[U-Boot] [RFC PATCH 0/44] RFC: Verified boot implementation based on FIT
Simon Glass
sjg at chromium.org
Fri Mar 8 05:25:01 CET 2013
Hi,
On Fri, Jan 4, 2013 at 5:51 PM, Simon Glass <sjg at chromium.org> wrote:
> This series implemented a verified boot system based around FIT images
> as discussed on the U-Boot mailing list, including on this thread:
>
> http://permalink.gmane.org/gmane.comp.boot-loaders.u-boot/147830
>
> RSA is used to implement the encryption. Images are signed by mkimage
> using private keys created by the user. Public keys are written into
> U-Boot control FDT (CONFIG_OF_CONTROL) for access by bootm etc. at
> run-time. The control FDT must be stored in a secure place where it
> cannot be changed after manufacture. Some notes are provided in the
> documentation on how this can be achieved.
>
> When images are loaded, they are verified with the public keys.
>
> Some minor restructuring of the image code is included in this series,
> since we now support signatures as well as hashes.
>
> It is important to have a test framework for this series. For this, sandbox
> is used, and a script is provided which signs images and gets sandbox to
> load them using a script, to check that all is well. So some of the patches
> here relate to adding image support for sandbox.
>
> This series is not quite in final form since it still needs rollback
> support, using a TPM or some other mechanism to make sure that an attacker
> cannot boot your system with an old image that has been compromised.
>
> Also a few more tests are needed to check that image corruption has the
> desired effect, some proofreading is required, another review of error
> checking, etc.
>
> This series relies on two previous series: sandbox filesystem and sandbox
> memory. Without these, it is (at best) not possible to run the verified
> boot test on sandbox.
>
> This series and its dependencies are available at:
>
> http://git.denx.de/u-boot-x86.git
>
> in the branch 'vboot'.
>
> Comments welcome.
I know a few people are trying this out. Are there any comments at this stage?
Che-Liang Chiou has posted a patch for the TPM command that is
referenced above. It includes rollback support.
http://patchwork.ozlabs.org/patch/224163/
I intend to respin this soon to tidy up a few issues.
>
>
> Simon Glass (44):
> sandbox: config: Enable CONFIG_FIT and CONFIG_CMD_FIT
> bootstage: Don't build for HOSTCC
> mkimage: Move ARRAY_SIZE to header file
> libfdt: Add fdt_next_subnode() to permit easy subnode iteration
> image: Move timestamp #ifdefs to header file
> image: Export fit_check_ramdisk()
> image: Split FIT code into new image-fit.c
> image: Move HOSTCC image code to tools/
> image: Split hash node processing into its own function
> image: Convert fit_image_hash_set_value() to static, and rename
> image: Rename fit_image_check_hashes() to fit_image_verify()
> image: Move hash checking into its own functions
> image: Move error! string to common place
> image: Export fit_conf_get_prop_node()
> image: Rename fit_add_hashes() to fit_add_verification_data()
> image: Rename hash printing to fit_image_print_verification_data()
> sandbox: Add CONFIG_OF_HOSTFILE to read FDT from host file
> fdt: Add a parameter to fdt_valid()
> Add getenv_hex() to return an environment variable as hex
> fdt: Allow fdt command to check and update control FDT
> sandbox: fdt: Support fdt command for sandbox
> env: Fix minor comment typos in cmd_nvedit
> fdt: Skip checking FDT if the pointer is NULL
> Revert "fdt- Tell the FDT library where the device tree is"
> Add stdarg to vsprintf.h
> Add minor updates to README.fdt-control
> hash: Add a way to calculate a hash for any algorithm
> sandbox: config: Enable FIT signatures with RSA
> sandbox: Provide a way to map from host RAM to U-Boot RAM
> sandbox: image: Add support for booting images in sandbox
> image: Add signing infrastructure
> image: Support signing of images
> image: Verify signatures in FIT images
> image: Add RSA support for image signing
> mkimage: Put FIT loading in function and tidy error handling
> mkimage: Add -k option to specify key directory
> mkimage: Add -K to write public keys to an FDT blob
> mkimage: Add -F option to modify an existing .fit file
> mkimage: Add -c option to specify a comment for key signing
> mkimage: Add -r option to specify keys that must be verified
> libfdt: Add fdt_find_regions()
> image: Add support for signing of FIT configurations
> Add verified boot information and test
> WIP: sandbox: config: Add test config for verified boot
>
> Makefile | 1 +
> README | 15 +
> arch/sandbox/cpu/cpu.c | 5 +
> arch/sandbox/cpu/start.c | 7 +
> arch/sandbox/include/asm/io.h | 2 +
> arch/sandbox/include/asm/state.h | 1 +
> arch/sandbox/lib/board.c | 42 +-
> common/Makefile | 2 +
> common/cmd_bootm.c | 37 +-
> common/cmd_fdt.c | 83 ++-
> common/cmd_fpga.c | 2 +-
> common/cmd_nvedit.c | 19 +-
> common/cmd_source.c | 2 +-
> common/cmd_ximg.c | 2 +-
> common/hash.c | 22 +
> common/image-fit.c | 1544 +++++++++++++++++++++++++++++++++++
> common/image-sig.c | 407 +++++++++
> common/image.c | 1677 +-------------------------------------
> common/main.c | 8 -
> common/update.c | 2 +-
> config.mk | 1 +
> doc/README.fdt-control | 13 +-
> doc/mkimage.1 | 73 ++-
> doc/uImage.FIT/sign-configs.its | 45 +
> doc/uImage.FIT/sign-images.its | 42 +
> doc/uImage.FIT/signature.txt | 376 +++++++++
> doc/uImage.FIT/verified-boot.txt | 104 +++
> include/bootstage.h | 5 +-
> include/common.h | 18 +
> include/configs/sandbox.h | 20 +-
> include/hash.h | 15 +
> include/image.h | 213 +++++-
> include/libfdt.h | 81 ++
> include/rsa.h | 108 +++
> include/vsprintf.h | 2 +
> lib/fdtdec.c | 3 +-
> lib/libfdt/fdt.c | 12 +
> lib/libfdt/fdt_wip.c | 129 +++
> lib/rsa/Makefile | 46 +
> lib/rsa/rsa-sign.c | 454 +++++++++++
> lib/rsa/rsa-verify.c | 374 +++++++++
> test/vboot/.gitignore | 3 +
> test/vboot/sandbox-kernel.dts | 7 +
> test/vboot/sandbox-u-boot.dts | 7 +
> test/vboot/sign-configs.its | 45 +
> test/vboot/sign-images.its | 42 +
> test/vboot/vboot_test.sh | 122 +++
> tools/Makefile | 21 +-
> tools/aisimage.c | 1 -
> tools/fit_image.c | 134 ++-
> tools/image-host.c | 727 +++++++++++++++++
> tools/mkimage.c | 27 +-
> tools/mkimage.h | 6 +
> 53 files changed, 5386 insertions(+), 1770 deletions(-)
> create mode 100644 common/image-fit.c
> create mode 100644 common/image-sig.c
> create mode 100644 doc/uImage.FIT/sign-configs.its
> create mode 100644 doc/uImage.FIT/sign-images.its
> create mode 100644 doc/uImage.FIT/signature.txt
> create mode 100644 doc/uImage.FIT/verified-boot.txt
> create mode 100644 include/rsa.h
> create mode 100644 lib/rsa/Makefile
> create mode 100644 lib/rsa/rsa-sign.c
> create mode 100644 lib/rsa/rsa-verify.c
> create mode 100644 test/vboot/.gitignore
> create mode 100644 test/vboot/sandbox-kernel.dts
> create mode 100644 test/vboot/sandbox-u-boot.dts
> create mode 100644 test/vboot/sign-configs.its
> create mode 100644 test/vboot/sign-images.its
> create mode 100755 test/vboot/vboot_test.sh
> create mode 100644 tools/image-host.c
>
> --
> 1.7.7.3
>
Regards,
Simon
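As an added illustration (not code from this series or from U-Boot), here is a Python model of the flow the cover letter describes: mkimage signs a FIT configuration with an RSA private key, the matching public key lives in U-Boot's control FDT, and at load time U-Boot accepts the configuration only if every key marked as required (the -r option) has produced a valid signature over the configuration and the hashes of the images it references. The toy RSA key, the dict layout and the node names are constructed stand-ins for the real FIT and FDT structures.

```python
import hashlib
# Constructed toy RSA key (textbook RSA, tiny primes, NOT secure), standing in
# for the key pair mkimage would use; only (e, n) go into the control FDT.
P, Q = 1000000007, 998244353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)

def digest_int(data: bytes) -> int:
    # SHA-1 of the covered bytes, reduced mod n so the toy key can sign it.
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % N

def covered_bytes(fit: dict, conf_name: str) -> bytes:
    # The signature covers the config's own properties plus the SHA-1 of each
    # image it references, so a signed config cannot point at a swapped image.
    conf = fit["configurations"][conf_name]
    parts = [conf_name.encode()]
    for role in ("kernel", "fdt"):
        data = fit["images"][conf[role]]["data"]
        parts.append(role.encode() + b"=" + hashlib.sha1(data).digest())
    return b"\0".join(parts)

def sign_config(fit: dict, conf_name: str, key_name: str) -> None:
    # mkimage side (holds the private key): attach a signature to the config.
    sig = pow(digest_int(covered_bytes(fit, conf_name)), D, N)
    fit["configurations"][conf_name].setdefault("signatures", []).append(
        {"key-name-hint": key_name, "value": sig})

def fit_config_verify(fit: dict, conf_name: str, control_fdt: dict) -> bool:
    # U-Boot side: every public key the control FDT marks as required must
    # have a matching, valid signature on this configuration.
    sigs = fit["configurations"][conf_name].get("signatures", [])
    expect = digest_int(covered_bytes(fit, conf_name))
    for key_name, key in control_fdt["signature"].items():
        if key.get("required") and not any(
                s["key-name-hint"] == key_name and
                pow(s["value"], key["e"], key["n"]) == expect for s in sigs):
            return False
    return True

def demo() -> tuple:
    # Constructed sample FIT and control FDT; node names are illustrative.
    fit = {"images": {"kernel@1": {"data": b"vmlinux-bytes"},
                      "fdt@1": {"data": b"board-dtb-bytes"}},
           "configurations": {"conf@1": {"kernel": "kernel@1", "fdt": "fdt@1"}}}
    control_fdt = {"signature": {"dev": {"e": E, "n": N, "required": True}}}
    unsigned = fit_config_verify(fit, "conf@1", control_fdt)   # no signature yet
    sign_config(fit, "conf@1", "dev")
    good = fit_config_verify(fit, "conf@1", control_fdt)
    fit["images"]["kernel@1"]["data"] = b"tampered-kernel"     # post-signing edit
    return unsigned, good, fit_config_verify(fit, "conf@1", control_fdt)
```

The three results show the three outcomes the series' tests are meant to cover: a configuration with no signature is rejected because the key is required, a freshly signed one is accepted, and any change to a referenced image after signing is rejected.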