[U-Boot] verified boot of beaglebone black

Simon Glass sjg at chromium.org
Thu Nov 13 17:24:14 CET 2014


Hi,

On 11 November 2014 21:29, Srinivasan S <srinivasan.s at tataelxsi.co.in> wrote:
> Hi ,
>
> ________________________________________
> From: sjg at google.com <sjg at google.com> on behalf of Simon Glass <sjg at chromium.org>
> Sent: Monday, November 10, 2014 9:23 PM
> To: Srinivasan S
> Cc: Jagan Teki; U-Boot Mailing List
> Subject: Re: [U-Boot] verified boot of beaglebone black
>
> Hi,
>
> On 9 November 2014 17:13, Srinivasan S <srinivasan.s at tataelxsi.co.in> wrote:
>> Hi Simon,
>>
>> Hi Simon,
>>
>> As you suggested earlier, I am using u-boot-2014.07 and ~/ti-sdk-am335x-evm-07.00.00.00/bin/create-sdcard.sh for creating the partitions.
>> After creating the partitions I tried implementing step 7 (Put U-Boot and the kernel onto the board) and step 8 (Try it) with the following steps.
>> When I tried to boot I got the error below, and I am not able to get the U-Boot prompt.
>>
>> U-Boot SPL 2013.10-g78d8ebd (Mar 30 2014 - 20:46:34)
>> reading args
>> spl: error reading image args, err - -1
>> reading u-boot.img
>> reading u-boot.img
>> No valid FDT found - please append one to U-Boot binary, use u-boot-dtb.bin or define CONFIG_OF_EMBED. For sandbox, use -d <file.dtb>
>> initcall sequence 808511ec failed at call 80833f84
>> ### ERROR ### Please RESET the board ###
>
> I think you may have missed something here. The instructions should
> tell you to use u-boot-dtb.img which has a device tree attached.
>
> Also please can you read about 'top posting' - you should avoid doing
> this on the U-Boot mailing list. Put your response after any part of
> the message that you are responding to.
>
>>
>> Steps followed by me
>> 1.
>> As the tmp directory was unavailable while mounting /dev/sdc1, I created the tmp directory and executed the commands below
>> sudo mount /dev/sdc1 /mnt/tmp
>> sudo cp ~/ti-sdk-am335x-evm-07.00.00.00/board-support/u-boot-2014.07/b/am335x_boneblack_vboot/u-boot.img /mnt/tmp/u-boot.img
>> sleep 1
>> sudo umount /dev/sdc1
>>
>> sudo mount /dev/sdc2 /mnt/tmp
>> sudo cp ~/ti-sdk-am335x-evm-07.00.00.00/board-support/linux-3.12.10-ti2013.12.01/work/image.fit /mnt/tmp/boot/image.fit
>> sleep 1
>> sudo umount /dev/sdc2
>>
>> 2.
>>
>> I have even tried copying MLO & u-boot.img as below, but I still get the same error and am unable to get the U-Boot prompt
>>
>> sudo cp ~/ti-sdk-am335x-evm-07.00.00.00/board-support/u-boot-2014.07/b/am335x_boneblack_vboot/MLO /media/boot/
>> sudo cp ~/ti-sdk-am335x-evm-07.00.00.00/board-support/u-boot-2014.07/b/am335x_boneblack_vboot/u-boot.img /media/boot/
>>
>> appusony at appusony-laptop:~/ti-sdk-am335x-evm-07.00.00.00/board-support/linux-3.12.10-ti2013.12.01/work$ ls
>> am335x-boneblack.dtb  am335x-boneblack-pubkey.dtb  Image  image.fit  Image.lzo  keys  sign.its  u-boot-dtb.img
>> appusony at appusony-laptop:~/ti-sdk-am335x-evm-07.00.00.00/board-support/linux-3.12.10-ti2013.12.01/work$ sudo image.fit /media/rootfs/boot/
>>
>> Please do the needful in resolving the above issue, as these are the last steps
>>
>> Many Thanks in Advance again,
>
> Regards,
> Simon
>
>
> Thanks a lot for your quick responses. I finally resolved this problem and was able to boot U-Boot 2014 with my Linux kernel. The issue was I had defined the flag in CONFIG_EMBEDD in U-Boot 2014, and this issue got resolved.
>
> And sorry I didn't understand the meaning of TOP posting
>
> Could you please suggest me w.r.t following points
>
> 1. I am now trying to sign my rootfs from the kernel as well. Some time ago you suggested dm_verity; could you please let me know which mainline Linux kernel version supports it, so that I can backport it to my kernel and get the rootfs signed from my kernel as well? Please also let me know whether any rootfs changes are required for this signing from kernel to rootfs, or whether there is any way to add hashes in sign.its for the rootfs so that it gets verified. If this is possible, could you please let me know how this can be done in sign.its (i.e., how hashes can be added for the rootfs)?

It was merged in late 2012, so any version since then should work, but
I suggest going with a recent version.

>
> 2. I am also trying to flash MLO, uboot.img, image.fit & rootfs into eMMC instead of the SD card. Could you please let me know how these can be flashed onto eMMC and how the same can be verified?

There are no special requirements here that I know of. U-Boot will
verify the kernel wherever it comes from. I can't remember if I wrote
the kernel to the boot partition (FAT format) or the /boot directory of
the root disk (ext4 format). But wherever you write it such that
U-Boot can find it will be fine.

Verity requires a block filesystem such as ext4 in a partition, and a
separate area for hashes, typically 8MB or so. You will need to
allocate some space on the eMMC to hold the hashes, and run the
tool to write them after you create your read-only ext2 filesystem.

On Chrome OS the hashes go in the same disk partition as the ext2
filesystem, and the filesystem is made a little bit smaller than the
partition to provide space for that. The script that runs is here,
although you'll need to chase down quite a bit:

https://chromium.googlesource.com/chromiumos/platform/crosutils/+/master/build_image

>
> Could you please let me know as early as possible, as only this is left from my side w.r.t. the signing activity, so that I can close this activity

I have to say I have not done verity outside the Chrome OS
environment. I believe that Redhat uses it, so there might be pointers
there too.

Regards,
Simon
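
An added example, not part of the original message and not taken from the Chrome OS build_image script: it sizes the dm-verity hash area for a filesystem and works out how much smaller than its partition the filesystem must be so the hashes fit behind it. It assumes 4096-byte data and hash blocks, SHA-256 digests and one block for the verity superblock; the `<partition>` device in the generated veritysetup command is a placeholder.

```python
# Added example: plan a dm-verity layout with the hash area in the same partition.
# Assumptions (not from the thread): 4096-byte data and hash blocks, SHA-256
# digests (32 bytes), one block reserved for the verity superblock.
BLOCK = 4096
DIGEST = 32
HASHES_PER_BLOCK = BLOCK // DIGEST  # 128 digests fit in one hash block


def verity_hash_blocks(data_blocks: int) -> int:
    """Blocks in the hash tree covering data_blocks (root hash is stored elsewhere)."""
    total, n = 0, data_blocks
    while n > 1:
        n = -(-n // HASHES_PER_BLOCK)  # ceiling division: blocks at this tree level
        total += n
    return total


def footprint(data_blocks: int) -> int:
    """Data blocks + superblock + hash tree, in blocks."""
    return data_blocks + 1 + verity_hash_blocks(data_blocks)


def plan_layout(partition_bytes: int) -> dict:
    """Largest filesystem that still leaves room for its hashes in the partition."""
    total = partition_bytes // BLOCK
    if footprint(2) > total:
        raise ValueError("partition too small for data plus verity metadata")
    lo, hi = 2, total
    while lo < hi:  # binary search: footprint() grows strictly with data_blocks
        mid = (lo + hi + 1) // 2
        if footprint(mid) <= total:
            lo = mid
        else:
            hi = mid - 1
    hash_offset = lo * BLOCK  # hash area starts right after the filesystem
    return {
        "data_blocks": lo,
        "fs_bytes": lo * BLOCK,
        "hash_offset": hash_offset,
        "hash_area_bytes": (1 + verity_hash_blocks(lo)) * BLOCK,
        # Same device given as data and hash device; <partition> is a placeholder.
        "command": f"veritysetup format --data-blocks={lo} "
                   f"--hash-offset={hash_offset} <partition> <partition>",
    }


if __name__ == "__main__":
    gib = 1 << 30
    print("hash tree for 1 GiB of data:", verity_hash_blocks(gib // BLOCK) * BLOCK, "bytes")
    for key, value in plan_layout(gib).items():
        print(f"{key}: {value}")
```

For 1 GiB of data the hash tree comes to 2065 blocks, which is where a figure of roughly 8MB comes from; the root hash printed by the format step still has to be stored somewhere the verified boot chain covers.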

