[U-Boot] [PATCH v3 3/5] docs: Document verified-boot for sunxi a64
Tom Rini
trini at konsulko.com
Thu Dec 14 01:28:10 UTC 2017
On Wed, Dec 13, 2017 at 04:47:29PM +0000, Andre Przywara wrote:
> Hi,
>
> On 13/12/17 16:35, Jagan Teki wrote:
> > On Wed, Dec 13, 2017 at 9:55 PM, Andre Przywara <andre.przywara at arm.com> wrote:
> >> Hi,
> >>
> >> On 13/12/17 16:16, Jagan Teki wrote:
> >>> On Wed, Dec 13, 2017 at 9:29 PM, Quentin Schulz
> >>> <quentin.schulz at free-electrons.com> wrote:
> >>>> Hi Jagan,
> >>>>
> >>>> On 13/12/2017 07:03, Jagan Teki wrote:
> >>>>> Add verified-boot documentation for sunxi a64 platform.
> >>>>>
> >>>>> Signed-off-by: Jagan Teki <jagan at amarulasolutions.com>
> >>>>> ---
> >>>>> Changes for v3:
> >>>>> - Create separate document file
> >>>>> Changes for v2:
> >>>>> - New patch
> >>>>>
> >>>>> doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >>>>> 1 file changed, 193 insertions(+)
> >>>>> create mode 100644 doc/README.sunxi
> >>>>>
> >>>>> diff --git a/doc/README.sunxi b/doc/README.sunxi
> >>>>> new file mode 100644
> >>>>> index 0000000..ef4f735
> >>>>> --- /dev/null
> >>>>> +++ b/doc/README.sunxi
> >>>>> @@ -0,0 +1,193 @@
> >>>>> +#
> >>>>> +# Copyright (C) 2017 Amarula Solutions
> >>>>> +#
> >>>>> +# SPDX-License-Identifier: GPL-2.0+
> >>>>> +#
> >>>>> +
> >>>>> +U-Boot on SunXi
> >>>>> +==============
> >>>>> +
> >>>>> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform.
> >>>>> +
> >>>>> + 1. Verified Boot
> >>>>> +
> >>>>> +1. Verified Boot
> >>>>> +================
> >>>>> +
> >>>>> +U-Boot supports an image verification method called "Verified Boot".
> >>>>> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
> >>>>> +You will find details documents in the doc/uImage.FIT directory.
> >>>>> +
> >>>>> +Here, we take Orangepi Win board for example, but it should work for any
> >>>>> +other boards including 32 bit SoCs.
> >>>>> +
> >>>>> +1. Generate RSA key to sign
> >>>>> +
> >>>>> + $ mkdir keys
> >>>>> + $ openssl genpkey -algorithm RSA -out keys/dev.key \
> >>>>> + -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
> >>>>> + $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
> >>>>> +
> >>>>> +Two files "dev.key" and "dev.crt" will be created. The base name is arbitrary,
> >>>>> +but need to match to the "key-name-hint" property described below.
