ibm,secureboot

The ìbm,secureboot node provides secure boot and trusted boot information up to the target OS. Further information can be found in Secure and Trusted Boot Library (LibSTB) Documentation.

Required properties

compatible:         Either one of the following values:

                    ibm,secureboot-v1  :  The container-verification-code
                                          is stored in a secure ROM memory.

                    ibm,secureboot-v2  :  The container-verification-code
                                          is stored in a reserved memory.
                                          It described by the ibm,cvc child
                                          node.

secure-enabled:     this property exists when the firmware stack is booting
                    in secure mode (hardware secure boot jumper asserted).

trusted-enabled:    this property exists when the firmware stack is booting
                    in trusted mode.

hw-key-hash:        hash of the three hardware public keys trusted by the
                    platformw owner. This is used to verify if a firmware
                    code is signed with trusted keys.

hw-key-hash-size:   hw-key-hash size

os-secureboot-enforcing:
                    this property is created by the secure variable backend
                    if it detects a desire by the owner to requre any
                    images (e.g. kernels) to be signed by an appropriate
                    key stored in secure variables.

physical-presence-asserted:
                    this property exists to indicate the physical presence
                    of user to request key clearance.

clear-os-keys:      this property exists when the firmware indicates that
                    physical presence is asserted to clear only Host OS
                    secure boot keys.

clear-all-keys:     this property exists when the firmware indicates that
                    physical presence is asserted to clear all sensistive
                    data controlled by platform firmware.

clear-mfg-keys:     this property exists only during manufacturing process
                    when the firmware indicates to clear all senstive data
                    during manufacturing. It is only valid on development
                    drivers.

Obsolete properties

hash-algo:          Superseded by the hw-key-hash-size property in
                    'ibm,secureboot-v2'.

Example

ibm,secureboot {
    compatible = "ibm,secureboot-v2";
    secure-enabled;
    trusted-enabled;
    hw-key-hash-size = <0x40>;
    hw-key-hash = <0x40d487ff 0x7380ed6a 0xd54775d5 0x795fea0d 0xe2f541fe
                   0xa9db06b8 0x466a42a3 0x20e65f75 0xb4866546 0x0017d907
                   0x515dc2a5 0xf9fc5095 0x4d6ee0c9 0xb67d219d 0xfb708535
                   0x1d01d6d1>;
    phandle = <0x100000fd>;
    linux,phandle = <0x100000fd>;
};