github/acrn-hypervisor
1
0
Fork 0
mirror of https://github.com/projectacrn/acrn-hypervisor.git synced 2025-06-24 14:33:38 +00:00
Code Issues Projects Releases Wiki Activity

doc: update hld-security verified boot section

Browse Source 
1. Remove vSBL and ABL descriptions, which are absolete.
2. Add UEFI bootflow description.

Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
This commit is contained in:
Yonghua Huang 2019-10-16 17:25:51 +08:00 committed by deb-intel
parent edffde4e3c
commit b3142e1600
4 changed files with 25 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
doc/developer-guides/hld/hld-security.rst
View File

@ -129,15 +129,11 @@ is not currently supported for ACRN and its guest VMs.
Boot Flow Boot Flow
--------- ---------
ACRN supports two verified boot sequences.
.. figure:: images/security-image2.png 1) Verified Boot Sequence with SBL
:width: 900px ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:align: center As shown in :numref:`security-bootflow-sbl`, the Converged Security Engine
:name: security-bootflow
ACRN Boot Flow
As shown in :numref:`security-bootflow`, the Converged Security Engine
Firmware (CSE FW) behaves as the root of trust in this platform boot Firmware (CSE FW) behaves as the root of trust in this platform boot
flow. It authenticates and starts the BIOS (SBL), whereupon the SBL is flow. It authenticates and starts the BIOS (SBL), whereupon the SBL is
responsible for authenticating and verifying the ACRN hypervisor image. responsible for authenticating and verifying the ACRN hypervisor image.
@ -145,9 +141,29 @@ Currently the SOS kernel is built together with the ACRN hypervisor as
one image bundle, so this whole image signature is verified by SBL one image bundle, so this whole image signature is verified by SBL
before launching. before launching.
.. figure:: images/security-image-bootflow-sbl.png
:width: 900px
:align: center
:name: security-bootflow-sbl
ACRN Boot Flow with SBL
2) Verified Boot Sequence with UEFI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As shown in :numref:`security-bootflow-uefi`, in this boot sequence,UEFI
authenticates and starts the ACRN hypervisor firstly,and hypervisor will return
to UEFI enviorment to authenticate and load SOS kernel bootloader.
.. figure:: images/security-image-bootflow-uefi.png
:width: 900px
:align: center
:name: security-bootflow-uefi
ACRN Boot Flow with UEFI
As long as the SOS kernel starts, the SOS kernel will load all its As long as the SOS kernel starts, the SOS kernel will load all its
subsystems subsequently. In order to launch a guest UOS, a DM process is subsystems subsequently. In order to launch a guest UOS, a DM process is
started to launch the virtual BIOS (vSBL), and eventually the vSBL is started to launch the virtual BIOS (OVMF), and eventually, the OVMF is
responsible for verifying and launching the guest UOS kernel (or the responsible for verifying and launching the guest UOS kernel (or the
Android OS loader for an Android UOS). Android OS loader for an Android UOS).

BIN
doc/developer-guides/hld/images/security-image-bootflow-sbl.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
doc/developer-guides/hld/images/security-image-bootflow-uefi.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
doc/developer-guides/hld/images/security-image2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 28 KiB