doc/device-tree/ibm,secureboot.rst - skiboot - Git at Google

 .. _device-tree/ibm,secureboot:

 ibm,secureboot
 ==============

 The ``ìbm,secureboot`` node provides secure boot and trusted boot information
 up to the target OS. Further information can be found in :ref:`stb-overview`.

 Required properties
 -------------------

 .. code-block:: none

     compatible:         Either one of the following values:

                         ibm,secureboot-v1  :  The container-verification-code
                                               is stored in a secure ROM memory.

                         ibm,secureboot-v2  :  The container-verification-code
                                               is stored in a reserved memory.
                                               It described by the ibm,cvc child
                                               node.

     secure-enabled:     this property exists when the firmware stack is booting
                         in secure mode (hardware secure boot jumper asserted).

     trusted-enabled:    this property exists when the firmware stack is booting
                         in trusted mode.

     hw-key-hash:        hash of the three hardware public keys trusted by the
                         platformw owner. This is used to verify if a firmware
                         code is signed with trusted keys.

     hw-key-hash-size:   hw-key-hash size

     os-secureboot-enforcing:
                         this property is created by the secure variable backend
                         if it detects a desire by the owner to requre any
                         images (e.g. kernels) to be signed by an appropriate
                         key stored in secure variables.

     physical-presence-asserted:
                         this property exists to indicate the physical presence
                         of user to request key clearance.

     clear-os-keys:      this property exists when the firmware indicates that
                         physical presence is asserted to clear only Host OS
                         secure boot keys.

     clear-all-keys:     this property exists when the firmware indicates that
                         physical presence is asserted to clear all sensistive
                         data controlled by platform firmware.

     clear-mfg-keys:     this property exists only during manufacturing process
                         when the firmware indicates to clear all senstive data
                         during manufacturing. It is only valid on development
                         drivers.

 Obsolete properties
 -------------------

 .. code-block:: none

     hash-algo:          Superseded by the hw-key-hash-size property in
                         'ibm,secureboot-v2'.

 Example
 -------

 .. code-block:: dts

     ibm,secureboot {
         compatible = "ibm,secureboot-v2";
         secure-enabled;
         trusted-enabled;
         hw-key-hash-size = <0x40>;
         hw-key-hash = <0x40d487ff 0x7380ed6a 0xd54775d5 0x795fea0d 0xe2f541fe
                        0xa9db06b8 0x466a42a3 0x20e65f75 0xb4866546 0x0017d907
                        0x515dc2a5 0xf9fc5095 0x4d6ee0c9 0xb67d219d 0xfb708535
                        0x1d01d6d1>;
         phandle = <0x100000fd>;
         linux,phandle = <0x100000fd>;
     };
	.. _device-tree/ibm,secureboot:

	ibm,secureboot
	==============

	The ``ìbm,secureboot`` node provides secure boot and trusted boot information
	up to the target OS. Further information can be found in :ref:`stb-overview`.

	Required properties
	-------------------

	.. code-block:: none

	compatible: Either one of the following values:

	ibm,secureboot-v1 : The container-verification-code
	is stored in a secure ROM memory.

	ibm,secureboot-v2 : The container-verification-code
	is stored in a reserved memory.
	It described by the ibm,cvc child
	node.

	secure-enabled: this property exists when the firmware stack is booting
	in secure mode (hardware secure boot jumper asserted).

	trusted-enabled: this property exists when the firmware stack is booting
	in trusted mode.

	hw-key-hash: hash of the three hardware public keys trusted by the
	platformw owner. This is used to verify if a firmware
	code is signed with trusted keys.

	hw-key-hash-size: hw-key-hash size

	os-secureboot-enforcing:
	this property is created by the secure variable backend
	if it detects a desire by the owner to requre any
	images (e.g. kernels) to be signed by an appropriate
	key stored in secure variables.

	physical-presence-asserted:
	this property exists to indicate the physical presence
	of user to request key clearance.

	clear-os-keys: this property exists when the firmware indicates that
	physical presence is asserted to clear only Host OS
	secure boot keys.

	clear-all-keys: this property exists when the firmware indicates that
	physical presence is asserted to clear all sensistive
	data controlled by platform firmware.

	clear-mfg-keys: this property exists only during manufacturing process
	when the firmware indicates to clear all senstive data
	during manufacturing. It is only valid on development
	drivers.

	Obsolete properties
	-------------------

	.. code-block:: none

	hash-algo: Superseded by the hw-key-hash-size property in
	'ibm,secureboot-v2'.

	Example
	-------

	.. code-block:: dts

	ibm,secureboot {
	compatible = "ibm,secureboot-v2";
	secure-enabled;
	trusted-enabled;
	hw-key-hash-size = <0x40>;
	hw-key-hash = <0x40d487ff 0x7380ed6a 0xd54775d5 0x795fea0d 0xe2f541fe
	0xa9db06b8 0x466a42a3 0x20e65f75 0xb4866546 0x0017d907
	0x515dc2a5 0xf9fc5095 0x4d6ee0c9 0xb67d219d 0xfb708535
	0x1d01d6d1>;
	phandle = <0x100000fd>;
	linux,phandle = <0x100000fd>;
	};