[U-Boot] [RFC PATCH 0/44] RFC: Verified boot implementation based on FIT

Simon Glass sjg at chromium.org
Sat Jan 5 02:51:29 CET 2013 

This series implemented a verified boot system based around FIT images
as discussed on the U-Boot mailing list, including on this thread:

http://permalink.gmane.org/gmane.comp.boot-loaders.u-boot/147830

RSA is used to implement the encryption. Images are signed by mkimage
using private keys created by the user. Public keys are written into
U-Boot control FDT (CONFIG_OF_CONTROL) for access by bootm etc. at
run-time. The control FDT must be stored in a secure place where it
cannot be changed after manufacture. Some notes are provided in the
documentaion on how this can be achieved.

When images are loaded, they are verified with the public keys.

Some minor restructuring of the image code is included in this series,
since we now support signatures as well as hashes.

It is important to have a test framework for this series. For this, sandbox
is used, and a script is provided which signs images and gets sandbox to
load them using a script, to check that all is well. So some of the patches
here release to adding image support for sandbox.

This series is not quite in final form since it still needs rollback
support, using a TPM or some other mechanism to make sure that an attacker
cannot boot your system with an old image that has been compromised.

Also a few more tests are needed to check that image corruption has the
desired effect, some proofreading is required, another review of error
checking, etc.

This series relies on two previous series: sandbox filesystem and sandbox
memory. Without these, it is (at best) not possible to run the verified
boot test on sandbox.

This series and its dependencies are available at:

   http://git.denx.de/u-boot-x86.git

in the branch 'vboot'.

Comments welcome.


Simon Glass (44):
  sandbox: config: Enable CONFIG_FIT and CONFIG_CMD_FIT
  bootstage: Don't build for HOSTCC
  mkimage: Move ARRAY_SIZE to header file
  libfdt: Add fdt_next_subnode() to permit easy subnode iteration
  image: Move timestamp #ifdefs to header file
  image: Export fit_check_ramdisk()
  image: Split FIT code into new image-fit.c
  image: Move HOSTCC image code to tools/
  image: Split hash node processing into its own function
  image: Convert fit_image_hash_set_value() to static, and rename
  image: Rename fit_image_check_hashes() to fit_image_verify()
  image: Move hash checking into its own functions
  image: Move error! string to common place
  image: Export fit_conf_get_prop_node()
  image: Rename fit_add_hashes() to fit_add_verification_data()
  image: Rename hash printing to fit_image_print_verification_data()
  sandbox: Add CONFIG_OF_HOSTFILE to read FDT from host file
  fdt: Add a parameter to fdt_valid()
  Add getenv_hex() to return an environment variable as hex
  fdt: Allow fdt command to check and update control FDT
  sandbox: fdt: Support fdt command for sandbox
  env: Fix minor comment typos in cmd_nvedit
  fdt: Skip checking FDT if the pointer is NULL
  Revert "fdt- Tell the FDT library where the device tree is"
  Add stdarg to vsprintf.h
  Add minor updates to README.fdt-control
  hash: Add a way to calculate a hash for any algortihm
  sandbox: config: Enable FIT signatures with RSA
  sandbox: Provide a way to map from host RAM to U-Boot RAM
  sandbox: image: Add support for booting images in sandbox
  image: Add signing infrastructure
  image: Support signing of images
  image: Verify signatures in FIT images
  image: Add RSA support for image signing
  mkimage: Put FIT loading in function and tidy error handling
  mkimage: Add -k option to specify key directory
  mkimage: Add -K to write public keys to an FDT blob
  mkimage: Add -F option to modify an existing .fit file
  mkimage: Add -c option to specify a comment for key signing
  mkimage: Add -r option to specify keys that must be verified
  libfdt: Add fdt_find_regions()
  image: Add support for signing of FIT configurations
  Add verified boot information and test
  WIP: sandbox: config: Add test config for verified boot

 Makefile                         |    1 +
 README                           |   15 +
 arch/sandbox/cpu/cpu.c           |    5 +
 arch/sandbox/cpu/start.c         |    7 +
 arch/sandbox/include/asm/io.h    |    2 +
 arch/sandbox/include/asm/state.h |    1 +
 arch/sandbox/lib/board.c         |   42 +-
 common/Makefile                  |    2 +
 common/cmd_bootm.c               |   37 +-
 common/cmd_fdt.c                 |   83 ++-
 common/cmd_fpga.c                |    2 +-
 common/cmd_nvedit.c              |   19 +-
 common/cmd_source.c              |    2 +-
 common/cmd_ximg.c                |    2 +-
 common/hash.c                    |   22 +
 common/image-fit.c               | 1544 +++++++++++++++++++++++++++++++++++
 common/image-sig.c               |  407 +++++++++
 common/image.c                   | 1677 +-------------------------------------
 common/main.c                    |    8 -
 common/update.c                  |    2 +-
 config.mk                        |    1 +
 doc/README.fdt-control           |   13 +-
 doc/mkimage.1                    |   73 ++-
 doc/uImage.FIT/sign-configs.its  |   45 +
 doc/uImage.FIT/sign-images.its   |   42 +
 doc/uImage.FIT/signature.txt     |  376 +++++++++
 doc/uImage.FIT/verified-boot.txt |  104 +++
 include/bootstage.h              |    5 +-
 include/common.h                 |   18 +
 include/configs/sandbox.h        |   20 +-
 include/hash.h                   |   15 +
 include/image.h                  |  213 +++++-
 include/libfdt.h                 |   81 ++
 include/rsa.h                    |  108 +++
 include/vsprintf.h               |    2 +
 lib/fdtdec.c                     |    3 +-
 lib/libfdt/fdt.c                 |   12 +
 lib/libfdt/fdt_wip.c             |  129 +++
 lib/rsa/Makefile                 |   46 +
 lib/rsa/rsa-sign.c               |  454 +++++++++++
 lib/rsa/rsa-verify.c             |  374 +++++++++
 test/vboot/.gitignore            |    3 +
 test/vboot/sandbox-kernel.dts    |    7 +
 test/vboot/sandbox-u-boot.dts    |    7 +
 test/vboot/sign-configs.its      |   45 +
 test/vboot/sign-images.its       |   42 +
 test/vboot/vboot_test.sh         |  122 +++
 tools/Makefile                   |   21 +-
 tools/aisimage.c                 |    1 -
 tools/fit_image.c                |  134 ++-
 tools/image-host.c               |  727 +++++++++++++++++
 tools/mkimage.c                  |   27 +-
 tools/mkimage.h                  |    6 +
 53 files changed, 5386 insertions(+), 1770 deletions(-)
 create mode 100644 common/image-fit.c
 create mode 100644 common/image-sig.c
 create mode 100644 doc/uImage.FIT/sign-configs.its
 create mode 100644 doc/uImage.FIT/sign-images.its
 create mode 100644 doc/uImage.FIT/signature.txt
 create mode 100644 doc/uImage.FIT/verified-boot.txt
 create mode 100644 include/rsa.h
 create mode 100644 lib/rsa/Makefile
 create mode 100644 lib/rsa/rsa-sign.c
 create mode 100644 lib/rsa/rsa-verify.c
 create mode 100644 test/vboot/.gitignore
 create mode 100644 test/vboot/sandbox-kernel.dts
 create mode 100644 test/vboot/sandbox-u-boot.dts
 create mode 100644 test/vboot/sign-configs.its
 create mode 100644 test/vboot/sign-images.its
 create mode 100755 test/vboot/vboot_test.sh
 create mode 100644 tools/image-host.c

-- 
1.7.7.3

More information about the U-Boot mailing list