in case of particular key gets compromised.
35*4882a593Smuzhiyun    In case the ISBC code uses the key revocation and srk key table to
36*4882a593Smuzhiyun    verify the u-boot code, the subsequent chain of trust should also
37*4882a593Smuzhiyun    use the same.
38*4882a593Smuzhiyun6. ISBC KEY EXTENSION Feature:
39*4882a593Smuzhiyun    This feature allows large number of keys to be used for esbc validation
40*4882a593Smuzhiyun    of images. A set of public keys is being signed and validated by ISBC
41*4882a593Smuzhiyun    which can be further used for esbc validation of images.
42