Lines Matching +full:conf +full:- +full:mdio

5 ------------
7 Before reading this, please read verified-boot.txt and signature.txt. These
8 instructions are for mainline U-Boot from v2014.07 onwards.
11 verified boot works in U-Boot. There is also a test which runs through the
12 entire process of signing an image and running U-Boot (sandbox) to check it.
16 for an example of how to enable verified boot using U-Boot.
18 First a note that may help avoid confusion. U-Boot and Linux both use
21 U-Boot has its device tree packaged with it, and the kernel's device tree is
23 since U-Boot's device tree must be immutable. If it can be changed then the
25 simply generate a new key and put his public key into U-Boot so that
28 tree with the kernel binary. U-Boot supports the latter with its flexible FIT
33 --------
37 1. Build U-Boot for the board, with the verified boot options enabled.
48 6. Put the public key into U-Boot's image
50 7. Put U-Boot and the kernel onto the board
55 Step 1: Build U-Boot
56 --------------------
59 this for U-Boot and also for the kernel if you build it. For example if you
62 …export CROSS_COMPILE=/opt/linaro/gcc-linaro-arm-linux-gnueabihf-4.8-2013.08_linux/bin/arm-linux-gn…
64 or if you just installed gcc-arm-linux-gnueabi then it might be
66 export CROSS_COMPILE=arm-linux-gnueabi-
68 b. Configure and build U-Boot with verified boot enabled:
71 export UBOOT=/path/to/u-boot
73 # You can add -j10 if you have 10 CPUs to make it faster
77 c. You will now have a U-Boot image:
79 file b/am335x_boneblack_vboot/u-boot-dtb.img
80 b/am335x_boneblack_vboot/u-boot-dtb.img: u-boot legacy uImage, U-Boot 2014.07-rc2-00065-g2f69f8, Fi…
84 --------------------
87 use. In our case it is am335x-boneblack.dtb and it is built with the kernel.
110 make uImage dtbs # -j10 if you have 10 CPUs
113 c. You now have the 'Image' and 'am335x-boneblack.dtb' files needed to boot.
117 ----------------------
126 /dts-v1/;
130 #address-cells = <1>;
141 hash-1 {
145 fdt-1 {
146 description = "beaglebone-black";
147 data = /incbin/("am335x-boneblack.dtb");
151 hash-1 {
157 default = "conf-1";
158 conf-1 {
160 fdt = "fdt-1";
161 signature-1 {
163 key-name-hint = "dev";
164 sign-images = "fdt", "kernel";
178 -------------------------
184 openssl genrsa -F4 -out keys/dev.key 2048
185 openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
192 -----------------------
194 We need to use mkimage (which was built when you built U-Boot) to package the
195 Linux kernel into a FIT (Flat Image Tree, a flexible file format that U-Boot
198 At the same time we must put the public key into U-Boot device tree, with the
199 'required' property, which tells U-Boot that this key must be verified for the
200 image to be valid. You will make this key available to U-Boot for booting in
203 ln -s $OKERNEL/dts/am335x-boneblack.dtb
204 ln -s $OKERNEL/Image
205 ln -s $UOUT/u-boot-dtb.img
206 cp $UOUT/arch/arm/dts/am335x-boneblack.dtb am335x-boneblack-pubkey.dtb
208 $UOUT/tools/mkimage -f sign.its -K am335x-boneblack-pubkey.dtb -k keys -r image.fit
226 Image 1 (fdt-1)
227 Description: beaglebone-black
235 Default Configuration: 'conf-1'
236 Configuration 0 (conf-1)
239 FDT: fdt-1
242 Now am335x-boneblack-pubkey.dtb contains the public key and image.fit contains
248 $UOUT/tools/fit_check_sign -f image.fit -k am335x-boneblack-pubkey.dtb
254 Using 'conf-1' configuration
277 Using 'conf-1' configuration
278 Trying 'fdt-1' fdt subimage
279 Description: beaglebone-black
294 Using 'conf-1' configuration
302 'dev' and the '+' means that it verified. If it showed '-' that would be bad.
