u-boot on raspberry pi with secure boot

Jonas Kvinge jonaski at opensuse.org
Wed Aug 21 19:35:23 CEST 2024


On Tue, 2024-08-20 at 16:29 +0200, Caleb Connolly wrote:
> Hi Jonas,
> 
> 
> I don't know the details of how this is implemented, but the way to 
> solve this is by doing EFI secureboot in U-Boot. The trick is to
> embed 
> the securebook public key hash into U-Boot, there it will be
> validated 
> by the bootrom stage and can be trusted to validate the signed kernel
> EFI.
> 
> The kernel would then need to be booted as a "UKI" (refer to the uapi
> group uki docs), this embeds the kernel, ramdisk, and DTB into a
> single 
> EFI image which can be signed and verified.
> 
> Hopefully this points you in the right direction.
> 

Thanks, this got me a bit further, I have managed to produce a UKI
using dracut on openSUSE, this is written as /boot/efi/EFI/Linux/linux-
6.10.5-1-default-69b6602716a8442d94a79481993e2ded.efi,
I verified that it works by copying it to
/boot/efi/EFI/BOOT/bootaa64.efi.
I've also signed it now following the instructions on
https://github.com/u-boot/u-boot/blob/master/doc/develop/uefi/uefi.rst
So it produced a signed file (/boot/efi/EFI/Linux/linux-6.10.5-1-
default-69b6602716a8442d94a79481993e2ded.efi.signed).
So the next step is to restrict booting to this signed efi file.
But I'm still not sure how to configure U-Boot to only accept to boot
EFI files with my certificate.
I don't see anywhere to configure that in 'make menuconfig', of course,
if I copy the files to the UEFI partition, someone could just replace
the .auth files.
Do I need to use FIT image like described on
https://trac.gateworks.com/wiki/secure_boot ?
In that case how do I configure the .its file to include the efi file
and the certificate instead of the kernel, ramdisk and fdt files
described in the wiki?

Jonas



More information about the U-Boot mailing list