.. _device-tree/ibm,secureboot:

ibm,secureboot
==============

Secure boot and trusted boot rely on code stored in the secure ROM at
manufacture time to verify and measure other code before it is executed.
This ROM code is also referred to as the ROM verification code.

On POWER8, the presence of the ROM code is announced to skiboot (by Hostboot)
by the ``ibm,secureboot`` device tree node.

If the system is booting up in secure mode, the ROM code is called for secure
boot to verify the integrity and authenticity of an image before it is executed.

If the system is booting up in trusted mode, the ROM code is called for trusted
boot to calculate the SHA512 hash of an image only if the image is not a secure boot
container or the system is not booting up in secure mode.

For further information about secure boot and trusted boot, please refer to
:ref:`stb-overview`.

Required properties
-------------------

.. code-block:: none

    compatible:      ibm,secureboot version. It is related to the ROM code version.

    hash-algo:       hash algorithm used for the hw-key-hash. Aspects such as the size
                     of the hw-key-hash can be inferred from this property.

    secure-enabled:  this property exists if the system is booting in secure mode.

    trusted-enabled: this property exists if the system is booting in trusted mode.

    hw-key-hash:     hash of three concatenated hardware public keys. This is required
                     by the ROM code to verify images.

Example
-------

For the first version ``ibm,secureboot-v1``, the ROM code expects the *hw-key-hash*
to be a SHA512 hash.

.. code-block:: dts

    ibm,secureboot {
        compatible = "ibm,secureboot-v1";
        hash-algo = "sha512";
        secure-enabled;
        trusted-enabled;
        hw-key-hash = <0x40d487ff 0x7380ed6a 0xd54775d5 0x795fea0d 0xe2f541fe
                       0xa9db06b8 0x466a42a3 0x20e65f75 0xb4866546 0x17d907
                       0x515dc2a5 0xf9fc5095 0x4d6ee0c9 0xb67d219d 0xfb708535
                       0x1d01d6d1>;
        phandle = <0x100000fd>;
        linux,phandle = <0x100000fd>;
    };
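
A host-side check of this node, as an added example that is not part of the skiboot documentation or code: it reads each property as a file, the way Linux exposes device tree nodes (the node is assumed to appear at ``/proc/device-tree/ibm,secureboot``), and confirms that the *hw-key-hash* length matches what *hash-algo* implies. The function names and the sample node written to a temporary directory are constructed for illustration; the hash cells are the ones from the example above.

```python
import hashlib
import struct
from pathlib import Path

# hw-key-hash cells copied from the example node; dtc stores each as 32-bit big-endian.
EXAMPLE_HASH = struct.pack(">16I",
    0x40d487ff, 0x7380ed6a, 0xd54775d5, 0x795fea0d, 0xe2f541fe, 0xa9db06b8,
    0x466a42a3, 0x20e65f75, 0xb4866546, 0x17d907, 0x515dc2a5, 0xf9fc5095,
    0x4d6ee0c9, 0xb67d219d, 0xfb708535, 0x1d01d6d1)


def write_sample_node(root, hw_key_hash, secure=True, trusted=True):
    """Build a constructed node directory: one file per property."""
    node = Path(root) / "ibm,secureboot"
    node.mkdir(parents=True)
    (node / "compatible").write_bytes(b"ibm,secureboot-v1\0")
    (node / "hash-algo").write_bytes(b"sha512\0")
    (node / "hw-key-hash").write_bytes(hw_key_hash)
    for name, present in (("secure-enabled", secure), ("trusted-enabled", trusted)):
        if present:
            (node / name).write_bytes(b"")  # boolean property: presence only
    return node


def audit_secureboot_node(node):
    """Return (state, findings) for an ibm,secureboot node directory."""
    node = Path(node)
    missing = [p for p in ("compatible", "hash-algo", "hw-key-hash")
               if not (node / p).is_file()]
    if missing:
        return None, ["missing property: " + ", ".join(missing)]
    def text(name):  # string properties are NUL-terminated
        return (node / name).read_bytes().rstrip(b"\0").decode("ascii")
    state = {"compatible": text("compatible"), "hash_algo": text("hash-algo"),
             "hw_key_hash": (node / "hw-key-hash").read_bytes(),
             "secure": (node / "secure-enabled").exists(),
             "trusted": (node / "trusted-enabled").exists()}
    try:  # the digest size is inferred from hash-algo, as the binding describes
        expected = hashlib.new(state["hash_algo"]).digest_size
    except ValueError:
        return state, ["unknown hash-algo %r" % state["hash_algo"]]
    findings = []
    if len(state["hw_key_hash"]) != expected:
        findings.append("hw-key-hash is %d bytes, %s needs %d"
                        % (len(state["hw_key_hash"]), state["hash_algo"], expected))
    for mode in ("secure", "trusted"):
        if not state[mode]:
            findings.append("%s-enabled absent: not booting in %s mode" % (mode, mode))
    return state, findings
```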