.. _device-tree/ibm,secureboot:

ibm,secureboot
==============

The ``ibm,secureboot`` node provides secure boot and trusted boot information
up to the target OS. Further information can be found in :ref:`stb-overview`.

Required properties
-------------------

.. code-block:: none

    compatible:         Either one of the following values:

                        ibm,secureboot-v1  :  The container-verification-code
                                              is stored in a secure ROM memory.

                        ibm,secureboot-v2  :  The container-verification-code
                                              is stored in a reserved memory.
                                              It is described by the ibm,cvc
                                              child node.

    secure-enabled:     this property exists when the firmware stack is booting
                        in secure mode (hardware secure boot jumper asserted).

    trusted-enabled:    this property exists when the firmware stack is booting
                        in trusted mode.

    hw-key-hash:        hash of the three hardware public keys trusted by the
                        platform owner. This is used to verify whether firmware
                        code is signed with trusted keys.

    hw-key-hash-size:   hw-key-hash size

    os-secureboot-enforcing:
                        this property is created by the secure variable backend
                        if it detects a desire by the owner to require any
                        images (e.g. kernels) to be signed by an appropriate
                        key stored in secure variables.

    physical-presence-asserted:
                        this property exists to indicate the physical presence
                        of a user to request key clearance.

    clear-os-keys:      this property exists when the firmware indicates that
                        physical presence is asserted to clear only Host OS
                        secure boot keys.

    clear-all-keys:     this property exists when the firmware indicates that
                        physical presence is asserted to clear all sensitive
                        data controlled by platform firmware.

    clear-mfg-keys:     this property exists only during the manufacturing
                        process when the firmware indicates to clear all
                        sensitive data during manufacturing. It is only valid
                        on development drivers.

Obsolete properties
-------------------

.. code-block:: none

    hash-algo:          Superseded by the hw-key-hash-size property in
                        'ibm,secureboot-v2'.

Example
-------

.. code-block:: dts

    ibm,secureboot {
        compatible = "ibm,secureboot-v2";
        secure-enabled;
        trusted-enabled;
        hw-key-hash-size = <0x40>;
        hw-key-hash = <0x40d487ff 0x7380ed6a 0xd54775d5 0x795fea0d
                       0xe2f541fe 0xa9db06b8 0x466a42a3 0x20e65f75
                       0xb4866546 0x0017d907 0x515dc2a5 0xf9fc5095
                       0x4d6ee0c9 0xb67d219d 0xfb708535 0x1d01d6d1>;
        phandle = <0x100000fd>;
        linux,phandle = <0x100000fd>;
    };
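
A host-side check of the properties listed above, given as an added example that is not part of the firmware documentation or its code. It assumes the node is readable as a directory with one file per property (the way Linux exposes the device tree under ``/sys/firmware/devicetree/base``), where a boolean property is an empty file and a cell is a 32-bit big-endian value; ``audit_secureboot``, ``make_sample_node`` and the sample bytes are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

FLAGS = ("secure-enabled", "trusted-enabled", "os-secureboot-enforcing",
         "physical-presence-asserted", "clear-os-keys", "clear-all-keys",
         "clear-mfg-keys")

def read_prop(node, name):
    """Raw bytes of one property file, or None when the property is absent."""
    path = Path(node) / name
    return path.read_bytes() if path.is_file() else None

def audit_secureboot(node, expected_hash=None):
    """Return (state, findings) for a directory holding the node's properties."""
    compat = (read_prop(node, "compatible") or b"").split(b"\0")[0].decode("ascii", "replace")
    state = {f: read_prop(node, f) is not None for f in FLAGS}  # presence means set
    key_hash = read_prop(node, "hw-key-hash") or b""
    size = read_prop(node, "hw-key-hash-size")
    findings = []
    if compat not in ("ibm,secureboot-v1", "ibm,secureboot-v2"):
        findings.append("unknown compatible: %r" % compat)
    if size is None:
        if compat == "ibm,secureboot-v2":
            findings.append("hw-key-hash-size missing")
    # hw-key-hash-size is a single big-endian cell giving the hash length in bytes
    elif len(size) != 4 or struct.unpack(">I", size)[0] != len(key_hash):
        findings.append("hw-key-hash length does not match hw-key-hash-size")
    if expected_hash is not None and key_hash != expected_hash:
        findings.append("hw-key-hash differs from expected value")
    for flag in FLAGS[:2]:  # secure-enabled, trusted-enabled
        if not state[flag]:
            findings.append(flag + " absent")
    for flag in FLAGS[4:]:  # clear-os-keys, clear-all-keys, clear-mfg-keys
        if state[flag]:
            findings.append("key clearance requested: " + flag)
    return {"compatible": compat, "hw_key_hash": key_hash.hex(), **state}, findings

def make_sample_node(props):
    """Constructed test fixture: write each property to its own file."""
    node = Path(tempfile.mkdtemp(prefix="secureboot-node-"))
    for name, value in props.items():
        (node / name).write_bytes(value)
    return node

if __name__ == "__main__":
    demo = make_sample_node({"compatible": b"ibm,secureboot-v2\0", "secure-enabled": b"",
                             "hw-key-hash-size": struct.pack(">I", 0x40),
                             "hw-key-hash": bytes(range(0x40))})  # constructed values
    print(audit_secureboot(demo))
```

On a running system, pass the path of the node's directory and the hash the platform owner expects; both are inputs the caller supplies, not values defined by this page.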