[U-Boot] Complete verified uboot example
Ron Brash
ron.brash at gmail.com
Tue Feb 21 18:08:19 UTC 2017
Hello all,
I am adding verified kernel support on a board we are using and I am
struggling to fully understand all of the concepts and steps required to
pull everything together (on ARM, using ZImages and booting with a working
DTB on 4.4.3x). I also looked at the test script inside of examples, but
it left me with more questions than understanding.
Please correct me where appropriate in my understanding, but if I am
confused, likely others are too and I hope this helps everyone involved
overall.
Steps:
---------------------------------------------------------------
First, u-boot needs to have the appropriate features enabled and to be
built using them. At a minimum, I suspect:
CONFIG_RSA=y
CONFIG_FIT=y
CONFIG_FIT_SIGNATURE=y
CONFIG_OF_CONTROL=y
Next, we need to derive the appropriate cryptographic primitives/keys.
#Generate a private signing key (RSA2048):
openssl genrsa -F4 -out \
"${key_dir}"/"${key_name}".key 2048
# Generate a public key:
openssl req -batch -new -x509 \
-key "${key_dir}"/"${key_name}".key \
-out "${key_dir}"/"${key_name}".crt
Then we derive the ITS or image source file - a file that hints/describes
the elements that will be verified and/or inside of the FIT image? Let's
call this $FIT_ITS.
/dts-v1/;
/ {
    description = "Configuration to load a Xen Kernel";
    #address-cells = <1>;
    images {
        linux_kernel@1 {
            description = "Linux zImage";
            data = /incbin/("pathToImage/zImage");
            type = "kernel";
            arch = "arm";
            os = "linux";
            compression = "none";
            load = <0xaf600000>;
            entry = <0xaf600000>;
            hash@1 {
                algo = "sha1";
            };
        };
        fdt@1 {
            description = "FDT blob";
            data = /incbin/("PathToDTBUsedByBootingKernel/ex.dtb");
            type = "flat_dt";
            arch = "arm";
            compression = "none";
            load = <0xaec00000>;
            hash@1 {
                algo = "sha1";
            };
        };
    };
    configurations {
        default = "config@1";
        config@1 {
            description = "Plain Linux";
            kernel = "linux_kernel@1";
            fdt = "fdt@1";
            loadables = "linux_kernel@1";
        };
    };
};
Question: Does a signature section go into this as well? underneath the
hash node for each value?
signature@1 {
    algo = "sha1,rsa2048";
    value = <...kernel signature 1...>
};
Then using the device-tree-compiler (dtc), I create a DTB for u-boot. This
is the control FDT and this defines what keys are used etc..
#Assemble control FDT for U-Boot with space for public key:
$DTC -p 0x1000 u-boot.dts -O dtb -o u-boot.dtb
Question: What is required inside of the u-boot.dts for u-boot? Is it
simply the same .dts used by the booting kernel, but with a section
proclaiming the keys?
Question: Where will the compiled u-boot.dtb eventually go? Is this put
into a FIT image, or flashed onto the board alongside the u-boot bootloader
itself?
Next, given that the above steps are completed, I need to create a FIT
image with space for the signature.
# Generate fitImage with space for signature:
$MKIMG -D "-I dts -O dtb -p 2000" \
    -f $FIT_ITS $FIT_IMG
Question: Is the FIT_IMAGE the actual zimage or is it an output image that
contains all of the values contained within the ITS?
Next this FIT_IMAGE (assuming that this is the final FIT image that
contains the FDT and zImage) needs to be signed and the public key added to
it; given that the key information is in the uboot.
# Sign fitImage and add public key into u-boot.dtb:
$MKIMG -D "-I dts -O dtb -p 2000" -F \
    -k "${key_dir}" -K u-boot.dtb -r $FIT_IMG
Then, we sign the subsequent fitImage again - correct?
# Signing subsequent fitImage:
$MKIMG -D "-I dts -O dtb -p 2000" \
    -k "${key_dir}" -f $FIT_ITS -r $FIT_IMG
Now that all of the above is done - we need to:
1. Write our uboot to the flash
2. Write our FIT_IMAGE to flash
Question: Do we write anything else to persistent storage? The ITS? etc..
Question: Do we just boot using anything else or just bootm
0xLocationOfTheFitImageInRAM?
Greatly appreciate any assistance to all of these questions and I'm sure
this thread will be of interest to anyone else too.
Thanks!
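
Added example, not part of the original post and not U-Boot project code: a small Python check over an .its source that reports, per configuration, whether it carries a signature@N node with algo and key-name-hint (the node that mkimage -k signs, writing the value property itself), whether only its kernel and FDT images carry signature nodes, or whether it has hash nodes alone as in the ITS above. The sample .its and the key name "dev" are constructed, and the parser handles only the DTS subset shown here.

```python
import re

# Constructed sample: the post's ITS reduced to what matters for signing, plus a
# second configuration with a signature node (the key name "dev" is made up).
SAMPLE_ITS = '''
/dts-v1/;
/ {
  images {
    linux_kernel@1 { data = /incbin/("zImage"); hash@1 { algo = "sha1"; }; };
    fdt@1 { data = /incbin/("ex.dtb"); hash@1 { algo = "sha1"; }; };
  };
  configurations {
    default = "config@1";
    config@1 { kernel = "linux_kernel@1"; fdt = "fdt@1"; };
    config@2 { kernel = "linux_kernel@1"; fdt = "fdt@1";
      signature@1 { algo = "sha1,rsa2048"; key-name-hint = "dev"; }; };
  };
};
'''

def parse(text):
    """Parse the small DTS subset used by .its files into nested dicts."""
    stack = [{}]
    pat = r'([^\s{};=]+)\s*\{|\}\s*;|([^\s{};=]+)\s*=\s*([^;]+);'
    for m in re.finditer(pat, text):
        if m.group(1):                      # "name {" opens a child node
            stack.append(stack[-1].setdefault(m.group(1), {}))
        elif m.group(2):                    # "prop = value;" keeps quoted strings
            stack[-1][m.group(2)] = re.findall(r'"([^"]*)"', m.group(3))
        else:                               # "};" closes the current node
            stack.pop()
    return stack[0]["/"]

def signatures(node):
    return [v for k, v in node.items() if k.startswith("signature") and isinstance(v, dict)]

def audit(text):
    """Map each configuration to 'config-signed', 'image-signed' or 'hash-only'."""
    tree, result = parse(text), {}
    for name, cfg in tree["configurations"].items():
        if not isinstance(cfg, dict):       # skip the "default" property
            continue
        refs = [tree["images"][cfg[p][0]] for p in ("kernel", "fdt") if p in cfg]
        if any(s.get("algo") and s.get("key-name-hint") for s in signatures(cfg)):
            result[name] = "config-signed"
        elif refs and all(signatures(img) for img in refs):
            result[name] = "image-signed"
        else:
            result[name] = "hash-only"      # integrity only, nothing authenticated
    return result
```

Calling audit(SAMPLE_ITS) reports config@1 as hash-only and config@2 as config-signed; a hash-only configuration gives U-Boot a checksum to compare but nothing tied to the key pair generated earlier.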