summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorTom Rini <trini@konsulko.com>2019-07-18 11:31:37 -0400
committerTom Rini <trini@konsulko.com>2019-07-18 11:31:37 -0400
commit0de815356474912ef5bef9a69f0327a5a93bb2c2 (patch)
tree92db8fda09396081f58a0c5fb182e72fbc3fdd50 /doc
parent9a06eb800c1bdc68aa81fcad6d4f404e12dfff33 (diff)
parentbf88d2b023063a0c46d7617a4f6897d5d561662d (diff)
Merge branch '2019-07-17-master-imports'
- Various FS/disk related fixes with security implications. - Proper fix for the pci_ep test. - Assorted bugfixes - Some MediaTek updates. - 'env erase' support.
Diffstat (limited to 'doc')
-rw-r--r--doc/README.chromium12
-rw-r--r--doc/android/fastboot-protocol.txt (renamed from doc/README.android-fastboot-protocol)0
-rw-r--r--doc/android/fastboot.txt4
-rw-r--r--doc/uImage.FIT/signature.txt37
4 files changed, 44 insertions, 9 deletions
diff --git a/doc/README.chromium b/doc/README.chromium
index 096bc4f1f7..8f67da6c72 100644
--- a/doc/README.chromium
+++ b/doc/README.chromium
@@ -33,12 +33,18 @@ To obtain:
cd u-boot
git checkout cros-master
+ cd ..
+ git clone https://chromium.googlesource.com/chromiumos/platform/vboot_reference
+ cd vboot_reference
+ git checkout 45964294
+ # futility: updater: Correct output version for Snow
+
To build for sandbox:
UB=/tmp/b/chromeos_sandbox # U-Boot build directory
- CROS=/home/sglass/cosarm # Chromium OS directory
- make O=$UB/chromeos_sandbox_defconfig
- make O=$UB -j20 -s VBOOT_SOURCE=$CROS/src/platform/vboot_reference \
+ cd u-boot
+ make O=$UB chromeos_sandbox_defconfig
+ make O=$UB -j20 -s VBOOT_SOURCE=/path/to/vboot_reference \
MAKEFLAGS_VBOOT=DEBUG=1 QUIET=1
Replace sandbox with another supported target.
diff --git a/doc/README.android-fastboot-protocol b/doc/android/fastboot-protocol.txt
index e9e7166a26..e9e7166a26 100644
--- a/doc/README.android-fastboot-protocol
+++ b/doc/android/fastboot-protocol.txt
diff --git a/doc/android/fastboot.txt b/doc/android/fastboot.txt
index 431191c473..ea0d1da1fd 100644
--- a/doc/android/fastboot.txt
+++ b/doc/android/fastboot.txt
@@ -5,8 +5,8 @@ Android Fastboot
Overview
========
-The protocol that is used over USB and UDP is described in the
-``README.android-fastboot-protocol`` file in the same directory.
+The protocol that is used over USB and UDP is described in
+``doc/android/fastboot-protocol.txt``.
The current implementation supports the following standard commands:
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
index 78b59e7203..c9b1802686 100644
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@@ -388,8 +388,8 @@ Test Verified Boot Run: signed config with bad hash: OK
Test passed
-Hardware Signing with PKCS#11
------------------------------
+Hardware Signing with PKCS#11 or with HSM
+-----------------------------------------
Securely managing private signing keys can challenging, especially when the
keys are stored on the file system of a computer that is connected to the
@@ -402,14 +402,43 @@ them perform the signing. PKCS#11 is standard for interfacing with these crypto
device.
Requirements:
-Smartcard/USB token/HSM which can work with the pkcs11 engine
+Smartcard/USB token/HSM which can work with some openssl engine
openssl
+
+For pkcs11 engine usage:
libp11 (provides pkcs11 engine)
p11-kit (recommended to simplify setup)
opensc (for smartcards and smartcard like USB devices)
gnutls (recommended for key generation, p11tool)
-The following examples use the Nitrokey Pro. Instructions for other devices may vary.
+For generic HSMs respective openssl engine must be installed and locateable by
+openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed
+to openssl's default search paths.
+
+PKCS11 engine support forms "key id" based on "keydir" and with
+"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if
+defined is used to define (prefix for) which PKCS11 source is being used for
+lookup up for the key.
+
+PKCS11 engine key ids:
+ "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>"
+or
+ "pkcs11:object=<key-name-hint>;type=<public|private>",
+
+Generic HSM engine support forms "key id" based on "keydir" and with
+"key-name-hint". If "keydir" is specified for mkimage it is used as a prefix in
+"key id" and is appended with "key-name-hint".
+
+Generic engine key ids:
+ "<keydir><key-name-hint>"
+or
+ "<key-name-hint>"
+
+As mkimage does not at this time support prompting for passwords HSM may need
+key preloading wrapper to be used when invoking mkimage.
+
+The following examples use the Nitrokey Pro using pkcs11 engine. Instructions
+for other devices may vary.
Notes on pkcs11 engine setup: