Hi Ilias
-----Original Message----- From: Ilias Apalodimas ilias.apalodimas@linaro.org Sent: Friday, May 24, 2019 9:57 PM To: Udit Kumar udit.kumar@nxp.com Cc: boot-architecture@lists.linaro.org; Varun Sethi V.Sethi@nxp.com Subject: Re: [EXT] Securing the boot flow in U-Boot
Hi Udit,
What do you think?
Here we are talking about image signing and image validation. I am not sure what your plan is to make the key database (platform key, KEK and DBs) secure while writing. AFAIU, this is one of the requirements of secure UEFI: these secure variables
should be written in MM mode. The plan on that is to run StMM as an OP-TEE TA. This will allow us to run StMM + fTPM simultaneously. The current plan is to support the UEFI specs on U-Boot without having secure variable storage. That one is our next step.
Maybe I am asking too early about your next step. Where do you see the flash driver sitting? Possible options I see:
1/ In OP-TEE, with StMM making a syscall to access it
2/ In TF-A (EL3) itself, with StMM making SMC calls
3/ OP-TEE does a sort of mmap of the flash controller area and the driver resides in Sec-EL0 itself
Thanks /Ilias