[U-Boot] [PATCH v3 3/5] docs: Document verified-boot for sunxi a64
Jagan Teki
jagannadh.teki at gmail.com
Wed Dec 13 16:11:35 UTC 2017
On Wed, Dec 13, 2017 at 9:08 PM, Maxime Ripard
<maxime.ripard at free-electrons.com> wrote:
> Hi,
>
> On Wed, Dec 13, 2017 at 11:33:04AM +0530, Jagan Teki wrote:
>> Add verified-boot documentation for sunxi a64 platform.
>>
>> Signed-off-by: Jagan Teki <jagan at amarulasolutions.com>
>> ---
>> Changes for v3:
>> - Create separate document file
>> Changes for v2:
>> - New patch
>>
>> doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 193 insertions(+)
>> create mode 100644 doc/README.sunxi
>>
>> diff --git a/doc/README.sunxi b/doc/README.sunxi
>> new file mode 100644
>> index 0000000..ef4f735
>> --- /dev/null
>> +++ b/doc/README.sunxi
>> @@ -0,0 +1,193 @@
>> +#
>> +# Copyright (C) 2017 Amarula Solutions
>> +#
>> +# SPDX-License-Identifier: GPL-2.0+
>> +#
>> +
>> +U-Boot on SunXi
>> +==============
>> +
>> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform.
>> +
>> + 1. Verified Boot
>> +
>> +1. Verified Boot
>> +================
>> +
>> +U-Boot supports an image verification method called "Verified Boot".
>> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
>> +You will find details documents in the doc/uImage.FIT directory.
>> +
>> +Here, we take Orangepi Win board for example, but it should work for any
>> +other boards including 32 bit SoCs.
>> +
>> +1. Generate RSA key to sign
>> +
>> + $ mkdir keys
>> + $ openssl genpkey -algorithm RSA -out keys/dev.key \
>> + -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
>> + $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
>> +
>> +Two files "dev.key" and "dev.crt" will be created. The base name is arbitrary,
>> +but need to match to the "key-name-hint" property described below.
>
> I really think that the very first thing you must talk about in that
> documentation is that it will not protect the SPL itself and that this
> is not a secure setup.
Based on my experience with U-boot, verified-boot here doesn't relate
to protect SPL or U-Boot. it's generally for kernel and followed
stages. I don't think we can think here too-much. some reference
doc/README.uniphier
You're true if we protect boot stages, then it becomes secure
boot(from BROM) like HABv4 in i.MX6, but verified boot in U-Boot is
different.
thanks!
--
Jagan Teki
Free Software Engineer | www.openedev.com
U-Boot, Linux | Upstream Maintainer
Hyderabad, India.
More information about the U-Boot
mailing list