[U-Boot] [PATCH] rpi3: Enable verified boot from FIT image

Heinrich Schuchardt xypron.glpk at gmx.de
Mon Sep 2 11:19:06 UTC 2019


On 9/2/19 12:30 PM, Matthias Brugger wrote:
> +Alex, Lukas, Heinrich, Bin and Simon
>
> On 31/07/2019 10:16, Jun Nie wrote:
>> Matthias Brugger <mbrugger at suse.com> wrote on Wed, 31 Jul 2019 at 4:05 PM:
>>>
>>>
>>>
>>> On 11/07/2019 05:55, Jun Nie wrote:
>>>> Enable verified boot from FIT image with select configs
>>>> and specify boot script image node in FIT image, the FIT
>>>> image is verified before it is run.
>>>>
>>>> Code that reuses dtb in firmware is disabled, so that
>>>> the dtb with public key packed in u-boot.bin can be used
>>>> to verify the signature of next stage FIT image.
>>>>
>>>> Signed-off-by: Jun Nie <jun.nie at linaro.org>
>>>> ---
>>>>   board/raspberrypi/rpi/rpi.c |  6 ++++++
>>>>   include/configs/rpi.h       | 15 ++++++++++++++-
>>>>   2 files changed, 20 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/board/raspberrypi/rpi/rpi.c b/board/raspberrypi/rpi/rpi.c
>>>> index 617c892..950ee84 100644
>>>> --- a/board/raspberrypi/rpi/rpi.c
>>>> +++ b/board/raspberrypi/rpi/rpi.c
>>>> @@ -297,6 +297,7 @@ static void set_fdtfile(void)
>>>>        env_set("fdtfile", fdtfile);
>>>>   }
>>>>
>>>> +#ifndef CONFIG_FIT_SIGNATURE
>>>>   /*
>>>>    * If the firmware provided a valid FDT at boot time, let's expose it in
>>>>    * ${fdt_addr} so it may be passed unmodified to the kernel.
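Review bot: the `#ifndef CONFIG_FIT_SIGNATURE` added above the
set_fdt_addr() comment means ${fdt_addr} is never set on a build with
FIT signatures enabled, and nothing in the patch documents that. The
comment being guarded says the variable exists so the firmware FDT can
be passed unmodified to the kernel, so any boot script that relies on
${fdt_addr} stops working silently. Please state this in the commit
message and say where the kernel's device tree is expected to come from
instead on a verified-boot build.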
>>>> @@ -311,6 +312,7 @@ static void set_fdt_addr(void)
>>>>
>>>>        env_set_hex("fdt_addr", fw_dtb_pointer);
>>>>   }
>>>> +#endif
>>>>
>>>>   /*
>>>>    * Prevent relocation from stomping on a firmware provided FDT blob.
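Review bot: the `#endif` after set_fdt_addr() closes a guard opened in
the previous hunk and carries no marker; `#endif /*
!CONFIG_FIT_SIGNATURE */` would make the pairing readable. The context
right below it shows the "Prevent relocation from stomping on a firmware
provided FDT blob" code is left outside the guard. Please say in the
commit message whether that is intentional now that the firmware FDT is
no longer used in this configuration.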
>>>> @@ -393,7 +395,9 @@ static void set_serial_number(void)
>>>>
>>>>   int misc_init_r(void)
>>>>   {
>>>> +#ifndef CONFIG_FIT_SIGNATURE
>>>>        set_fdt_addr();
>>>> +#endif
>>>>        set_fdtfile();
>>>>        set_usbethaddr();
>>>>   #ifdef CONFIG_ENV_VARS_UBOOT_RUNTIME_CONFIG
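Review bot: the `#ifndef`/`#endif` pair around the set_fdt_addr() call
in misc_init_r() puts preprocessor conditionals inside a function body.
A run-time-constant test such as `if (!IS_ENABLED(CONFIG_FIT_SIGNATURE))
set_fdt_addr();` keeps both paths visible to the compiler and lets the
guard around the function definition be dropped as well, so the two
cannot get out of sync.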
>>>> @@ -470,6 +474,7 @@ int board_init(void)
>>>>        return bcm2835_power_on_module(BCM2835_MBOX_POWER_DEVID_USB_HCD);
>>>>   }
>>>>
>>>> +#ifndef CONFIG_FIT_SIGNATURE
>>>>   /*
>>>>    * If the firmware passed a device tree use it for U-Boot.
>>>>    */
>>>> @@ -479,6 +484,7 @@ void *board_fdt_blob_setup(void)
>>>>                return NULL;
>>>>        return (void *)fw_dtb_pointer;
>>>>   }
>>>> +#endif
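Review bot: guarding board_fdt_blob_setup() on CONFIG_FIT_SIGNATURE is
the security-relevant part of the change, yet the property it is meant
to give (the control DTB holding the public key comes from u-boot.bin,
not from the firmware) is only implied. The diffstat touches rpi.c and
rpi.h only, so nothing ties CONFIG_FIT_SIGNATURE to the device-tree
provider option the board is built with. Please name the required
option in the commit message, or enforce the dependency in Kconfig, so
that a build which enables signatures but still takes its DTB from the
firmware fails at build time instead of verifying against an untrusted
key.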
>>>
>>> Just to get this clear we need this because we want to pass the device tree via
>>> OF_SEPARATE, correct?
>>
>> You are right.  U-Boot needs to read the signature from dtb.
>>
>>>
>>>>
>>>>   int ft_board_setup(void *blob, bd_t *bd)
>>>>   {
>>>> diff --git a/include/configs/rpi.h b/include/configs/rpi.h
>>>> index f76c7d1..ba91205 100644
>>>> --- a/include/configs/rpi.h
>>>> +++ b/include/configs/rpi.h
>>>> @@ -180,11 +180,24 @@
>>>>
>>>>   #include <config_distro_bootcmd.h>
>>>>
>>>> +#ifdef CONFIG_FIT_SIGNATURE
>>>> +#define FIT_BOOT_CMD                                                 \
>>>> +     "boot_a_script="                                                \
>>>> +             "load ${devtype} ${devnum}:${distro_bootpart} "         \
>>>> +                     "${scriptaddr} ${prefix}${script}; "            \
>>>> +             "iminfo ${scriptaddr};"                                 \
>>>> +             "if test $? -eq 1; then reset; fi;"                     \
>>>> +             "source ${scriptaddr}:bootscr\0"
>>>> +#else
>>>> +#define FIT_BOOT_CMD ""
>>>> +#endif
>>>> +
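Review bot: the verification gate in FIT_BOOT_CMD, `if test $? -eq 1;
then reset; fi;`, only stops the boot when iminfo returns exactly 1;
any other non-zero status falls through to `source`. The `load` result
is not checked either, so a failed load leaves iminfo and source
operating on whatever was already at ${scriptaddr}. Failing closed
would be safer, for example chaining the load with `&&` and using
`if iminfo ${scriptaddr}; then source ${scriptaddr}:bootscr; else
reset; fi`. The node name `bootscr` is also hard-coded with no
documentation of how the FIT image has to be laid out.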
>>>
>>> Doesn't this overwrite the boot_a_script in distro_bootcmd?
>>>
>>> Would it make sense to add FIT booting to the distro boot command?
>>>
>>> Regards,
>>> Matthias
>>
>> Yes, it overwrites the boot_a_script in distro_bootcmd. It makes
>> sense to add this to the distro boot command. I can send another patch
>> to move these lines to common code later.
>>
>
> Question to the people just added, as you have relevant submissions to
> distroboot. Do you think it makes sense to add FIT_BOOT_CMD to that?
>
> Regards,
> Matthias

The idea of distro-boot was to make it easier for Linux distributions to
update the information needed by U-Boot to find the right kernel and
ramdisk.

According to doc/README.distro, file extlinux.conf should be used for the
communication between the distribution and U-Boot. Some distributions
like Debian still rely on boot.scr.

Many distributions (OpenBSD, FreeBSD, Suse, Fedora) have moved from
distro-boot to UEFI as booting standard. Unfortunately we have not
documented our support for this in doc/README.distro (TODO for me).
Takahiro is working on secure boot using UEFI. Once completed this could
obsolete FIT images.

Would we expect Linux distributions to provide FIT images upon kernel
updates?
Is there any Linux distribution doing so?

Only if we can answer these questions with yes, adding FIT_BOOT_CMD to
distro-boot would make sense to me.

Best regards

Heinrich

>
>>>
>>>>   #define CONFIG_EXTRA_ENV_SETTINGS \
>>>>        "dhcpuboot=usb start; dhcp u-boot.uimg; bootm\0" \
>>>>        ENV_DEVICE_SETTINGS \
>>>>        ENV_MEM_LAYOUT_SETTINGS \
>>>> -     BOOTENV
>>>> +     BOOTENV \
>>>> +     FIT_BOOT_CMD
>>>>
>>>>
>>>>   #endif
>>>>
>>
>


