[U-Boot] [RFC PATCH 0/44] RFC: Verified boot implementation based on FIT
Simon Glass
sjg at chromium.org
Sat Jan 5 02:51:29 CET 2013

This series implements a verified boot system based around FIT images
as discussed on the U-Boot mailing list, including on this thread:

http://permalink.gmane.org/gmane.comp.boot-loaders.u-boot/147830

RSA is used to implement the encryption. Images are signed by mkimage
using private keys created by the user. Public keys are written into
the U-Boot control FDT (CONFIG_OF_CONTROL) for access by bootm etc. at
run-time. The control FDT must be stored in a secure place where it
cannot be changed after manufacture. Some notes are provided in the
documentation on how this can be achieved.

When images are loaded, they are verified with the public keys.

Some minor restructuring of the image code is included in this series,
since we now support signatures as well as hashes.

It is important to have a test framework for this series. For this, sandbox
is used, and a script is provided which signs images and gets sandbox to
load them using a script, to check that all is well. So some of the patches
here relate to adding image support for sandbox.

This series is not quite in final form since it still needs rollback
support, using a TPM or some other mechanism to make sure that an attacker
cannot boot your system with an old image that has been compromised.
Also a few more tests are needed to check that image corruption has the
desired effect, some proofreading is required, another review of error
checking, etc.

This series relies on two previous series: sandbox filesystem and sandbox
memory. Without these, it is (at best) not possible to run the verified
boot test on sandbox.

This series and its dependencies are available at:

http://git.denx.de/u-boot-x86.git

in the branch 'vboot'.

Comments welcome.

Simon Glass (44):
sandbox: config: Enable CONFIG_FIT and CONFIG_CMD_FIT
bootstage: Don't build for HOSTCC
mkimage: Move ARRAY_SIZE to header file
libfdt: Add fdt_next_subnode() to permit easy subnode iteration
image: Move timestamp #ifdefs to header file
image: Export fit_check_ramdisk()
image: Split FIT code into new image-fit.c
image: Move HOSTCC image code to tools/
image: Split hash node processing into its own function
image: Convert fit_image_hash_set_value() to static, and rename
image: Rename fit_image_check_hashes() to fit_image_verify()
image: Move hash checking into its own functions
image: Move error! string to common place
image: Export fit_conf_get_prop_node()
image: Rename fit_add_hashes() to fit_add_verification_data()
image: Rename hash printing to fit_image_print_verification_data()
sandbox: Add CONFIG_OF_HOSTFILE to read FDT from host file
fdt: Add a parameter to fdt_valid()
Add getenv_hex() to return an environment variable as hex
fdt: Allow fdt command to check and update control FDT
sandbox: fdt: Support fdt command for sandbox
env: Fix minor comment typos in cmd_nvedit
fdt: Skip checking FDT if the pointer is NULL
Revert "fdt- Tell the FDT library where the device tree is"
Add stdarg to vsprintf.h
Add minor updates to README.fdt-control
hash: Add a way to calculate a hash for any algorithm
sandbox: config: Enable FIT signatures with RSA
sandbox: Provide a way to map from host RAM to U-Boot RAM
sandbox: image: Add support for booting images in sandbox
image: Add signing infrastructure
image: Support signing of images
image: Verify signatures in FIT images
image: Add RSA support for image signing
mkimage: Put FIT loading in function and tidy error handling
mkimage: Add -k option to specify key directory
mkimage: Add -K to write public keys to an FDT blob
mkimage: Add -F option to modify an existing .fit file
mkimage: Add -c option to specify a comment for key signing
mkimage: Add -r option to specify keys that must be verified
libfdt: Add fdt_find_regions()
image: Add support for signing of FIT configurations
Add verified boot information and test
WIP: sandbox: config: Add test config for verified boot

 Makefile                         |    1 +
 README                           |   15 +
 arch/sandbox/cpu/cpu.c           |    5 +
 arch/sandbox/cpu/start.c         |    7 +
 arch/sandbox/include/asm/io.h    |    2 +
 arch/sandbox/include/asm/state.h |    1 +
 arch/sandbox/lib/board.c         |   42 +-
 common/Makefile                  |    2 +
 common/cmd_bootm.c               |   37 +-
 common/cmd_fdt.c                 |   83 ++-
 common/cmd_fpga.c                |    2 +-
 common/cmd_nvedit.c              |   19 +-
 common/cmd_source.c              |    2 +-
 common/cmd_ximg.c                |    2 +-
 common/hash.c                    |   22 +
 common/image-fit.c               | 1544 +++++++++++++++++++++++++++++++++++
 common/image-sig.c               |  407 +++++++++
 common/image.c                   | 1677 +-------------------------------------
 common/main.c                    |    8 -
 common/update.c                  |    2 +-
 config.mk                        |    1 +
 doc/README.fdt-control           |   13 +-
 doc/mkimage.1                    |   73 ++-
 doc/uImage.FIT/sign-configs.its  |   45 +
 doc/uImage.FIT/sign-images.its   |   42 +
 doc/uImage.FIT/signature.txt     |  376 +++++++++
 doc/uImage.FIT/verified-boot.txt |  104 +++
 include/bootstage.h              |    5 +-
 include/common.h                 |   18 +
 include/configs/sandbox.h        |   20 +-
 include/hash.h                   |   15 +
 include/image.h                  |  213 +++++-
 include/libfdt.h                 |   81 ++
 include/rsa.h                    |  108 +++
 include/vsprintf.h               |    2 +
 lib/fdtdec.c                     |    3 +-
 lib/libfdt/fdt.c                 |   12 +
 lib/libfdt/fdt_wip.c             |  129 +++
 lib/rsa/Makefile                 |   46 +
 lib/rsa/rsa-sign.c               |  454 +++++++++++
 lib/rsa/rsa-verify.c             |  374 +++++++++
 test/vboot/.gitignore            |    3 +
 test/vboot/sandbox-kernel.dts    |    7 +
 test/vboot/sandbox-u-boot.dts    |    7 +
 test/vboot/sign-configs.its      |   45 +
 test/vboot/sign-images.its       |   42 +
 test/vboot/vboot_test.sh         |  122 +++
 tools/Makefile                   |   21 +-
 tools/aisimage.c                 |    1 -
 tools/fit_image.c                |  134 ++-
 tools/image-host.c               |  727 +++++++++++++++++
 tools/mkimage.c                  |   27 +-
 tools/mkimage.h                  |    6 +
 53 files changed, 5386 insertions(+), 1770 deletions(-)
create mode 100644 common/image-fit.c
create mode 100644 common/image-sig.c
create mode 100644 doc/uImage.FIT/sign-configs.its
create mode 100644 doc/uImage.FIT/sign-images.its
create mode 100644 doc/uImage.FIT/signature.txt
create mode 100644 doc/uImage.FIT/verified-boot.txt
create mode 100644 include/rsa.h
create mode 100644 lib/rsa/Makefile
create mode 100644 lib/rsa/rsa-sign.c
create mode 100644 lib/rsa/rsa-verify.c
create mode 100644 test/vboot/.gitignore
create mode 100644 test/vboot/sandbox-kernel.dts
create mode 100644 test/vboot/sandbox-u-boot.dts
create mode 100644 test/vboot/sign-configs.its
create mode 100644 test/vboot/sign-images.its
create mode 100755 test/vboot/vboot_test.sh
create mode 100644 tools/image-host.c
--
1.7.7.3