On Mon, Mar 10, 2025 at 08:26:01PM +0100, Marco Felsch wrote: > On 25-02-28, Sascha Hauer wrote: > > This adds the Kconfig option CONFIG_ARCH_K3_AUTHENTICATE_IMAGE. When > > enabled, the full barebox image will only be started when it can be > > authenticated using the ROM API. > > > > Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> > > --- > > arch/arm/mach-k3/Kconfig | 7 ++++++ > > arch/arm/mach-k3/r5.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++- > > 2 files changed, 70 insertions(+), 1 deletion(-) > > > > diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig > > index 37d5155577..e93e3154c8 100644 > > --- a/arch/arm/mach-k3/Kconfig > > +++ b/arch/arm/mach-k3/Kconfig > > @@ -37,6 +37,13 @@ config MACH_BEAGLEPLAY > > help > > Say Y here if you are using a TI AM62x based BeaglePlay board > > > > +config ARCH_K3_AUTHENTICATE_IMAGE > > + bool "Force authentication of FIP image against ROM API" > > + help > > + By enabling this option the FIP image loaded by the first stage > > + will be authenticated against the K3 ROM API. Images which fail > > + to authenticate will not be started. > > The ROM is checking only the sha sum or does the ROM also have some kind > of signature-checking (pub/priv keys requried)? The ROM cheks against signatures Sascha -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
