Hi,

On Tue, Jan 12, 2016 at 9:35 PM, Leo Yan <leo.yan@linaro.org> wrote:
Hi Vee, Joakim,

On Tue, Jan 12, 2016 at 09:25:39PM +0900, Victor Chong wrote:
> On Tue, Jan 12, 2016 at 8:03 AM, Joakim Bech <joakim.bech@linaro.org> wrote:
> > On Tue, Jan 12, 2016 at 12:32:45AM +0530, Amit Kucheria wrote:
> > > On Tue, Jan 12, 2016 at 12:08 AM, git git <gitfineon@online.de> wrote:
> > > > Hi,
> > > >
> > > > has anybody tried to activate/implement the Trusted Board Boot (TBB)
> > feature
> > > > of ARM Trusted Firmware (ATF) on Hikey or any other 96Board, yet?
> > >
> > > It would be interesting to get this working but I don't think we've
> > > worked on it. Joakim, has anybody in the security WG tried this?
> > >
> > I'm afraid not, however we have it on the todo-list, then plan is to
> > deal with it in SWG-112 (Epic, and Stories, 113 to 116).
> >
> > > > Minimal requirement to run TBB is GENERATE_COT, but it should be
> > possible to
> > > > only generate these Certificates of Trust (CoT) and add them to the
> > your
> > > > Firmware Image Package (FIP). I've already tested TBB (incl. CoT) with
> > Juno
> > > > DevBoard and it worked fine. The 96Boards repository does not mention
> > TBB
> > > > anywhere.
> > >
> > I think ARM introduced the authenticated framework somewhere after they
> > released v1.1, could it be that simple that 96Boards ARM-TF fork lags
> > behind? The authenticated framework was introduced somewhere here:
> >
> > https://github.com/ARM-software/arm-trusted-firmware/commits/d337aaaf53ef27897f52e66718a2741399c8a021
>
>
> Above is dated 2015/6/16
> Hikey branch forked here:
> https://github.com/96boards/arm-trusted-firmware/commits/hikey?page=5
> https://github.com/96boards/arm-trusted-firmware/commit/68fc81743e8671312a98c364ba2b0d69429cf4c6
> dated 2015/2/15, so seems like it is behind.
> I believe work is ongoing to rebase on something newer, but don't have any
> more info about it.

Just reminding, I checked changelog ARM-TF for Hikey is based on v1.1;
I also see in the code there have "TRUSTED_BOARD_BOOT" related
configuration. So actually now ARM-TF can support trusted boot
but has not enabled yet, right?

So it looks like the one in Feb is the 'old' implementation and was replaced by a 'new' implementation in June (https://github.com/ARM-software/arm-trusted-firmware/commit/1779ba6b97fbff87290f164c7c78559329173e02). Seem to remember the old one was just a first prototype so not sure how well it works or how well tested it is vs the new. Maybe someone from ARM can verify?

Thanks!


 4 New features
 5 ------------
 6
 7 *   A prototype implementation of Trusted Board Boot has been added. Boot
 8     loader images are verified by BL1 and BL2 during the cold boot path. BL1 and
 9     BL2 use the PolarSSL SSL library to verify certificates and images. The
10     OpenSSL library is used to create the X.509 certificates. Support has been
11     added to `fip_create` tool to package the certificates in a FIP.
12

Thanks,
Leo Yan

> > > > But also in Hikey branch it is possible to set the GENERATE_COT
> > > > flag and the *.crt files get generated.
> >
> > --
> > Regards,
> > Joakim B
> > _______________________________________________
> > Dev mailing list
> > Dev@lists.96boards.org
> > https://lists.96boards.org/mailman/listinfo/dev
> >

> _______________________________________________
> Dev mailing list
> Dev@lists.96boards.org
> https://lists.96boards.org/mailman/listinfo/dev