> >>>>> +
> >>>>> +2. FIT Input
> >>>>> +
> >>>>> +---------------------------------------->8----------------------------------------
> >>>>> +/dts-v1/;
> >>>>> +/ {
> >>>>> + description = "FIT image with single Linux kernel, FDT blob";
> >>>>> + #address-cells = <1>;
> >>>>> +
> >>>>> + images {
> >>>>> + kernel at 0 {
> >>>>> + description = "ARM64 Linux kernel";
> >>>>> + data = /incbin/("/path/to/linux/dir/arch/arm64/boot/Image.gz");
> >>>>> + type = "kernel";
> >>>>> + arch = "arm64";
> >>>>> + os = "linux";
> >>>>> + compression = "gzip";
> >>>>> + load = <0x50080000>;
> >>>>> + entry = <0x50080000>;
> >>>>> + hash at 1 {
> >>>>> + algo = "sha256";
> >>>>> + };
> >>>>> + };
> >>>>> +
> >>>>> + fdt at 0 {
> >>>>> + description = "Orangepi Win/Win+ Devicetree blob";
> >>>>> + data = /incbin/("/path/to/linux/dir/arch/arm64/boot/dts/allwinner/sun50i-a64-orangepi-win.dtb");
> >>>>> + type = "flat_dt";
> >>>>> + arch = "arm64";
> >>>>> + compression = "none";
> >>>>> + hash at 1 {
> >>>>> + algo = "sha256";
> >>>>> + };
> >>>>> + };
> >>>>> + };
> >>>>> +
> >>>>> + configurations {
> >>>>> + default = "conf at 0";
> >>>>> +
> >>>>> + conf at 0 {
> >>>>> + description = "Boot Linux kernel, FDT blob";
> >>>>> + kernel = "kernel at 0";
> >>>>> + fdt = "fdt at 0";
> >>>>> + signature at 0 {
> >>>>> + algo = "sha256,rsa2048";
> >>>>> + key-name-hint = "dev";
> >>>>> + sign-images = "kernel", "fdt";
> >>>>> + };
> >>>>> + };
> >>>>> + };
> >>>>> +};
> >>>>> +---------------------------------------->8----------------------------------------
> >>>>> +
> >>>>> +You need to change the two '/incbin/' lines, depending on the location of
> >>>>> +your kernel image and devicetree blob. The "load" and "entry" properties also
> >>>>> +need to be adjusted if you want to change the physical placement of the kernel.
> >>>>> +
> >>>>> +The "key-name-hint" must specify the key name you have created in the step 1.
> >>>>> +
> >>>>> +The FIT file name is arbitrary. Let's say you saved it into "fit.its".
> >>>>> +
> >>>>> +3. Compile U-Boot with FIT and signature enabled
> >>>>> +
> >>>>> +To use the Verified Boot, you need to enable the following two options:
> >>>>> + CONFIG_FIT
> >>>>> + CONFIG_FIT_SIGNATURE
> >>>>> +
> >>>>> + $ make orangepi_win_defconfig
> >>>>> + $ make CROSS_COMPILE=aarch64-linux-gnu-
> >>>>> +
> >>>>> +4. FIT Output
> >>>>> +
> >>>>> +After building U-Boot, you will see tools/mkimage. With this tool, you can
> >>>>> +create an image tree blob as follows:
> >>>>> +
> >>>>> + $ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage
> >>>>> +
> >>>>> +The -k option must specify the key directory you have created in step 1.
> >>>>> +
> >>>>> +A file "fitImage" will be created. This includes kernel, DTB,
> >>>>> +hash data for each of the three, and signature data.
> >>>>> +
> >>>>> +The public key needed for the run-time verification is stored in "dts/dt.dtb".
> >>>>> +
> >>>>> +5. Compile Verified U-Boot
> >>>>> +
> >>>>> +Since the "dt.dtb" has been updated in step 4, you need to re-compile the
> >>>>> +U-Boot.
> >>>>> +
> >>>>> + $ make CROSS_COMPILE=aarch64-linux-gnu-
> >>>>> +
> >>>>> +The re-compiled "u-boot.bin" is appended with DTB that contains the public key.
> >>>>> +
> >>>>> +6. Flash the image
> >>>>> +
> >>>>> +Flash the "fitImage" to a storage device (SD, NAND, eMMC, or whatever) on your
> >>>>> +board.
> >>>>> +
> >>>>> +7. Boot verified kernel
> >>>>> +
> >>>>> +Load the fitImage to memory and run the following from the U-Boot command line.
> >>>>> +
> >>>>> + > bootm <addr>
> >>>>> +
> >>>>> +Here, <addr> is the base address of the fitImage.
> >>>>> +
> >>>>> +If it is successful, you will see messages like follows:
> >>>>> +
> >>>>> +---------------------------------------->8----------------------------------------
> >>>>> +=> setenv bootargs console=ttyS0,115200 earlyprintk root=/dev/mmcblk0p1 rootwait
> >>>>> +=> ext4load mmc 0:1 $kernel_addr_r /boot/fitImage
> >>>>> +16321738 bytes read in 1049 ms (14.8 MiB/s)
> >>>>> +=> bootm $kernel_addr_r
> >>>>> +## Loading kernel from FIT Image at 40080000 ...
