[U-Boot] verifying & signing - issue in generating private key & certificate containing public key

Simon Glass sjg at chromium.org
Wed Nov 5 06:19:23 CET 2014


Hi,

On 4 November 2014 19:36, Srinivasan S <srinivasan.s at tataelxsi.co.in> wrote:
> Hi Simon
>
>
> Sorry to push you hard again, but could you please help me in resolving the below issue that I am facing while generating the private key & certificate containing the public key?
>
> ie., when executing Step 4: Create a key pair (http://lists.denx.de/pipermail/u-boot/2014-June/180845.html)
>
> WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
> Unable to load config info from /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf

Please don't top post.

I don't know what xxxxyyyy is or why it appears. Did you 'mkdir keys'?

Regards,
Simon

>
>
> Many Thanks a lot in advance
> ________________________________________
> From: Srinivasan S
> Sent: Tuesday, November 4, 2014 3:37 PM
> To: Simon Glass
> Cc: srinivasan; U-Boot Mailing List
> Subject: Re: verifying & signing
>
> Hi Simon,
>
> When I was generating the keys ie., Step 4: Create a key pair
>
> I am facing one more error while generating the private key & certificate containing the public key used for verification; when I execute the below openssl commands it says it can't open the config file:
>
> srinivasan at tata-HP-Elite-7100-Microtower-PC:~/TUNSTALL/board-support/linux-3.12.10-ti2013.12.01/work$ openssl genrsa -F4 -out keys/dev.key 2048
> WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
> Generating RSA private key, 2048 bit long modulus
> ............................+++
> ...............................................+++
> e is 65537 (0x10001)
> srinivasan at tata-HP-Elite-7100-Microtower-PC:~/TUNSTALL/board-support/linux-3.12.10-ti2013.12.01/work$ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
> WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
> Unable to load config info from /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
>
> Could you please do the needful in resolving these errors, because of which I am not able to proceed further.
>
> Many Thanks in advance
>
> ________________________________________
> From: sjg at google.com <sjg at google.com> on behalf of Simon Glass <sjg at chromium.org>
> Sent: Tuesday, November 4, 2014 12:07 PM
> To: Srinivasan S
> Cc: srinivasan; U-Boot Mailing List
> Subject: Re: verifying & signing
>
> Hi,
>
> On 3 November 2014 20:01, Srinivasan S <srinivasan.s at tataelxsi.co.in> wrote:
>> Hi Simon,
>>
>> Good Morning!
>>
>> Many Thanks a lot for all your support so far,
>>
>> 1. With respect to the verified boot, I want to put the images onto NAND FLASH. Could you please let me know the procedure for flashing the verified boot images onto NAND instead of micro-SD?
>
> One option would be to use UBI to provide a consistent block interface
> and then sit verity on top of that. But there may be other options,
> I'm not sure.
>
>>
>> 2. Does dm-verity work only on a read-only rootfs, or does it work on a read-write rootfs? Because as of now we are looking only for a bare minimal rootfs, could you please suggest any rootfs with minimal support where dm-verity can be applied & verified, apart from Android?
>
> It requires a read-only rootfs. You can enable it on a filesystem
> fairly easily - you need to run a tool to generate the hashes and root
> hash, then pass that to the kernel on boot. You don't need to use
> Android or Chrome OS - it is available in mainline Linux. I'm not sure
> if there is a cogent guide somewhere though.
>
>>
>> I want to implement the automatic software update & recovery feature (i.e., firmware update of U-Boot, kernel & rootfs) in the ti-sdk-am335x-evm-07.00.00.00 BSP, so that if it bricks it can unbrick by itself.
>> Could you please help me with suitable pointers & source code links for implementing this feature?
>
> This is one way.
>
> http://www.chromium.org/chromium-os/u-boot-porting-guide/2-concepts
>
> So to ensure there can be no bricking you probably need to have a U-Boot
> that you never update. It can then check the signature of a secondary
> updateable U-Boot, and jump to it if it is OK. This is what Chrome OS
> does.
>
> BTW as this is a mailing list you should normally put the replies
> below the text, not above.
>
> Regards,
> Simon
>
>
>>
>> Awaiting your replies
>> Many Thanks in advance again,
>>
>> Srinivasan S
>>
>>
>> ________________________________________
>> From: sjg at google.com <sjg at google.com> on behalf of Simon Glass <sjg at chromium.org>
>> Sent: Monday, November 3, 2014 5:08 AM
>> To: srinivasan
>> Cc: U-Boot Mailing List; Srinivasan S
>> Subject: Re: verifying & signing
>>
>> Hi,
>>
>> On 2 November 2014 07:06, srinivasan <srinivasan.rns at gmail.com> wrote:
>>>
>>>
>>>
>>>
>>> Hi Simon,
>>>
>>> http://lists.denx.de/pipermail/u-boot/2014-June/180845.html
>>>
>>> As the above link explains the Signing of kernel & verifying with uboot,
>>>
>>> Could you please let me know if you have any methods of signing & verifying
>>> the Linux kernel with the root file system, i.e., I am using the
>>> ti-sdk-am335x-evm-07.00.00.00 BSP where the Linux kernel is from this BSP only
>>> & I would be planning to use my Angstrom filesystem or any other as the rootfs
>>
>> If you use dm-verity you can verify your root disk using a hash which
>> is stored in the verified part of U-Boot. This is the method used by
>> Chrome OS. This requires a read-only rootfs though. Is that
>> acceptable?
>>
>> See this page for some info on how Android does this:
>>
>> https://source.android.com/devices/tech/security/dm-verity.html
>>
>>>
>>> Could you please let me know, with detailed steps, how we sign & verify the kernel
>>> with the rootfs, as I am using the BeagleBone Black as my development board
>>> with the ti-sdk-am335x-evm-07.00.00.00 BSP
>>
>> I don't have detailed steps for this part, sorry. An overview is here:
>>
>> http://events.linuxfoundation.org/sites/events/files/slides/chromeos_and_diy_vboot_0.pdf
>>
>>
>>>
>>> Awaiting your replies
>>> Many Thanks in advance
>>>
>>>
>>>
>>
>> Regards,
>> Simon
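Editor's note: the dm-verity scheme Simon describes above (a tool hashes the read-only rootfs into a hash tree, the root hash is stored in the verified part of the boot chain, and the kernel refuses any block whose hash does not lead back to that root) is modelled in the short Python example below. It is an added example, not code from this thread, from U-Boot, or from the dm-verity tooling; the block size, the salt and the 25,600-byte "rootfs image" are constructed values, and the real on-disk layout written by veritysetup differs. It shows only the hashing and verification logic: every block of a clean image verifies against the root hash, and a single flipped bit in one block is rejected.

```python
import hashlib

BLOCK_SIZE = 4096                      # data block size; 4 KiB is a common dm-verity choice
SALT = b"constructed-example-salt"     # constructed value; dm-verity salts every hash


def block_hash(data: bytes) -> bytes:
    """Hash of one data block (salt prepended, as dm-verity does)."""
    return hashlib.sha256(SALT + data).digest()


def split_blocks(image: bytes) -> list:
    """Cut the image into BLOCK_SIZE blocks, zero-padding the last one."""
    if not image:
        raise ValueError("empty image has no blocks to protect")
    padded = image + b"\0" * (-len(image) % BLOCK_SIZE)
    return [padded[i:i + BLOCK_SIZE] for i in range(0, len(padded), BLOCK_SIZE)]


def _pad_level(level: list) -> list:
    # an odd node count gets its last node duplicated so every node has a sibling
    return level + [level[-1]] if len(level) % 2 else level


def build_tree(image: bytes) -> list:
    """Return the hash tree as a list of levels: leaves first, the root level last."""
    level = [block_hash(b) for b in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        level = _pad_level(level)
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root_hash(image: bytes) -> bytes:
    """The one value that must live in the verified part of the boot chain."""
    return build_tree(image)[-1][0]


def auth_path(levels: list, index: int) -> list:
    """Sibling hashes needed to recompute the root from block `index`.
    Each entry is (sibling_hash, node_is_right_child)."""
    path = []
    for level in levels[:-1]:
        level = _pad_level(level)
        path.append((level[index ^ 1], bool(index & 1)))
        index //= 2
    return path


def verify_block(data: bytes, index: int, path: list, expected_root: bytes) -> bool:
    """What the kernel does on every read: hash the block, walk up the tree,
    and accept the block only if the recomputed root equals the trusted one."""
    h = block_hash(data)
    for sibling, is_right in path:
        h = hashlib.sha256(sibling + h if is_right else h + sibling).digest()
    return h == expected_root


def demo() -> tuple:
    """Constructed 25,600-byte image (7 blocks): every clean block verifies,
    a one-bit flip in block 3 is rejected. Returns (all_ok, tampered_ok)."""
    image = bytes(range(256)) * 100
    levels = build_tree(image)
    root = levels[-1][0]
    blocks = split_blocks(image)
    all_ok = all(verify_block(blocks[i], i, auth_path(levels, i), root)
                 for i in range(len(blocks)))
    tampered = bytearray(blocks[3])
    tampered[10] ^= 0x01
    tampered_ok = verify_block(bytes(tampered), 3, auth_path(levels, 3), root)
    return all_ok, tampered_ok


if __name__ == "__main__":
    ok, bad = demo()
    print("root hash:", root_hash(bytes(range(256)) * 100).hex())
    print("clean image verifies:", ok, "| tampered block verifies:", bad)
```

The point the example makes for the setup discussed in this thread: the rootfs itself carries no signature, only the root hash does, so the root hash has to be covered by whatever U-Boot already verifies (for instance the kernel command line inside a signed FIT image). If an attacker can change the root hash together with the rootfs, the hash tree proves nothing.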

