u-boot on raspberry pi with secure boot
Ilias Apalodimas
ilias.apalodimas at linaro.org
Wed Aug 21 20:42:52 CEST 2024
Hi Jonas on mobile and on vacation, I'll respond in a week or so. In the
meantime https://www.linaro.org/blog/uefi-secureboot-in-u-boot/ this might
help.
In sort you have to include the efi keys in the uboot binary.
Cheers
Ilias
On Wed, Aug 21, 2024, 20:35 Jonas Kvinge <jonaski at opensuse.org> wrote:
> On Tue, 2024-08-20 at 16:29 +0200, Caleb Connolly wrote:
> > Hi Jonas,
> >
> >
> > I don't know the details of how this is implemented, but the way to
> > solve this is by doing EFI secureboot in U-Boot. The trick is to
> > embed
> > the securebook public key hash into U-Boot, there it will be
> > validated
> > by the bootrom stage and can be trusted to validate the signed kernel
> > EFI.
> >
> > The kernel would then need to be booted as a "UKI" (refer to the uapi
> > group uki docs), this embeds the kernel, ramdisk, and DTB into a
> > single
> > EFI image which can be signed and verified.
> >
> > Hopefully this points you in the right direction.
> >
>
> Thanks, this got me a bit further, I have managed to produce a UKI
> using dracut on openSUSE, this is written as /boot/efi/EFI/Linux/linux-
> 6.10.5-1-default-69b6602716a8442d94a79481993e2ded.efi,
> I verified that it works by copying it to
> /boot/efi/EFI/BOOT/bootaa64.efi.
> I've also signed it now following the instructions on
> https://github.com/u-boot/u-boot/blob/master/doc/develop/uefi/uefi.rst
> So it produced a signed file (/boot/efi/EFI/Linux/linux-6.10.5-1-
> default-69b6602716a8442d94a79481993e2ded.efi.signed).
> So the next step is to restrict booting to this signed efi file.
> But I'm still not sure how to configure U-Boot to only accept to boot
> EFI files with my certificate.
> I don't see anywhere to configure that in 'make menuconfig', of course,
> if I copy the files to the UEFI partition, someone could just replace
> the .auth files.
> Do I need to use FIT image like described on
> https://trac.gateworks.com/wiki/secure_boot ?
> In that case how do I configure the .its file to include the efi file
> and the certificate instead of the kernel, ramdisk and fdt files
> described in the wiki?
>
> Jonas
>
>
More information about the U-Boot
mailing list