On Thu, Jun 13, 2013 at 03:09:59PM -0700, Simon Glass wrote:
> This series implemented a verified boot system based around FIT images
> as discussed on the U-Boot mailing list, including on this thread:
>
> http://permalink.gmane.org/gmane.comp.boot-loaders.u-boot/147830
>
> RSA is used to implement the encryption. Images are signed by mkimage
> using private keys created by the user. Public keys are written into
> U-Boot control FDT (CONFIG_OF_CONTROL) for access by bootm etc. at
> run-time. The control FDT must be stored in a secure place where it
> cannot be changed after manufacture. Some notes are provided in the
> documentation on how this can be achieved. The implementation is fairly
> efficient and fits nicely into U-Boot. FIT plus RSA adds around 18KB
> to SPL size which is manageable on modern SoCs.
>
> When images are loaded, they are verified with the public keys.
>
> It is important to have a test framework for this series. For this, sandbox
> is used, and a script is provided which signs images and gets sandbox to
> load them using a script, to check that all is well.
>
> Rollback prevention has been added in a separate TPM patch. This ensures
> that an attacker cannot boot your system with an old image that has been
> compromised. Support for this is not built into bootm, but instead must
> be scripted in U-Boot. It is possible that a standard scheme for this could
> be devised by adding version number tags to the signing procedure. However
> scripts do provide more flexibility. See the 'tpm' command for more
> information.
>
> Two patches affect libfdt and have material which is not yet upstream in
> that project:
>
> image: Add support for signing of FIT configurations
> libfdt: Add fdt_find_regions()
>
> If these are not desired, then the rest of the series can stand alone,
> just without the configuration-signing feature.
>
> This series requires the 'trace' series since it sits on top of the bootm
> refactor there.
>
> This series is available at:
>
> http://git.denx.de/u-boot-x86.git
>
> in the branch 'vboot'.
>
> Changes in v3:
> - Fix 'compile' typo
> - Rebase to master
> - Use new fdt_first/next_subnode()
>
> Changes in v2:
> - Add sanity checks on key sizes in RSA (improves security)
> - Adjust how signing enable works in image.h
> - Adjust mkimage help to separate out signing options
> - Avoid using malloc in RSA routines (for smaller SPL code size)
> - Build signing support unconditionally in mkimage
> - Fix FDT error handling in fit_image_write_sig()
> - Fix checkpatch checks about parenthesis alignment
> - Fix checkpatch warnings about split strings
> - Fix spelling of multiply in rsa-verify.c
> - Only build RSA support into mkimage if CONFIG_RSA is defined
> - Rebase on previous patches
> - Require CONFIG_FIT_SIGNATURE in image.h for mkimage to support signing
> - Support RSA library version without ERR_remove_thread_state()
> - Tweak tools/Makefile to make image signing optional
> - Update README to fix typos
> - Update README to fix typos and clarify some points
> - Use U-Boot's -c option instead of hard-coding a boot script
> - Use stack instead of calloc() within U-Boot's signature verification code
> - gd->fdt_blob is now available on all archs (generic board landed)
>
> Simon Glass (12):
>   image: Add signing infrastructure
>   image: Support signing of images
>   image: Add RSA support for image signing
>   mkimage: Add -k option to specify key directory
>   mkimage: Add -K to write public keys to an FDT blob
>   mkimage: Add -F option to modify an existing .fit file
>   mkimage: Add -c option to specify a comment for key signing
>   mkimage: Add -r option to specify keys that must be verified
>   libfdt: Add fdt_find_regions()
>   image: Add support for signing of FIT configurations
>   sandbox: config: Enable FIT signatures with RSA
>   Add verified boot information and test
>
>  Makefile                         |   1 +
>  README                           |  15 ++
>  common/Makefile                  |   1 +
>  common/image-fit.c               |  83 ++++--
>  common/image-sig.c               | 422 +++++++++++++++++++++++++++++++
>  config.mk                        |   1 +
>  doc/mkimage.1                    |  73 +++++-
>  doc/uImage.FIT/sign-configs.its  |  45 ++++
>  doc/uImage.FIT/sign-images.its   |  42 ++++
>  doc/uImage.FIT/signature.txt     | 382 ++++++++++++++++++++++++++++
>  doc/uImage.FIT/verified-boot.txt | 104 ++++++++
>  include/configs/sandbox.h        |   2 +
>  include/image.h                  | 165 +++++++++++-
>  include/libfdt.h                 |  64 +++++
>  include/rsa.h                    | 108 ++++++++
>  lib/libfdt/fdt_wip.c             | 129 ++++++++++
>  lib/rsa/Makefile                 |  48 ++++
>  lib/rsa/rsa-sign.c               | 460 ++++++++++++++++++++++++++++++++++
>  lib/rsa/rsa-verify.c             | 385 ++++++++++++++++++++++++++++
>  test/vboot/.gitignore            |   3 +
>  test/vboot/sandbox-kernel.dts    |   7 +
>  test/vboot/sandbox-u-boot.dts    |   7 +
>  test/vboot/sign-configs.its      |  45 ++++
>  test/vboot/sign-images.its       |  42 ++++
>  test/vboot/vboot_test.sh         | 126 ++++++++++
>  tools/Makefile                   |  19 +-
>  tools/fit_image.c                |  44 +++-
>  tools/image-host.c               | 527 ++++++++++++++++++++++++++++++++++++++-
>  tools/mkimage.c                  |  36 ++-
>  tools/mkimage.h                  |   4 +
>  30 files changed, 3333 insertions(+), 57 deletions(-)
>  create mode 100644 common/image-sig.c
>  create mode 100644 doc/uImage.FIT/sign-configs.its
>  create mode 100644 doc/uImage.FIT/sign-images.its
>  create mode 100644 doc/uImage.FIT/signature.txt
>  create mode 100644 doc/uImage.FIT/verified-boot.txt
>  create mode 100644 include/rsa.h
>  create mode 100644 lib/rsa/Makefile
>  create mode 100644 lib/rsa/rsa-sign.c
>  create mode 100644 lib/rsa/rsa-verify.c
>  create mode 100644 test/vboot/.gitignore
>  create mode 100644 test/vboot/sandbox-kernel.dts
>  create mode 100644 test/vboot/sandbox-u-boot.dts
>  create mode 100644 test/vboot/sign-configs.its
>  create mode 100644 test/vboot/sign-images.its
>  create mode 100755 test/vboot/vboot_test.sh
Applied to u-boot/master, thanks!

-- 
Tom
_______________________________________________ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
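An added model (not U-Boot's code) of the signing and verification flow the cover letter describes: the host side signs the image with a private key and records which key it used, the boot side looks the public key up in the control FDT by that name and refuses an unknown key, a bad signature, or a missing signature from a key marked as required (the `-r` option). The dict layout, the toy modulus built from two Mersenne primes, and the sample image are constructed assumptions; real keys come from openssl via `mkimage -k`.

```python
import hashlib

# Constructed toy key: the modulus is the product of two Mersenne primes so the
# example is deterministic without key generation. A real setup uses keys made
# with openssl and handed to mkimage -k; this toy modulus has no security value.
P, Q = (1 << 521) - 1, (1 << 127) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")  # PKCS#1 DigestInfo

# Stand-in for the control FDT: one public key node, marked as required, i.e.
# the key named by mkimage -r that every boot must be verified against.
CONTROL_FDT = {"key-dev": {"algo": "sha1,rsa", "n": N, "e": E, "required": True}}
IMAGE = b"constructed sample kernel image\x00" * 64   # constructed payload

def pkcs1_v15_encode(data, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-1(data) for a k-byte modulus."""
    t = SHA1_PREFIX + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_image(data, key_name):
    """Host side (what mkimage does): produce a signature subnode that names
    the key it was made with, so U-Boot can find the matching public key."""
    k = (N.bit_length() + 7) // 8
    sig = pow(int.from_bytes(pkcs1_v15_encode(data, k), "big"), D, N)
    return {"algo": "sha1,rsa", "key-name-hint": key_name, "value": sig.to_bytes(k, "big")}

def verify_image(data, sig_node, control_fdt):
    """Boot side (what bootm does): look up the public key named by key-name-hint
    in the control FDT and check the signature. An unknown key, an algorithm
    mismatch or a bad signature all fail. Returns the verifying key name or None."""
    key = control_fdt.get("key-" + sig_node["key-name-hint"])
    if key is None or key["algo"] != sig_node["algo"]:
        return None
    k = (key["n"].bit_length() + 7) // 8
    m = pow(int.from_bytes(sig_node["value"], "big"), key["e"], key["n"])
    if m.to_bytes(k, "big") != pkcs1_v15_encode(data, k):
        return None
    return sig_node["key-name-hint"]

def boot_allowed(data, sig_nodes, control_fdt):
    """Required-key policy: every key flagged required in the control FDT must
    verify one of the image's signatures, otherwise the boot is refused."""
    verified = {verify_image(data, s, control_fdt) for s in sig_nodes}
    required = [name[4:] for name, key in control_fdt.items() if key.get("required")]
    return all(name in verified for name in required)

if __name__ == "__main__":
    print(boot_allowed(IMAGE, [sign_image(IMAGE, "dev")], CONTROL_FDT))  # True
```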