Convert CONFIG_CMD_BLOB to Kconfig

This converts the following to Kconfig: CONFIG_CMD_BLOB Signed-off-by: Simon Glass <sjg@chromium.org> [trini: Add imply CMD_BLOB under CHAIN_OF_TRUST] Signed-off-by: Tom Rini <trini@konsulko.com>
8 years ago · c04b9b3440
parent ac20a1b21c
commit c04b9b3440
6 changed files with 46 additions and 4 deletions
--- a/arch/arm/include/asm/fsl_secure_boot.h
+++ b/arch/arm/include/asm/fsl_secure_boot.h
@ -30,7 +30,6 @@
 #define CONFIG_KEY_REVOCATION

 #ifndef CONFIG_SPL_BUILD
-#define CONFIG_CMD_BLOB
 #define CONFIG_CMD_HASH
 #ifndef CONFIG_SYS_RAMBOOT
 /* The key used for verification of next level images
--- a/arch/powerpc/include/asm/fsl_secure_boot.h
+++ b/arch/powerpc/include/asm/fsl_secure_boot.h
@ -104,7 +104,6 @@
 #define CONFIG_SHA_PROG_HW_ACCEL

 #ifndef CONFIG_SPL_BUILD
-#define CONFIG_CMD_BLOB
 /*
 * fsl_setenv_chain_of_trust() must be called from
 * board_late_init()
--- a/board/freescale/common/Kconfig
+++ b/board/freescale/common/Kconfig
@ -1,5 +1,6 @@
 config CHAIN_OF_TRUST
 	depends on !FIT_SIGNATURE && SECURE_BOOT
+	imply CMD_BLOB
 	select FSL_CAAM
 	bool
 	default y
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@ -779,6 +779,50 @@ config CMD_AES
 	  supported by the algorithm but this command only supports 128 bits
 	  at present.

+config CMD_BLOB
+	bool "Enable the 'blob' command"
+	help
+	  This is used with the Freescale secure boot mechanism.
+
+	  Freescale's SEC block has built-in Blob Protocol which provides
+	  a method for protecting user-defined data across system power
+	  cycles. SEC block protects data in a data structure called a Blob,
+	  which provides both confidentiality and integrity protection.
+
+	  Encapsulating data as a blob
+	  Each time that the Blob Protocol is used to protect data, a
+	  different randomly generated key is used to encrypt the data.
+	  This random key is itself encrypted using a key which is derived
+	  from SoC's non-volatile secret key and a 16 bit Key identifier.
+	  The resulting encrypted key along with encrypted data is called a
+	  blob. The non-volatile secure key is available for use only during
+	  secure boot.
+
+	  During decapsulation, the reverse process is performed to get back
+	  the original data.
+
+	  Sub-commands:
+            blob enc - encapsulating data as a cryptgraphic blob
+	    blob dec - decapsulating cryptgraphic blob to get the data
+
+	  Syntax:
+
+	  blob enc src dst len km
+
+	  Encapsulate and create blob of data $len bytes long
+	  at address $src and store the result at address $dst.
+	  $km is the 16 byte key modifier is also required for
+	  generation/use as key for cryptographic operation. Key
+	  modifier should be 16 byte long.
+
+	  blob dec src dst len km
+
+	  Decapsulate the  blob of data at address $src and
+	  store result of $len byte at addr $dst.
+	  $km is the 16 byte key modifier is also required for
+	  generation/use as key for cryptographic operation. Key
+	  modifier should be 16 byte long.
+
 config CMD_TPM
 	bool "Enable the 'tpm' command"
 	depends on TPM
--- a/cmd/Makefile
+++ b/cmd/Makefile
@ -152,9 +152,9 @@ obj-$(CONFIG_CMD_ETHSW) += ethsw.o
 # Power
 obj-$(CONFIG_CMD_PMIC) += pmic.o
 obj-$(CONFIG_CMD_REGULATOR) += regulator.o
-endif # !CONFIG_SPL_BUILD

 obj-$(CONFIG_CMD_BLOB) += blob.o
+endif # !CONFIG_SPL_BUILD

 # core command
 obj-y += nvedit.o
--- a/scripts/config_whitelist.txt
+++ b/scripts/config_whitelist.txt
@ -393,7 +393,6 @@ CONFIG_CM922T_XA10
 CONFIG_CMDLINE_EDITING
 CONFIG_CMDLINE_PS_SUPPORT
 CONFIG_CMDLINE_TAG
-CONFIG_CMD_BLOB
 CONFIG_CMD_BMODE
 CONFIG_CMD_BMP
 CONFIG_CMD_BSP