[U-Boot-Users] Secure Bootloader patch
emre kara
emrekara2002 at yahoo.co.uk
Wed Sep 13 23:34:45 CEST 2006
Hi Stephen;
I'm not an expert on crypto, but it seems that it's
really a good job. This was a critical security
requirement for a bootloader. Thanks for sharing this
with the community.
Emre
--- Stephen Johnson <steve at research.panasonic.com>
wrote:
>
> This message contains a patch to add RSA signature
> validation to
> U-Boot. I previously sent a similar e-mail to the
> CELinux-dev mailing
> list for comments where I received the following:
>
> 1. I shouldn't be using OpenSSL (due to licensing
> concerns),
> 2. alternate RSA libraries are GNU TLS and
> MatrixSSL, and
> 3. the U-Boot mailing list might be a more
> appropriate place
>
> The patch modifies u-boot to verify an image
> signature created with a
> SHA1 digest and RSA encryption/decryption. Because
> I found the
> necessary information fairly easily about SHA1 and
> RSA from the
> OpenSSL package, that's what I used. Hence, the
> modified u-boot ran
> quite quickly, but was rather large. The eventual
> goal is to release
> this patch to the community.
>
> I'm looking for additional comments, especially
> about other encryption
> libraries that would be better to use, and whether
> or not something
> like this is seen as useful.
>
> Notes:
> - I'm linking against openssl-0.9.8b.
> - I used crosstool based on gcc-3.4.5 and
> glibc-2.3.6 for the tool
> chain.
> - It all was built for an omap5912osk board.
> - The signature is added to the u-boot header by a
> modified mkimage
> (patch is included).
> - The signature is verified in cmd_bootm.c.
> - In u-boot/include/configs/omap5912osk.h there is
> a CONFIG_SIGNATURE
> that turns on/off the signature checking and
> creating.
>
> To compile the modified u-boot the following were
> needed:
>
> CPATH should be defined to point to wherever
> crosstool has its
> generic include files, e.g.
> export CPATH="/opt/crosstool/gcc-3.4.5-glibc-2.3.6/arm-softfloat-linux-gnu/arm-softfloat-linux-gnu/include"
>
> CRYPTO_INC needs to point at the openssl include
> files, e.g.
> export CRYPTO_INC="-I/home/steve/src/SecureBoot/openssl-0.9.8b/include"
>
> CRYPTO_LIBS needs to point to the openssl
> libraries, e.g.
> export CRYPTO_LIBS="-L /home/steve/src/SecureBoot/openssl-0.9.8b -lssl -lcrypto -lm -lc"
>
> If anyone has any problems or even better,
> suggestions, don't hesitate
> to let me know.
>
> Best regards,
> Steve
>
> =========================================
>
> diff -Naur u-boot.orig/common/cmd_bootm.c
> u-boot/common/cmd_bootm.c
> --- u-boot.orig/common/cmd_bootm.c 2006-05-10
> 11:43:20.000000000 -0400
> +++ u-boot/common/cmd_bootm.c 2006-06-12
> 10:35:57.000000000 -0400
> @@ -79,6 +79,12 @@
> # define CHUNKSZ (64 * 1024)
> #endif
>
> +#ifdef CONFIG_SIGNATURE
> +extern int verify_signature (const unsigned char
> *signature,
> + const unsigned char
> *buf,
> + unsigned int len);
> +#endif /* CONFIG_SIGNATURE */
> +
> int gunzip (void *, int, unsigned char *, unsigned
> long *);
>
> static void *zalloc(void *, unsigned, unsigned);
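Review bot: the `extern int verify_signature(...)` prototype is declared directly in cmd_bootm.c, so nothing checks it against the definition. Move it into a header that both this file and the implementing file include, and document the return convention there, since the caller in the next hunk treats 0 as failure and every other value as success.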
> @@ -238,6 +244,19 @@
> }
> puts ("OK\n");
> }
> +
> +#ifdef CONFIG_SIGNATURE
> + puts (" Verifying Signature ... ");
> + if (verify_signature(hdr->ih_sign,
> + (const unsigned char *)data,
> + len) == 0) {
> + puts("Invalid image signature\n");
> + SHOW_BOOT_PROGRESS(-3);
> + return 1;
> + }
> + puts ("OK\n");
> +#endif /* CONFIG_SIGNATURE */
> +
> SHOW_BOOT_PROGRESS (4);
>
> len_ptr = (ulong *)data;
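Review bot: the `verify_signature(hdr->ih_sign, (const unsigned char *)data, len)` call passes only the payload to the verifier, so as far as this hunk shows the header fields themselves are not covered by the signature; consider signing the header (with `ih_sign` zeroed) together with the data. The `== 0` test also lets any non-zero return, including a negative error code, fall through to `OK`; if success is 1, testing `!= 1` fails closed.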
> diff -Naur u-boot.orig/config.mk u-boot/config.mk
> --- u-boot.orig/config.mk 2006-05-10
> 11:43:20.000000000 -0400
> +++ u-boot/config.mk 2006-06-08 09:41:17.000000000
> -0400
> @@ -126,7 +126,7 @@
> -D__KERNEL__ -DTEXT_BASE=$(TEXT_BASE) \
> -I$(TOPDIR)/include \
> -fno-builtin -ffreestanding -nostdinc -isystem \
> - $(gccincdir) -pipe $(PLATFORM_CPPFLAGS)
> + $(gccincdir) -pipe $(PLATFORM_CPPFLAGS)
> $(CRYPTO_INC)
>
> ifdef BUILD_TAG
> CFLAGS := $(CPPFLAGS) -Wall -Wstrict-prototypes \
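Review bot: `$(CRYPTO_INC)` is appended to this flags line unconditionally, so every board build now depends on an environment variable, and OpenSSL headers end up on the include path of a `-ffreestanding -nostdinc` build. Guard it on the signature option and set it from the build system rather than the environment, with a comment saying what it must point at.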
> diff -Naur u-boot.orig/include/configs/omap5912osk.h
> u-boot/include/configs/omap5912osk.h
> --- u-boot.orig/include/configs/omap5912osk.h
> 2006-05-10 11:43:20.000000000 -0400
> +++ u-boot/include/configs/omap5912osk.h 2006-06-08
> 15:34:00.000000000 -0400
> @@ -38,6 +38,8 @@
> #define CONFIG_DISPLAY_CPUINFO 1 /* display cpu
> info (and speed) */
> #define CONFIG_DISPLAY_BOARDINFO 1 /* display board
> info */
>
> +#define CONFIG_SIGNATURE 1
> +
> /* input clock of PLL */
> /* the OMAP5912 OSK has 12MHz input clock */
> #define CONFIG_SYS_CLK_FREQ 12000000
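Review bot: `#define CONFIG_SIGNATURE 1` is added without a comment, unlike the neighbouring options, and it switches signature handling on for every build of this board configuration. Add a comment saying what it enables and that it changes both what mkimage produces and what bootm accepts.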
> @@ -112,7 +122,11 @@
> */
> #define CFG_LONGHELP /* undef to save memory */
> #define CFG_PROMPT "OMAP5912 OSK # " /* Monitor
> Command Prompt */
> +#ifdef CONFIG_SIGNATURE
> +#define CFG_CBSIZE 512 /* Console I/O Buffer Size
> */
> +#else
> #define CFG_CBSIZE 256 /* Console I/O Buffer Size
> */
> +#endif
> /* Print Buffer Size */
> #define CFG_PBSIZE
> (CFG_CBSIZE+sizeof(CFG_PROMPT)+16)
> #define CFG_MAXARGS 16 /* max number of command
> args */
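Review bot: the `CFG_CBSIZE 512` branch doubles the console buffer when CONFIG_SIGNATURE is set, but nothing in the patch says why signature checking needs a larger console buffer (CFG_PBSIZE grows with it); add the reason in a comment or drop the change. The header `-112,7 +122,11` also implies eight more added lines before this point than the previous hunk accounts for, so the diff looks hand-trimmed and should be regenerated.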
> @@ -183,9 +197,9 @@
> */
> #define CFG_ENV_IS_IN_FLASH 1
> /* addr of environment */
> -#define CFG_ENV_ADDR (CFG_FLASH_BASE + 0x020000)
> +#define CFG_ENV_ADDR (CFG_FLASH_BASE + 0x0E0000)
>
> #define CFG_ENV_SIZE 0x20000 /* Total Size of
> Environment Sector */
> -#define CFG_ENV_OFFSET 0x20000 /* environment
> starts here */
> +#define CFG_ENV_OFFSET 0xE0000 /* environment
> starts here */
>
> #endif /* __CONFIG_H */
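Review bot: `CFG_ENV_ADDR` and `CFG_ENV_OFFSET` move from 0x20000 to 0xE0000 outside any `#ifdef CONFIG_SIGNATURE`, so the environment sector relocates even with signing disabled, and a board with a saved environment at the old address will not find it. Make the move conditional or split it into its own patch, and state the reason (presumably the larger image) in the comment.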
> diff -Naur u-boot.orig/include/image.h
> u-boot/include/image.h
> --- u-boot.orig/include/image.h 2006-05-10
> 11:43:20.000000000 -0400
> +++ u-boot/include/image.h 2006-06-08
> 09:09:09.000000000 -0400
> @@ -134,6 +134,9 @@
>
> #define IH_MAGIC 0x27051956 /* Image Magic Number
> */
> #define IH_NMLEN 32 /* Image Name Length */
> +#ifdef CONFIG_SIGNATURE
> +#define IH_SIGN 256 /* Image Signature Length */
> +#endif /* CONFIG_SIGNATURE */
>
> /*
> * all data in network byte order (aka natural aka
> bigendian)
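Review bot: `IH_SIGN 256` fixes the signature at 256 bytes, i.e. a 2048-bit RSA modulus, with no field recording the key size or algorithm, and because it sits under `#ifdef CONFIG_SIGNATURE` the header that carries `ih_sign` now depends on a build option that mkimage and U-Boot must both agree on. Record the key length in the comment and consider a header version or flag so a mismatched image is rejected rather than misparsed.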
> @@ -152,6 +155,9 @@
>
=== message truncated ===
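The check this thread describes (mkimage stores an RSA signature over a SHA1 digest in the image header, bootm verifies it before booting), modelled in Python as an added example that is not part of the original post or of the patch. The PKCS#1 v1.5 encoding, the three-field header and the toy key built from two Mersenne primes are assumptions for illustration; the patch itself reserves 256 bytes for the signature.

```python
import hashlib
import struct

# Constructed toy RSA key (two Mersenne primes): illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # modulus length in bytes

# DER prefix of the PKCS#1 v1.5 DigestInfo for SHA-1 (RFC 8017, section 9.2).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def encode(msg: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 DigestInfo, exactly K bytes."""
    t = SHA1_PREFIX + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(msg: bytes) -> bytes:            # host side, the role of mkimage
    return pow(int.from_bytes(encode(msg), "big"), D, N).to_bytes(K, "big")

def verify(sig: bytes, msg: bytes) -> bool:   # boot side, the role of bootm
    if len(sig) != K or int.from_bytes(sig, "big") >= N:
        return False
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    # Compare the whole encoded block; never parse the padding leniently.
    return em == encode(msg)

def header(load: int, entry: int, size: int) -> bytes:
    """Hypothetical header fields, big-endian like the U-Boot image header."""
    return struct.pack(">III", load, entry, size)

def demo() -> dict:
    payload = b"constructed kernel image bytes"
    hdr = header(0x10008000, 0x10008000, len(payload))
    altered = header(0x10008000, 0x20000000, len(payload))  # entry changed
    sig_data = sign(payload)              # signature over the payload only
    sig_all = sign(hdr + payload)         # signature over header + payload
    return {
        # The payload is untouched, so a payload-only check cannot see 'altered'.
        "payload_only_detects_header_change": not verify(sig_data, payload),
        "full_accepts_original": verify(sig_all, hdr + payload),
        "full_detects_header_change": not verify(sig_all, altered + payload),
        "full_detects_payload_change":
            not verify(sig_all, hdr + payload[:-1] + b"X"),
    }

if __name__ == "__main__":
    print(demo())
```

A signature computed over the payload alone leaves the load address, entry point and size fields unauthenticated, which is why the second variant signs the header bytes as well.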