[U-Boot] U-boot FIT Signature

Maria Sepulveda electronica at cojali.com
Tue Feb 28 07:50:27 UTC 2017


Hi Markus,

> Hi Maria,
>
> On Mon, 2017-02-20 at 12:33 +0100, Maria Sepulveda wrote:
>> The reason to store the public key on an external device is to verify
>> that it is our hardware.
> Do you want to verify it is your hardware or do you want to verify the Software
> is the one you designated to run on this hardware?
I want to prevent someone from using my software on different hardware.
>> This is my idea:
>>
>> In the host:
>>
>> 1. Sign my fit image with mkimage.
>> 2. Store the public key in some i2c device ( crypto-memory, read-only
>> device, TPM)
>>
>> In the target:
>>
>> 1. Start U-boot and load my standalone application.
>> Using i2c functions, I would like to check the i2c address of my
>> external device (i2c_probe function) and read the public key stored
>> inside. Then, I want to pass the public key to the U-boot to do the
>> verification.
>> I am not sure whether the public key always has to be stored in the DTB to
>> do the verification (in both: DTB and external device) or whether it could
>> just be in the external device.
>> This is my configuration to enable verification:
>>
>> [...]
>> 2. U-Boot loads the FIT image (bootm command)
>>
>> This is the general idea but first of all, I need to know if it is
>> possible to do that and how I could store the public key somewhere
>> else, not only in the DTB.
> As far as I know it is not designated to store the public key outside the DTB
> so it would need some coding on your side.
>
> As I said before you can do the verification with less effort, storing a
> checksum of your public key in a safe place. It will take less space and you
> can make sure your public key, stored in the DTB, has not been modified by a
> third party.
>
> You just need to calculate a checksum over your public key at runtime and
> compare it to the securely stored one; if they match, your public key is
> authenticated.
>
> Maybe your processor has some builtin secure boot mechanism?
I am using an AM3352 processor and I think it doesn't have any secure
boot mechanism. That's why I would like to do the security part of my
project in U-Boot before loading the kernel image.

Maybe your idea could satisfy my needs. I will calculate a checksum over 
the public key that will be stored in an external device. With a 
standalone U-Boot Application, I will read the checksum from the 
external device and check that the public key hasn't been tampered with. 
If everything is right, U-Boot will load the FIT image.

My question now is how to do that. I have read about the 'crc' command but I
don't know if there is a better way to check at runtime the checksum of
the public key stored in the DTB and compare it with the one stored in my
external device.

Thank you,
María
> best regards
>
> Markus
>> On 20/02/2017 at 10:49, Markus Valentin wrote:
>>> Hi,
>>>
>>> On Fri, 2017-02-17 at 13:55 -0800, Rick Altherr wrote:
>>>> How would you verify that the public key hasn't been tampered with?
>>>>
>>>> On Fri, Feb 17, 2017 at 12:37 AM, Maria Sepulveda <electronica at cojali.com> wrote:
>>>>
>>>>> Good morning,
>>>>>
>>>>> I am working with a FIT image in U-Boot 2013.07. I have configured the
>>>>> image verification with a signed image and the kernel boots fine, so I
>>>>> would like to know if I can store my public key in an external device
>>>>> (like crypto-memory or an i2c device) because I am storing the key in
>>>>> the DTB with the CONFIG_OF_CONTROL configuration.
>>> IMHO it is perfectly fine to store the public key in the u-boot.dtb for most
>>> needs (especially for using it with FIT images). Do you have a specific
>>> reason for wanting to store it elsewhere?
>>>>>    The aim of this is that U-Boot should check the i2c address of my
>>>>> external device, read the public key and verify the signed image later.
>>>>> I work with am335x board and Kernel 3.14.
>>> As Rick suggests, you should verify your public key with a checksum which is
>>> somehow protected from being tampered with. In most cases there is some
>>> OTP-Fuse-Register that can do the job.
>>>
>>> best regards
>>>
>>> Markus
>>>
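
The runtime check discussed in this thread, as an added example that is not part of the original messages and is not U-Boot code: a host-side Python model that hashes every property under the control DTB's `/signature` node (where mkimage places the FIT public key) and compares the result with a reference digest held in the protected device. It uses SHA-256 rather than a CRC, because a CRC does not resist deliberate modification. The `sample_dtb` helper, the `key-dev` node name and the key bytes are constructed for the demonstration.

```python
import hashlib, hmac, struct

FDT_MAGIC, BEGIN, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9

def signature_digest(dtb: bytes) -> bytes:
    """SHA-256 over every property below /signature (node path, name, value)."""
    magic, total, off_struct, off_strings = struct.unpack_from(">4I", dtb, 0)
    if magic != FDT_MAGIC or total > len(dtb):
        raise ValueError("not a valid DTB")
    h, path, pos, found = hashlib.sha256(), [], off_struct, False
    while True:
        tok, pos = struct.unpack_from(">I", dtb, pos)[0], pos + 4
        if tok == BEGIN:
            end = dtb.index(b"\0", pos)
            path.append(dtb[pos:end].decode())
            pos = (end + 4) & ~3              # skip the NUL, realign to 4 bytes
        elif tok == END_NODE:
            path.pop()
        elif tok == PROP:
            length, nameoff = struct.unpack_from(">2I", dtb, pos)
            name_at, pos = off_strings + nameoff, pos + 8
            name = dtb[name_at:dtb.index(b"\0", name_at)]
            value, pos = dtb[pos:pos + length], (pos + length + 3) & ~3
            if path[1:2] == ["signature"]:    # path[0] is the root node ""
                found = True
                for part in ("/".join(path).encode(), name, value):
                    h.update(struct.pack(">I", len(part)) + part)  # length-prefixed
        elif tok == END:
            break
        elif tok != NOP:
            raise ValueError("bad FDT token")
    if not found:
        raise ValueError("no /signature properties to authenticate")
    return h.digest()

def key_is_authentic(dtb: bytes, reference: bytes) -> bool:
    """reference: the 32-byte digest read back from the protected store."""
    return hmac.compare_digest(signature_digest(dtb), reference)

def sample_dtb(modulus: bytes) -> bytes:
    """Constructed minimal DTB: /signature/key-dev with one rsa,modulus property."""
    u32 = lambda *v: struct.pack(">%dI" % len(v), *v)
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    node = lambda name, body: u32(BEGIN) + pad(name + b"\0") + body + u32(END_NODE)
    prop = u32(PROP, len(modulus), 0) + pad(modulus)
    st = node(b"", node(b"signature", node(b"key-dev", prop))) + u32(END)
    strings = b"rsa,modulus\0"
    hdr = u32(FDT_MAGIC, 56 + len(st) + len(strings), 56, 56 + len(st), 40, 17, 16, 0, len(strings), len(st))
    return hdr + bytes(16) + st + strings
```

Calling `signature_digest` once on the trusted DTB yields the value to provision into the protected device; `key_is_authentic` is the comparison to make before the FIT image is verified.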