310 There is a test in test/vboot which uses U-Boot's sandbox build to verify that
316 $UOUT/tools/fit_info -f image.fit -n /images/kernel -p data
327 Using 'conf-1' configuration
346 Bad hash value for 'hash-1' hash node in 'kernel' image node
350 Using 'conf-1' configuration
351 Trying 'fdt-1' fdt subimage
352 Description: beaglebone-black
367 Using 'conf-1' configuration
376 that come with dtc (package name is device-tree-compiler but you will need a
379 dtc -v
384 fdtget -l image.fit /
388 fdtget -l image.fit /configurations
389 conf-1
390 fdtget -l image.fit /configurations/conf-1
391 signature-1
393 fdtget -p image.fit /configurations/conf-1/signature-1
394 hashed-strings
395 hashed-nodes
397 signer-version
398 signer-name
401 key-name-hint
402 sign-images
404 fdtget image.fit /configurations/conf-1/signature-1 hashed-nodes
405 / /configurations/conf-1 /images/fdt-1 /images/fdt-1/hash /images/kernel /images/kernel/hash-1
415 fdtget -tx image.fit /images/kernel/hash-1 value
417 fdtput -tx image.fit /images/kernel/hash-1 value c9436464 6427e10f 423837e5 59898ef0 2c97b981
421 $UOUT/tools/fit_check_sign -f image.fit -k am335x-boneblack-pubkey.dtb
422 Verifying Hash Integrity ... sha1,rsa2048:devrsa_verify_with_keynode: RSA failed to verify: -13
423 rsa_verify_with_keynode: RSA failed to verify: -13
424 -
425 Failed to verify required signature 'key-dev'
430 signature check noticing. The configuration is essentially locked. U-Boot has
440 fdtput -p image.fit /configurations/conf-1/signature-1 value fred
441 $UOUT/tools/fit_check_sign -f image.fit -k am335x-boneblack-pubkey.dtb
442 Verifying Hash Integrity ... -
443 sha1,rsa2048:devrsa_verify_with_keynode: RSA failed to verify: -13
444 rsa_verify_with_keynode: RSA failed to verify: -13
445 -
446 Failed to verify required signature 'key-dev'
454 6. Put the public key into U-Boot's image
455 -----------------------------------------
458 U-Boot on the board. U-Boot needs access to the public key corresponding to
463 make O=b/am335x_boneblack_vboot EXT_DTB=${WORK}/am335x-boneblack-pubkey.dtb
468 Now you have a special U-Boot image with the public key. It can verify can
472 added to U-Boot's device tree:
474 fdtget -p am335x-boneblack-pubkey.dtb /signature/key-dev
477 rsa,r-squared
479 rsa,n0-inverse
480 rsa,num-bits
481 key-name-hint
483 This has information about the key and some pre-processed values which U-Boot
486 code space in U-Boot, the information is extracted and written in raw form for
487 U-Boot to easily use. The same mechanism is used in Google's Chrome OS.
489 Notice the 'required' property. This marks the key as required - U-Boot will
493 7. Put U-Boot and the kernel onto the board
494 -------------------------------------------
497 are booting from a micro-SD card with two partitions, one for U-Boot and one
498 for Linux. Put it into your machine and write U-Boot and the kernel to it.
504 …sudo mount $UDEV /mnt/tmp && sudo cp $UOUT/u-boot-dtb.img /mnt/tmp/u-boot.img && sleep 1 && sudo …
509 ---------
519 U-Boot# setenv bootargs console=ttyO0,115200n8 quiet root=/dev/mmcblk0p2 ro rootfstype=ext4 rootwait
520 U-Boot# ext2load mmc 0:2 82000000 /boot/image.fit
522 U-Boot# bootm 82000000
524 Using 'conf-1' configuration
528 Created: 2014-06-01 19:32:54 UTC
541 Using 'conf-1' configuration
542 Trying 'fdt-1' fdt subimage
543 Description: beaglebone-black
544 Created: 2014-06-01 19:32:54 UTC
560 [ 2.589651] musb-hdrc musb-hdrc.0.auto: Failed to request rx1.
561 [ 2.595830] musb-hdrc musb-hdrc.0.auto: musb_init_controller failed with status -517
562 [ 2.606470] musb-hdrc musb-hdrc.1.auto: Failed to request rx1.
563 [ 2.612723] musb-hdrc musb-hdrc.1.auto: musb_init_controller failed with status -517
565 [ 7.248889] libphy: PHY 4a101000.mdio:01 not found
566 [ 7.253995] net eth0: phy 4a101000.mdio:01 not found on slave 1
567 systemd-fsck[83]: Angstrom: clean, 50607/218160 files, 306348/872448 blocks
569 .---O---.
570 | | .-. o o
571 | | |-----.-----.-----.| | .----..-----.-----.
572 | | | __ | ---'| '--.| .-'| | |
573 | | | | | |--- || --'| | | ' | | | |
574 '---'---'--'--'--. |-----''----''--' '-----'-'-'-'
575 -' |
576 '---'
580 Angstrom v2012.12 - Kernel 3.14.1+
590 --------------------
598 U-Boot's verified boot mechanism has not had a robust and independent security
608 2-June-14