[U-Boot] [PATCH v3 3/5] docs: Document verified-boot for sunxi a64
Andre Przywara
andre.przywara at arm.com
Wed Dec 13 16:25:12 UTC 2017
Hi,
On 13/12/17 16:16, Jagan Teki wrote:
> On Wed, Dec 13, 2017 at 9:29 PM, Quentin Schulz
> <quentin.schulz at free-electrons.com> wrote:
>> Hi Jagan,
>>
>> On 13/12/2017 07:03, Jagan Teki wrote:
>>> Add verified-boot documentation for sunxi a64 platform.
>>>
>>> Signed-off-by: Jagan Teki <jagan at amarulasolutions.com>
>>> ---
>>> Changes for v3:
>>> - Create separate document file
>>> Changes for v2:
>>> - New patch
>>>
>>> doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>> 1 file changed, 193 insertions(+)
>>> create mode 100644 doc/README.sunxi
>>>
>>> diff --git a/doc/README.sunxi b/doc/README.sunxi
>>> new file mode 100644
>>> index 0000000..ef4f735
>>> --- /dev/null
>>> +++ b/doc/README.sunxi
>>> @@ -0,0 +1,193 @@
>>> +#
>>> +# Copyright (C) 2017 Amarula Solutions
>>> +#
>>> +# SPDX-License-Identifier: GPL-2.0+
>>> +#
>>> +
>>> +U-Boot on SunXi
>>> +==============
>>> +
>>> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform.
>>> +
>>> + 1. Verified Boot
>>> +
>>> +1. Verified Boot
>>> +================
>>> +
>>> +U-Boot supports an image verification method called "Verified Boot".
>>> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
>>> +You will find details documents in the doc/uImage.FIT directory.
>>> +
>>> +Here, we take Orangepi Win board for example, but it should work for any
>>> +other boards including 32 bit SoCs.
>>> +
>>> +1. Generate RSA key to sign
>>> +
>>> + $ mkdir keys
>>> + $ openssl genpkey -algorithm RSA -out keys/dev.key \
>>> + -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
>>> + $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
>>> +
>>> +Two files "dev.key" and "dev.crt" will be created. The base name is arbitrary,
>>> +but need to match to the "key-name-hint" property described below.
>>> +
>>> +2. FIT Input
>>> +
>>> +---------------------------------------->8----------------------------------------
>>> +/dts-v1/;
>>> +/ {
>>> + description = "FIT image with single Linux kernel, FDT blob";
>>> + #address-cells = <1>;
>>> +
>>> + images {
>>> + kernel at 0 {
>>> + description = "ARM64 Linux kernel";
>>> + data = /incbin/("/path/to/linux/dir/arch/arm64/boot/Image.gz");
>>> + type = "kernel";
>>> + arch = "arm64";
>>> + os = "linux";
>>> + compression = "gzip";
>>> + load = <0x50080000>;
>>> + entry = <0x50080000>;
>>> + hash at 1 {
>>> + algo = "sha256";
>>> + };
>>> + };
>>> +
>>> + fdt at 0 {
>>> + description = "Orangepi Win/Win+ Devicetree blob";
>>> + data = /incbin/("/path/to/linux/dir/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dtb");
>>> + type = "flat_dt";
>>> + arch = "arm64";
>>> + compression = "none";
>>> + hash at 1 {
>>> + algo = "sha256";
>>> + };
>>> + };
>>> + };
>>> +
>>> + configurations {
>>> + default = "conf at 0";
>>> +
>>> + conf at 0 {
>>> + description = "Boot Linux kernel, FDT blob";
>>> + kernel = "kernel at 0";
>>> + fdt = "fdt at 0";
>>> + signature at 0 {
>>> + algo = "sha256,rsa2048";
>>> + key-name-hint = "dev";
>>> + sign-images = "kernel", "fdt";
>>> + };
>>> + };
>>> + };
>>> +};
>>> +---------------------------------------->8----------------------------------------
>>> +
>>> +You need to change the two '/incbin/' lines, depending on the location of
>>> +your kernel image and devicetree blob. The "load" and "entry" properties also
>>> +need to be adjusted if you want to change the physical placement of the kernel.
>>> +
>>> +The "key-name-hint" must specify the key name you have created in the step 1.
>>> +
>>> +The FIT file name is arbitrary. Let's say you saved it into "fit.its".
>>> +
>>> +3. Compile U-Boot with FIT and signature enabled
>>> +
>>> +To use the Verified Boot, you need to enable the following two options:
>>> + CONFIG_FIT
>>> + CONFIG_FIT_SIGNATURE
>>> +
>>> + $ make orangepi_win_defconfig
>>> + $ make CROSS_COMPILE=aarch64-linux-gnu-
>>> +
>>> +4. FIT Output
>>> +
>>> +After building U-Boot, you will see tools/mkimage. With this tool, you can
>>> +create an image tree blob as follows:
>>> +
>>> + $ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage
>>> +
>>> +The -k option must specify the key directory you have created in step 1.
