Thanks, applied as a4c386b34b25fa0c838797a533fc716b46c80dc0.

Michael

[sent from post-receive hook]

On Sat, 17 May 2025 00:02:53 +0200, Alexander Dahl <[email protected]> wrote:
> Requires U-Boot v2023.04 or later, certain options set in board config,
> and KERNEL_FIT_SIGNED enabled.  Algorithm "sha256,rsa4096" is hardcoded
> to the same value as hardcoded in ptxd_make_image_fit_its() which is used
> by the kernel-fit package.
> 
> With those premises met, U-Boot Verified Boot is possible.  Tested with
> U-Boot v2024.04 on Microchip SAM9X60-Curiosity in custom layer on top of
> DistroKit-2024.06.0.
> 
>     Hit any key to stop autoboot:  0
>     8787737 bytes read in 391 ms (21.4 MiB/s)
>     ## Loading kernel from FIT Image at 22000000 ...
>        Using 'conf-microchip,sam9x60-curiosity' configuration
>        Verifying Hash Integrity ... sha256,rsa4096:image-kernel-fit+ OK
>        Trying 'kernel' kernel subimage
>          Description:  kernel
>          Type:         Kernel Image (no loading done)
>          Compression:  uncompressed
>          Data Start:   0x220000b4
>          Data Size:    8757936 Bytes = 8.4 MiB
>          Hash algo:    sha256
>          Hash value:   8c109fc75263329402c7ae63e3d47c18aabf67307ebc0023e88921227abc7cf3
>        Verifying Hash Integrity ... sha256+ OK
>     ## Loading fdt from FIT Image at 22000000 ...
>        Using 'conf-microchip,sam9x60-curiosity' configuration
>        Verifying Hash Integrity ... sha256,rsa4096:image-kernel-fit+ OK
>        Trying 'fdt-microchip,sam9x60-curiosity' fdt subimage
>          Description:  unavailable
>          Type:         Flat Device Tree
>          Compression:  uncompressed
>          Data Start:   0x2285a45c
>          Data Size:    27903 Bytes = 27.2 KiB
>          Architecture: ARM
>          Hash algo:    sha256
>          Hash value:   db2e8047b404f92cc7ca4f7b918be1191aab3ce33d574f046c0f1da959d3cbb2
>        Verifying Hash Integrity ... sha256+ OK
>        Booting using the fdt blob at 0x2285a45c
>     Working FDT set to 2285a45c
>        XIP Kernel Image (no loading done) to 220000b4
>        Loading Device Tree to 27b31000, end 27b3acfe ... OK
>     Working FDT set to 27b31000
> 
>     Starting kernel ...
> 
>     [    0.000000] Booting Linux on physical CPU 0x0
>     [    0.000000] Linux version 6.6.0-tt (ptxdist@ptxdist) (arm-v5te-linux-gnueabi-gcc (OSELAS.Toolchain-2023.07.1 13-20231118) 13.2.1 20231118, GNU ld (GNU Binutils) 2.40) #2 PREEMPT 2024-06-07T12:29:46+00:00
> 
> Link: https://docs.u-boot.org/en/latest/usage/fit/verified-boot.html
> Signed-off-by: Alexander Dahl <[email protected]>
> Message-Id: <[email protected]>
> Signed-off-by: Michael Olbrich <[email protected]>
> 
> diff --git a/platforms/u-boot.in b/platforms/u-boot.in
> index 5ce7387e495d..d263135ca7e7 100644
> --- a/platforms/u-boot.in
> +++ b/platforms/u-boot.in
> @@ -7,6 +7,7 @@ config U_BOOT_DEPENDENCIES
>  menuconfig U_BOOT
>       select U_BOOT_DEPENDENCIES
>       select BOOTLOADER
> +     select CODE_SIGNING             if U_BOOT_VERIFY_SIGNATURE
>       select HOST_SYSTEM_PYTHON3
>       select HOST_OPENSSL             if U_BOOT_NEEDS_HOST_OPENSSL
>       select HOST_GNUTLS              if U_BOOT_NEEDS_HOST_GNUTLS
> @@ -18,11 +19,11 @@ if U_BOOT
>  
>  config U_BOOT_VERSION
>       string
> -     default "2019.01"
> +     default "2023.04"
>       prompt "U-Boot version"
>       help
> -       Enter the U-Boot version you want to build. Usually something like
> -       "2019.01".
> +       Enter the U-Boot version you want to build.
> +       Usually something like "2019.01".
>  
>  config U_BOOT_MD5
>       string
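
Review bot: The help text of U_BOOT_VERSION still gives "2019.01" as the example while the default in the same hunk moves to "2023.04". Since U_BOOT_VERIFY_SIGNATURE states that 2023.04 or later is needed, the example should read "2023.04" so the help text and the default do not point users at a version that cannot do verified boot. U_BOOT_MD5 right below is unchanged context here; if it carries a default, that has to follow the version bump.
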
> @@ -193,6 +194,29 @@ config U_BOOT_BOOT_SCRIPT_ROOTFS_PATH
>  
>  endif
>  
> +config U_BOOT_VERIFY_SIGNATURE
> +     bool
> +     prompt "Verify FIT image signature"
> +     select U_BOOT_NEEDS_HOST_OPENSSL
> +     imply KERNEL_FIT_SIGNED
> +     help
> +       For U-Boot Verified Boot [1] a public key has to be put into
> +       the control dtb built with U-Boot.
> +       The loaded image (most probably a Linux Kernel image) must be
> +       signed with the matching private key.
> +       Uses the PTXdist Code Signing Infrastructure.
> +
> +       Note: You need U-Boot 2023.04 or later.
> +
> +       Note: You must enable CONFIG_TOOLS_FIT_SIGNATURE in U-Boot
> +             Kconfig for the necessary host mkimage features, and
> +             enable CONFIG_FIT_SIGNATURE, CONFIG_RSA, and
> +             CONFIG_ECDSA for runtime verification.
> +             Ensure you have _disabled_ CONFIG_LEGACY_IMAGE_FORMAT to
> +             not accidentally allow running unsigned images.
> +
> +       [1] https://docs.u-boot.org/en/latest/usage/fit/verified-boot.html
> +
>  comment "target install"
>  
>  config U_BOOT_INSTALL_U_BOOT_BIN
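
Review bot: `imply KERNEL_FIT_SIGNED` in U_BOOT_VERIFY_SIGNATURE is weaker than the commit message's "Requires ... KERNEL_FIT_SIGNED enabled": an implied symbol can be switched off again, which leaves a U-Boot built with a required key (`-r` in rules/u-boot.make) and a kernel FIT that is not signed. A `depends on` or `select`, where the dependencies of KERNEL_FIT_SIGNED allow it, would make the requirement hold. The help text also lists CONFIG_ECDSA as needed although the algorithm is fixed to "sha256,rsa4096", and the minimum version and the disabled CONFIG_LEGACY_IMAGE_FORMAT are only notes; a check of the U-Boot config at build time would turn the latter from advice into an enforced property.
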
> diff --git a/rules/u-boot.make b/rules/u-boot.make
> index 204475b7843b..d3ea65cf2a53 100644
> --- a/rules/u-boot.make
> +++ b/rules/u-boot.make
> @@ -120,6 +120,19 @@ endif
>  $(STATEDIR)/u-boot.compile:
>       @$(call targetinfo)
>       @$(call world/compile, U_BOOT)
> +ifdef PTXCONF_U_BOOT_VERIFY_SIGNATURE
> +     @mv $(U_BOOT_BUILD_DIR)/u-boot.dtb $(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb
> +     @$(CODE_SIGNING_ENV) $(U_BOOT_BUILD_DIR)/tools/mkimage \
> +             -f auto-conf -d /dev/null -r \
> +             -g image-kernel-fit -N pkcs11 -o "sha256,rsa4096" \
> +             -k "$(shell cs_get_uri image-kernel-fit)" \
> +             -K "$(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb" \
> +             $(U_BOOT_BUILD_DIR)/unused.itb
> +#    # retrigger building dts/dt.dtb to use EXT_DTB, might stay as is 
> otherwise
> +     @rm $(U_BOOT_BUILD_DIR)/dts/dt.dtb
> +     @$(call compile, U_BOOT, $(U_BOOT_MAKE_OPT) 
> EXT_DTB=$(U_BOOT_BUILD_DIR)/u-boot-pubkey.dtb)
> +endif
> +
>  ifdef PTXCONF_U_BOOT_BOOT_SCRIPT
>       @$(U_BOOT_BUILD_DIR)/tools/mkimage -T script -C none \
>               -d $(U_BOOT_BOOT_SCRIPT_TXT) \
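
Review bot: In the mkimage call under PTXCONF_U_BOOT_VERIFY_SIGNATURE, `-k "$(shell cs_get_uri image-kernel-fit)"` is expanded by make, and make does not abort when a $(shell ...) command fails, so a missing or misconfigured role ends up as `-k ""` and the result depends on how mkimage handles an empty key. Checking that the URI is non-empty, or that u-boot-pubkey.dtb contains the key under /signature after mkimage ran, before the second compile would fail the build instead of risking a U-Boot that ships without the key. The literal "sha256,rsa4096" duplicates the value in ptxd_make_image_fit_its(), as the commit message notes; a shared variable would keep the signing and the verifying side from drifting apart.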
