u-boot on raspberry pi with secure boot

Caleb Connolly caleb.connolly at linaro.org
Tue Aug 20 16:29:23 CEST 2024


Hi Jonas,

On 19/08/2024 15:11, Jonas Kvinge wrote:
> Hi,
> 
> I have a custom installation of openSUSE Tumbleweed which uses u-boot
> and Grub.
> To use secure boot on the RPI, one creates a boot.img containing the
> kernel and other files which is signed, and the eeprom is locked to
> only allow booting with this signature.
> (https://github.com/raspberrypi/usbboot/blob/master/secure-boot-recovery/README.md
> ).
> Since I'm using u-boot, I'm creating a boot.img containing u-boot.bin
> instead of the linux kernel and ramdisk.
> But then nothing is locking down which kernel can boot, since that's
> controlled by UEFI and Grub. u-boot starts Grub from the UEFI
> partition, and Grub starts the kernel from a separate /boot partition.
> And I see no way to change this.
> I use a 3 partition setup where the partitions are 1. FAT UEFI
> partition, 2. Linux ext4 /boot partition, 3. Encrypted LUKS ext4 root
> partition.
> I've been looking into
> https://trac.gateworks.com/wiki/secure_boot#SecuringtheKernelFDTramdiskviaFITimages
> But is that possible to do with my current setup? Can I include grub
> and the kernel/initrd in the boot.img and make u-boot use that instead
> of from the UEFI partition?

I don't know the details of how this is implemented, but the way to 
solve this is by doing EFI secureboot in U-Boot. The trick is to embed 
the secureboot public key hash into U-Boot, there it will be validated 
by the bootrom stage and can be trusted to validate the signed kernel EFI.

The kernel would then need to be booted as a "UKI" (refer to the uapi 
group uki docs), this embeds the kernel, ramdisk, and DTB into a single 
EFI image which can be signed and verified.

Hopefully this points you in the right direction.

Kind regards,
> 
> Jonas
> 

-- 
// Caleb (they/them)
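
Added example (not part of the message above and not U-Boot or Raspberry Pi code): a Python pre-deployment check that a candidate UKI actually contains the kernel, ramdisk and DTB sections and has a signature attached. Section names follow the UAPI UKI specification; `inspect_uki` and `build_sample` are hypothetical helper names, and the sample image is constructed.

```python
import struct

# Sections that carry the kernel, ramdisk and DTB in a UKI (names per the UAPI UKI spec).
REQUIRED = (".linux", ".initrd", ".dtb")
SECURITY_DIR = 4  # PE data directory index of the Authenticode certificate table

def inspect_uki(data: bytes) -> dict:
    """Parse PE headers; list sections and report whether a signature is attached."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    off = size = 0
    if ndirs > SECURITY_DIR:
        off, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    # Presence only: validating the signature is the firmware's job (U-Boot here).
    has_sig = size > 0 and off + size <= len(data)
    table = opt + opt_size
    names = [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsect)]
    return {"sections": names, "has_signature": has_sig,
            "missing": [s for s in REQUIRED if s not in names]}

def build_sample(sections, cert=b"") -> bytes:
    """Constructed header-only PE32+ image for the demo; not bootable."""
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    table = b"".join(n.encode().ljust(40, b"\0") for n in sections)
    if cert:  # certificate blob is appended right after the section table
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR,
                         64 + 24 + len(opt) + len(table), len(cert))
    coff = struct.pack("<HHIIIHH", 0xAA64, len(sections), 0, 0, 0, len(opt), 0)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)  # e_lfanew = 64
    return dos + b"PE\0\0" + coff + bytes(opt) + table + cert

if __name__ == "__main__":
    uki = build_sample([".linux", ".initrd", ".dtb", ".cmdline"], cert=b"\x01" * 16)
    print(inspect_uki(uki))
    print(inspect_uki(build_sample([".linux", ".initrd"])))  # unsigned, no DTB
```

An image that reports a missing section or no attached signature leaves that component outside what the signed EFI image covers, so it is worth rejecting before it reaches the EFI partition.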

