[U-Boot] verifying & signing
Simon Glass
sjg at chromium.org
Tue Nov 4 07:37:00 CET 2014
Hi,
On 3 November 2014 20:01, Srinivasan S <srinivasan.s at tataelxsi.co.in> wrote:
> Hi Simon,
>
> Good Morning!
>
> Many Thanks a lot for all your support so far,
>
> 1. With respect to the verified boot , I want to put the images onto NAND FLASH, Could you please let me know what is the procedure of flashing the verified boot images onto NAND instead of micro-SD
One option would be to use UBI to provide a consistent block interface
and then sit verity on top of that. But there may be other options,
I'm not sure.
>
> 2.Does dm-verity works only on read-only rootfs?.. or it works on read-write rootfs?.. because as of now we are looking out only for a bare minimal rootfs , could you please suggest me if any rootfs with minimal support where dm-verity can be applied & verified apart from android
It requires a read-only rootfs. You can enable it on a filesystem
fairly easily - you need to run a tool to generate the hashes and root
hash, then pass that to the kernel on boot. You don't need to use
Android or Chrome OS - it is available in mainline Linux. I'm not sure
if there is a cogent guide somewhere though.
>
> I want to implement the automatic software update & recovery feature (ie., firmware update of uboot, kernel & rootfs) in ti-sdk-am335x-evm-07.00.00.00 BSP's , if in case if it bricks to unbrick by itself,
> Could you please help me with suitable pointers & source code links for implementing this feature
This is one way.
http://www.chromium.org/chromium-os/u-boot-porting-guide/2-concepts
So ensure there can be no bricking you probably need to have a U-Boot
that you never update. It can then check the signature of a secondary
updateable U-Boot, and jump to it if it is OK. This is what Chrome OS
does.
BTW as this is a mailing list you should normally put the replies
below the text, not above.
Regards,
Simon
>
> Awaiting for your replies
> Many Thanks in advance again,
>
> Srinivasan S
>
>
> ________________________________________
> From: sjg at google.com <sjg at google.com> on behalf of Simon Glass <sjg at chromium.org>
> Sent: Monday, November 3, 2014 5:08 AM
> To: srinivasan
> Cc: U-Boot Mailing List; Srinivasan S
> Subject: Re: verifying & signing
>
> Hi,
>
> On 2 November 2014 07:06, srinivasan <srinivasan.rns at gmail.com> wrote:
>>
>>
>>
>>
>> Hi Simon,
>>
>> http://lists.denx.de/pipermail/u-boot/2014-June/180845.html
>>
>> As the above link explains the Signing of kernel & verifying with uboot,
>>
>> Could you please let me know do you have any methods of signing & verifying
>> the linux kernel with root file system ie., am using
>> ti-sdk-am335x-evm-07.00.00.00 BSP's where linux kernel is from this BSP only
>> & would be planning to use rootfs as my Angstrom filesystem or any others
>
> If you use dm-verity you can verify your root disk using a hash which
> is stored in the verified part of U-Boot. This is the method used by
> Chrome OS. This requires a read-only rootfs though. Is that
> acceptable?
>
> See this page for some info on how Android does this:
>
> https://source.android.com/devices/tech/security/dm-verity.html
>
>>
>> Could you please let me know how do we sign & verify the kernel with rootfs
>> with detailed steps as am using beaglebone black as my development board
>> with ti-sdk-am335x-evm-07.00.00.00 BSP's
>
> I don't have details steps of this part sorry. An overview is here:
>
> http://events.linuxfoundation.org/sites/events/files/slides/chromeos_and_diy_vboot_0.pdf
>
>
>>
>> Awaiting for your replies
>> Many Thanks in advance
>>
>>
>>
>
> Regards,
> Simon
More information about the U-Boot
mailing list