On Tue, 21 Feb 2017 13:08:19 -0500 Ron Brash <ron.br...@gmail.com> wrote:
> Hello all,
>
> I am adding verified kernel support on a board we are using and I am
> struggling to fully understand all of the concepts and steps required
> to pull everything together (on ARM, using ZImages and booting with a
> working DTB on 4.4.3x). I also looked at the test script inside of
> examples, but it left me with more questions than understanding.
>
> Please correct me where appropriate in my understanding, but if I am
> confused, likely others are too and I hope this helps everyone
> involved overall.

Some time ago I gave verified boot a try on the BBB (BeagleBone Black).

Please refer to:
/home/lukma/work/embedded/u-boot-denx/doc/uImage.FIT/beaglebone_vboot.txt

It should shed some more light on your problem and provide a reference.

>
> Steps:
> ---------------------------------------------------------------
>
> First, u-boot needs to have the appropriate features enabled and to be
> built using them. At a minimum, I suspect:
>
> CONFIG_RSA=y
> CONFIG_FIT=y
> CONFIG_FIT_SIGNATURE=y
> CONFIG_OF_CONTROL=y
>
> Next, we need to derive the appropriate cryptographic primitives/keys.
>
> #Generate a private signing key (RSA2048):
> openssl genrsa -F4 -out \
> "${key_dir}"/"${key_name}".key 2048
>
> # Generate a public key:
> openssl req -batch -new -x509 \
> -key "${key_dir}"/"${key_name}".key \
> -out "${key_dir}"/"${key_name}".crt
>
> Then we derive the ITS or image source file - a file that
> hints/describes the elements that will be verified and/or inside of
> the FIT image?
> Let's call this $FIT_ITS
>
> /dts-v1/;
> / {
>     description = "Configuration to load a Xen Kernel";
>     #address-cells = <1>;
>     images {
>         linux_kernel@1 {
>             description = "Linux zImage";
>             data = /incbin/("pathToImage/zImage");
>             type = "kernel";
>             arch = "arm";
>             os = "linux";
>             compression = "none";
>             load = <0xaf600000>;
>             entry = <0xaf600000>;
>             hash@1 {
>                 algo = "sha1";
>             };
>         };
>         fdt@1 {
>             description = "FDT blob";
>             data = /incbin/("PathToDTBUsedByBootingKernel/ex.dtb");
>             type = "flat_dt";
>             arch = "arm";
>             compression = "none";
>             load = <0xaec00000>;
>             hash@1 {
>                 algo = "sha1";
>             };
>         };
>     };
>     configurations {
>         default = "config@1";
>         config@1 {
>             description = "Plain Linux";
>             kernel = "linux_kernel@1";
>             fdt = "fdt@1";
>             loadables = "linux_kernel@1";
>         };
>     };
> };
>
> Question: Does a signature section go into this as well? underneath
> the hash node for each value?
>
> signature@1 {
>     algo = "sha1,rsa2048";
>     value = <...kernel signature 1...>;
> };
>
> Then using the device-tree-compiler (dtc), I create a DTB for
> u-boot. This is the control FDT and this defines what keys are used
> etc..
>
> #Assemble control FDT for U-Boot with space for public key:
> $DTC -p 0x1000 u-boot.dts -O dtb -o u-boot.dtb
>
> Question: What is required inside of the u-boot.dts for u-boot? Is it
> simply the same .dts used by the booting kernel, but with a section
> proclaiming the keys?

The u-boot dts is not 100% compatible with the Linux kernel, but does the
same job. Yes, you put your public key into it, IIRC.

>
> Question: Where will the compiled u-boot.dtb eventually go? Is this
> put into a FIT image, or flashed onto the board alongside the u-boot
> bootloader itself?

The u-boot dtb will be packed into a FIT image, which comprises u-boot and
several dtb's. This image is not the one which the kernel uses to boot
the kernel. (There is a switch CONFIG_SPL_LOAD_FIT in spl.c, so please
look for a reference).
>
> Next, given that the above steps are completed, I need to create a FIT
> image with space for the signature.
>
> # Generate fitImage with space for signature:
> $MKIMG -D "-I dts -O dtb -p 2000" \
> -f $FIT_ITS $FIT_IMG
>
> Question: Is the FIT_IMAGE the actual zimage or is it an output image
> that contains all of the values contained within the ITS?
>
> Next this FIT_IMAGE (assuming that this is the final FIT image that
> contains the FDT and zImage) needs to be signed and the public key
> added to it; given that the key information is in the uboot.
>
> # Sign fitImage and add public key into u-boot.dtb:
> $MKIMG -D "-I dts -O dtb -p 2000" -F \
> -k "${key_dir}" -K u-boot.dtb -r $FIT_IMG
>
> Then, we sign the subsequent fitImage again - correct?
>
> # Signing subsequent fitImage:
> $MKIMG -D "-I dts -O dtb -p 2000" \
> -k "${key_dir}" -f $FIT_ITS -r $FIT_IMG
>
> Now that all of the above is done - we need to:
> 1. Write our uboot to the flash
> 2. Write our FIT_IMAGE to flash
>
> Question: Do we write anything else to persistent storage? The ITS?
> etc..
>
> Question: Do we just boot using anything else or just bootm
> 0xLocationOfTheFitImageInRAM
>
> Greatly appreciate any assistance to all of these questions and I'm
> sure this thread will be of interest to anyone else too.
>
> Thanks!
> _______________________________________________
> U-Boot mailing list
> U-Boot@lists.denx.de
> http://lists.denx.de/mailman/listinfo/u-boot

Best regards,

Lukasz Majewski

--

DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: w...@denx.de
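
An added example, not part of either message or of the U-Boot tree: the ITS from the question with a signature node placed under the configuration, the layout U-Boot's FIT signature documentation uses for signed configurations. The key name "dev" is an assumption and has to match ${key_name} from the openssl step; the image paths are the placeholders used in the thread.

```dts
/dts-v1/;
/ {
    description = "Signed kernel and FDT (added example)";
    #address-cells = <1>;

    images {
        linux_kernel@1 {
            description = "Linux zImage";
            data = /incbin/("pathToImage/zImage");   /* placeholder path from the thread */
            type = "kernel";
            arch = "arm";
            os = "linux";
            compression = "none";
            load = <0xaf600000>;
            entry = <0xaf600000>;
            hash@1 {
                algo = "sha1";   /* hash node is covered by the configuration signature */
            };
        };
        fdt@1 {
            description = "FDT blob";
            data = /incbin/("PathToDTBUsedByBootingKernel/ex.dtb");   /* placeholder path */
            type = "flat_dt";
            arch = "arm";
            compression = "none";
            load = <0xaec00000>;
            hash@1 {
                algo = "sha1";
            };
        };
    };

    configurations {
        default = "config@1";
        config@1 {
            description = "Plain Linux";
            kernel = "linux_kernel@1";
            fdt = "fdt@1";
            /* "loadables" from the original ITS is left out of this example */
            signature@1 {
                algo = "sha1,rsa2048";
                key-name-hint = "dev";   /* assumed name: mkimage -k <dir> reads <dir>/dev.key and dev.crt */
                sign-images = "fdt", "kernel";
                /* no "value" property here: mkimage writes it when it signs the image */
            };
        };
    };
};
```

Signing the configuration rather than each image separately binds this kernel to this FDT, so individually valid images cannot be recombined into a configuration that was never signed.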