[U-Boot] verifying & signing - issue in generating private key & ceritficate containing public key

Srinivasan S srinivasan.s at tataelxsi.co.in
Wed Nov 5 04:36:43 CET 2014


Hi Simon


Sorry to push you hard again could you please help me in resolving the below issue that am facing  while generating private key & certificate containing public key  

ie., when executing Step 4: Create a key pair (http://lists.denx.de/pipermail/u-boot/2014-June/180845.html)

WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Unable to load config info from /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf


Many Thanks a lot in advance
________________________________________
From: Srinivasan S
Sent: Tuesday, November 4, 2014 3:37 PM
To: Simon Glass
Cc: srinivasan; U-Boot Mailing List
Subject: Re: verifying & signing

Hi Simon,

When I was generating the keys ie., Step 4: Create a key pair

Am facing one more error while generating private key & certificate containing public key used for verification when I execute the below openssl commands it is saying can't open  config file:

srinivasan at tata-HP-Elite-7100-Microtower-PC:~/TUNSTALL/board-support/linux-3.12.10-ti2013.12.01/work$ openssl genrsa -F4 -out keys/dev.key 2048
WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Generating RSA private key, 2048 bit long modulus
............................+++
...............................................+++
e is 65537 (0x10001)
srinivasan at tata-HP-Elite-7100-Microtower-PC:~/TUNSTALL/board-support/linux-3.12.10-ti2013.12.01/work$ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Unable to load config info from /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf

Could you pls do the needful in resolving this errors cz of which am not able to proceed further

Many Thanks in advance

________________________________________
From: sjg at google.com <sjg at google.com> on behalf of Simon Glass <sjg at chromium.org>
Sent: Tuesday, November 4, 2014 12:07 PM
To: Srinivasan S
Cc: srinivasan; U-Boot Mailing List
Subject: Re: verifying & signing

Hi,

On 3 November 2014 20:01, Srinivasan S <srinivasan.s at tataelxsi.co.in> wrote:
> Hi Simon,
>
> Good Morning!
>
> Many Thanks a lot for all your support so far,
>
> 1. With respect to the verified boot , I want to put the images onto NAND FLASH, Could you please let me know what is the procedure of flashing  the verified boot images onto NAND instead of micro-SD

One option would be to use UBI to provide a consistent block interface
and then sit verity on top of that. But there may be other options,
I'm not sure.

>
> 2.Does dm-verity works only on read-only rootfs?.. or it works on read-write rootfs?.. because as of  now we are looking out only for a bare minimal rootfs , could you please suggest me if any rootfs with minimal support where dm-verity can be applied & verified apart from android

It requires a read-only rootfs. You can enable it on a filesystem
fairly easily - you need to run a tool to generate the hashes and root
hash, then pass that to the kernel on boot. You don't need to use
Android or Chrome OS - it is available in mainline Linux. I'm not sure
if there is a cogent guide somewhere though.

>
>  I want to implement the automatic software update & recovery feature (ie., firmware update of uboot, kernel & rootfs) in ti-sdk-am335x-evm-07.00.00.00 BSP's , if in case if it bricks to unbrick by itself,
>  Could you please help me with suitable pointers & source code links for implementing this feature

This is one way.

http://www.chromium.org/chromium-os/u-boot-porting-guide/2-concepts

So ensure there can be no bricking you probably need to have a U-Boot
that you never update. It can then check the signature of a secondary
updateable U-Boot, and jump to it if it is OK. This is what Chrome OS
does.

BTW as this is a mailing list you should normally put the replies
below the text, not above.

Regards,
Simon


>
> Awaiting for your replies
> Many Thanks in advance again,
>
> Srinivasan S
>
>
> ________________________________________
> From: sjg at google.com <sjg at google.com> on behalf of Simon Glass <sjg at chromium.org>
> Sent: Monday, November 3, 2014 5:08 AM
> To: srinivasan
> Cc: U-Boot Mailing List; Srinivasan S
> Subject: Re: verifying & signing
>
> Hi,
>
> On 2 November 2014 07:06, srinivasan <srinivasan.rns at gmail.com> wrote:
>>
>>
>>
>>
>> Hi Simon,
>>
>> http://lists.denx.de/pipermail/u-boot/2014-June/180845.html
>>
>> As the above link explains the Signing of kernel & verifying with uboot,
>>
>> Could you please let me know do you have any methods of signing & verifying
>> the linux kernel with root file system ie., am using
>> ti-sdk-am335x-evm-07.00.00.00 BSP's where linux kernel is from this BSP only
>> & would be planning to use rootfs as my Angstrom filesystem or any others
>
> If you use dm-verity you can verify your root disk using a hash which
> is stored in the verified part of U-Boot. This is the method used by
> Chrome OS. This requires a read-only rootfs though. Is that
> acceptable?
>
> See this page for some info on how Android does this:
>
> https://source.android.com/devices/tech/security/dm-verity.html
>
>>
>> Could you please let me know how do we sign & verify the kernel with rootfs
>> with detailed steps as am using beaglebone black as my development board
>> with ti-sdk-am335x-evm-07.00.00.00 BSP's
>
> I don't have details steps of this part sorry. An overview is here:
>
> http://events.linuxfoundation.org/sites/events/files/slides/chromeos_and_diy_vboot_0.pdf
>
>
>>
>> Awaiting for your replies
>> Many Thanks in advance
>>
>>
>>
>
> Regards,
> Simon


More information about the U-Boot mailing list