> >>>>> + Using 'conf at 0' configuration
> >>>>> + Verifying Hash Integrity ... OK
> >>>>> + Trying 'kernel at 0' kernel subimage
> >>>>> + Description: ARM64 Linux kernel
> >>>>> + Type: Kernel Image
> >>>>> + Compression: gzip compressed
> >>>>> + Data Start: 0x400800e4
> >>>>> + Data Size: 6884659 Bytes = 6.6 MiB
> >>>>> + Architecture: AArch64
> >>>>> + OS: Linux
> >>>>> + Load Address: 0x50080000
> >>>>> + Entry Point: 0x50080000
> >>>>> + Hash algo: sha256
> >>>>> + Hash value: 6808fe51ea3c15f31c4510d2701d4707b56d20213c9da05bce79fb53bf108f1a
> >>>>> + Verifying Hash Integrity ... sha256+ OK
> >>>>> +## Loading fdt from FIT Image at 40080000 ...
> >>>>> + Using 'conf at 0' configuration
> >>>>> + Trying 'fdt at 0' fdt subimage
> >>>>> + Description: Orangepi Win/Win+ Devicetree blob
> >>>>> + Type: Flat Device Tree
> >>>>> + Compression: uncompressed
> >>>>> + Data Start: 0x40710f24
> >>>>> + Data Size: 9032 Bytes = 8.8 KiB
> >>>>> + Architecture: AArch64
> >>>>> + Hash algo: sha256
> >>>>> + Hash value: ca3d874cd10466633ff133cc0156828d48c8efb96987fa45f885761d22a25dc1
> >>>>> + Verifying Hash Integrity ... sha256+ OK
> >>>>> + Booting using the fdt blob at 0x40710f24
> >>>>> + Uncompressing Kernel Image ... OK
> >>>>> + Loading Device Tree to 0000000049ffa000, end 0000000049fff347 ... OK
> >>>>> +
> >>>>> +Starting kernel ...
> >>>>> +---------------------------------------->8----------------------------------------
> >>>>> +
> >>>>> +Please pay attention to the lines that start with "Verifying Hash Integrity".
> >>>>> +
> >>>>> +"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature check
> >>>>> +passed.
> >>>>> +
> >>>>> +"Verifying Hash Integrity ... sha256+ OK" (2 times) means the hash check passed
> >>>>> +for kernel and DTB.
> >>>>> +
> >>>>> +If they are not displayed, the Verified Boot is not working.
> >>>>> +
> >>>>> +--
> >>>>> +Jagan Teki <jagan at amarulasolutions.com>
> >>>>> +13 Dec 2017
> >>>>>
> >>>>
> >>>> What's specific to sunxi boards in this README?
> >>>
> >>> it not board specific, it's generic sunxi platform README.
> >>
> >> I guess Quentin's point was that those instructions are generic to every
> >> U-Boot platform. There is nothing sunxi specific in there.
> >> docs/uImage.FIT is definitely the place for this doc to go.
> >
> > Yeah, I understand instructions are generic for all platforms but what
> > I'm trying to show how these generic things are applying or verified
> > on sunxi like what other platforms does. (like README.unipher)
> > wouldn't be beneficial to show these details on sunxi?
>
> A single line like: "Verified boot like described in
> doc/uImage.FIT/verified works on sunxi boards." would be sufficient for
> that.
>
> So looking closer I see that you copied and modified that part from
> README.uniphier - where I consider this misplaced as well. I would
> recommend to instead move that verified boot part out of that file, and
> add it to doc/uImage.FIT/verified-boot.txt under an example section.
> Then you can point from both the sunxi and uniphier documentation to
> that generic documentation.
>
> Duplicating the documentation definitely does not make sense to me.
> If you want to spoon-feed beginners with step-by-step instructions, feel
> free to add a page to the linux-sunxi wiki with all those details.
Agreed, thanks Andre!
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20171213/6cf35ee8/attachment.sig>
More information about the U-Boot
mailing list