[U-Boot] [PATCH v3 3/5] docs: Document verified-boot for sunxi a64

Maxime Ripard maxime.ripard at free-electrons.com
Thu Dec 14 09:07:40 UTC 2017


On Wed, Dec 13, 2017 at 09:41:35PM +0530, Jagan Teki wrote:
> On Wed, Dec 13, 2017 at 9:08 PM, Maxime Ripard
> <maxime.ripard at free-electrons.com> wrote:
> > Hi,
> >
> > On Wed, Dec 13, 2017 at 11:33:04AM +0530, Jagan Teki wrote:
> >> Add verified-boot documentation for sunxi a64 platform.
> >>
> >> Signed-off-by: Jagan Teki <jagan at amarulasolutions.com>
> >> ---
> >> Changes for v3:
> >> - Create separate document file
> >> Changes for v2:
> >> - New patch
> >>
> >>  doc/README.sunxi | 193 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >>  1 file changed, 193 insertions(+)
> >>  create mode 100644 doc/README.sunxi
> >>
> >> diff --git a/doc/README.sunxi b/doc/README.sunxi
> >> new file mode 100644
> >> index 0000000..ef4f735
> >> --- /dev/null
> >> +++ b/doc/README.sunxi
> >> @@ -0,0 +1,193 @@
> >> +#
> >> +# Copyright (C) 2017 Amarula Solutions
> >> +#
> >> +# SPDX-License-Identifier:   GPL-2.0+
> >> +#
> >> +
> >> +U-Boot on SunXi
> >> +==============
> >> +
> >> +Tutorial describe all details relevant for U-Boot on Allwinner SunXi platform.
> >> +
> >> +     1. Verified Boot
> >> +
> >> +1. Verified Boot
> >> +================
> >> +
> >> +U-Boot supports an image verification method called "Verified Boot".
> >> +This is a brief tutorial to utilize this feature for the Sunxi A64 platform.
> >> +You will find details documents in the doc/uImage.FIT directory.
> >> +
> >> +Here, we take Orangepi Win board for example, but it should work for any
> >> +other boards including 32 bit SoCs.
> >> +
> >> +1. Generate RSA key to sign
> >> +
> >> +  $ mkdir keys
> >> +  $ openssl genpkey -algorithm RSA -out keys/dev.key \
> >> +    -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
> >> +  $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
> >> +
> >> +Two files "dev.key" and "dev.crt" will be created.  The base name is arbitrary,
> >> +but need to match to the "key-name-hint" property described below.
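Review bot: Step 1 ("Generate RSA key to sign") writes the private signing key unencrypted to keys/dev.key, and the sentence after the commands only covers the base name. Add a line saying dev.key is the secret half and has to be kept with restricted permissions and out of the source tree and any image, while dev.crt is the part that may be shared. The introduction under "1. Verified Boot" also never says which boot stages the signature check covers, so state that scope before the numbered steps. The claim that this "should work for any other boards including 32 bit SoCs" should either name what was tested or be softened. Smaller points: the underline under "U-Boot on SunXi" is shorter than the title, and "Tutorial describe all details" and "details documents" need a grammar pass.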
> >
> > I really think that the very first thing you must talk about in that
> > documentation is that it will not protect the SPL itself and that this
> > is not a secure setup.
> 
> Based on my experience with U-Boot, verified-boot here doesn't relate
> to protecting SPL or U-Boot. It's generally for kernel and followed
> stages. I don't think we can think here too much. Some reference:
> doc/README.uniphier

Except that when you read verified boot, it also comes with the
assumption that you're actually protected against something.

In this particular case, you're protected against exactly
nothing. Anyone could come up, replace the bootloader to remove the
signature check, and you're doomed. It's trivial to do, and you're not
mentioning it anywhere.

Maxime

-- 
Maxime Ripard, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com