>>> +
>>> +A file "fitImage" will be created. This includes kernel, DTB,
>>> +hash data for each of the three, and signature data.
>>> +
>>> +The public key needed for the run-time verification is stored in "dts/dt.dtb".
>>> +
>>> +5. Compile Verified U-Boot
>>> +
>>> +Since the "dt.dtb" has been updated in step 4, you need to re-compile the
>>> +U-Boot.
>>> +
>>> + $ make CROSS_COMPILE=aarch64-linux-gnu-
>>> +
>>> +The re-compiled "u-boot.bin" is appended with DTB that contains the public key.
>>> +
>>> +6. Flash the image
>>> +
>>> +Flash the "fitImage" to a storage device (SD, NAND, eMMC, or whatever) on your
>>> +board.
>>> +
>>> +7. Boot verified kernel
>>> +
>>> +Load the fitImage to memory and run the following from the U-Boot command line.
>>> +
>>> + > bootm <addr>
>>> +
>>> +Here, <addr> is the base address of the fitImage.
>>> +
>>> +If it is successful, you will see messages like follows:
>>> +
>>> +---------------------------------------->8----------------------------------------
>>> +=> setenv bootargs console=ttyS0,115200 earlyprintk root=/dev/mmcblk0p1 rootwait
>>> +=> ext4load mmc 0:1 $kernel_addr_r /boot/fitImage
>>> +16321738 bytes read in 1049 ms (14.8 MiB/s)
>>> +=> bootm $kernel_addr_r
>>> +## Loading kernel from FIT Image at 40080000 ...
>>> + Using 'conf at 0' configuration
>>> + Verifying Hash Integrity ... OK
>>> + Trying 'kernel at 0' kernel subimage
>>> + Description: ARM64 Linux kernel
>>> + Type: Kernel Image
>>> + Compression: gzip compressed
>>> + Data Start: 0x400800e4
>>> + Data Size: 6884659 Bytes = 6.6 MiB
>>> + Architecture: AArch64
>>> + OS: Linux
>>> + Load Address: 0x50080000
>>> + Entry Point: 0x50080000
>>> + Hash algo: sha256
>>> + Hash value: 6808fe51ea3c15f31c4510d2701d4707b56d20213c9da05bce79fb53bf108f1a
>>> + Verifying Hash Integrity ... sha256+ OK
>>> +## Loading fdt from FIT Image at 40080000 ...
>>> + Using 'conf at 0' configuration
>>> + Trying 'fdt at 0' fdt subimage
>>> + Description: Orangepi Win/Win+ Devicetree blob
>>> + Type: Flat Device Tree
>>> + Compression: uncompressed
>>> + Data Start: 0x40710f24
>>> + Data Size: 9032 Bytes = 8.8 KiB
>>> + Architecture: AArch64
>>> + Hash algo: sha256
>>> + Hash value: ca3d874cd10466633ff133cc0156828d48c8efb96987fa45f885761d22a25dc1
>>> + Verifying Hash Integrity ... sha256+ OK
>>> + Booting using the fdt blob at 0x40710f24
>>> + Uncompressing Kernel Image ... OK
>>> + Loading Device Tree to 0000000049ffa000, end 0000000049fff347 ... OK
>>> +
>>> +Starting kernel ...
>>> +---------------------------------------->8----------------------------------------
>>> +
>>> +Please pay attention to the lines that start with "Verifying Hash Integrity".
>>> +
>>> +"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature check
>>> +passed.
>>> +
>>> +"Verifying Hash Integrity ... sha256+ OK" (2 times) means the hash check passed
>>> +for kernel and DTB.
>>> +
>>> +If they are not displayed, the Verified Boot is not working.
>>> +
>>> +--
>>> +Jagan Teki <jagan at amarulasolutions.com>
>>> +13 Dec 2017
>>>
>>
>> What's specific to sunxi boards in this README?
>
> it not board specific, it's generic sunxi platform README.
I guess Quentin's point was that those instructions are generic to every
U-Boot platform. There is nothing sunxi specific in there.
docs/uImage.FIT is definitely the place for this doc to go.
>> We already have an extensive documentation in doc/uImage.FIT/. Could a
>> few parts of your README make it to this documentation instead if it
>> isn't already there?
>
> Since we've plenty of sunxi boards, showing readme with specific
> feature in single board with all details does make more sense rather
> than pointing out existing docs. It would be very beneficial for new
> user to try with detailed info.
I don't really get what you are after.
Please check doc/uImage.FIT/verified-boot.txt and see if you can extend
this file. As you pointed out yourself this is verified boot, a U-Boot
feature, which is totally architecture, platform and board agnostic.
Cheers,
Andre
More information about the U-Boot
mailing list