/*
 * (C) Copyright 2015
 *
 * SPDX-License-Identifier: GPL-2.0+
 */

esbc_validate command
========================================

1. The esbc_validate command is meant for validating the header and
   signature of images (Boot Script and ESBC uboot client).
   SHA-256 and RSA operations are performed using the SEC block in HW.
   This command works on both PBL based and Non PBL based Freescale
   platforms.
   Command usage:
   esbc_validate img_hdr_addr [pub_key_hash]
   esbc_validate hdr_addr <hash_val>
     Validates signature using RSA verification.
     $hdr_addr Address of header of the image to be validated.
     $hash_val Optional. It provides the hash of the public/srk key
      to be used to verify the signature.

2. The ESBC uboot client can be linux. Additionally, rootfs and device
   tree blob can also be signed.
3. In the event of a header or signature failure in validation,
   the ITS and ITF bits determine the further course of action.
4. In case of a soft failure, an appropriate error is dumped on the
   console.
5. In case of a hard failure, the SoC is issued a RESET REQUEST after
   dumping the error on the console.
6. KEY REVOCATION Feature:
   QorIQ platforms like B4/T4 have support for an srk key table and
   key revocation in the ISBC code in Silicon.
   The srk key table allows the user to have a key table with multiple
   keys and to revoke any key in case that particular key gets
   compromised.
   In case the ISBC code uses key revocation and the srk key table to
   verify the u-boot code, the subsequent chain of trust should also
   use the same.
7. ISBC KEY EXTENSION Feature:
   This feature allows a large number of keys to be used for esbc
   validation of images. A set of public keys is signed and validated
   by the ISBC, and these keys can then be used for esbc validation of
   images.