Lines Matching +full:pre +full:- +full:verified

1 Verified Boot on the Beaglebone Black
5 ------------
7 Before reading this, please read verified-boot.txt and signature.txt. These
8 instructions are for mainline U-Boot from v2014.07 onwards.
11 verified boot works in U-Boot. There is also a test which runs through the
12 entire process of signing an image and running U-Boot (sandbox) to check it.
16 for an example of how to enable verified boot using U-Boot.
18 First a note that may help avoid confusion. U-Boot and Linux both use
21 U-Boot has its device tree packaged with it, and the kernel's device tree is
22 packaged with the kernel. In particular this is important with verified boot,
23 since U-Boot's device tree must be immutable. If it can be changed then the
24 public keys can be changed and verified boot is useless. An attacker can
25 simply generate a new key and put his public key into U-Boot so that
28 tree with the kernel binary. U-Boot supports the latter with its flexible FIT
33 --------
37 1. Build U-Boot for the board, with the verified boot options enabled.
48 6. Put the public key into U-Boot's image
50 7. Put U-Boot and the kernel onto the board
55 Step 1: Build U-Boot
56 --------------------
59 this for U-Boot and also for the kernel if you build it. For example if you
62 …export CROSS_COMPILE=/opt/linaro/gcc-linaro-arm-linux-gnueabihf-4.8-2013.08_linux/bin/arm-linux-gn…
64 or if you just installed gcc-arm-linux-gnueabi then it might be
66 export CROSS_COMPILE=arm-linux-gnueabi-
68 b. Configure and build U-Boot with verified boot enabled:
71 export UBOOT=/path/to/u-boot
73 # You can add -j10 if you have 10 CPUs to make it faster
77 c. You will now have a U-Boot image:
79 file b/am335x_boneblack_vboot/u-boot-dtb.img
80 b/am335x_boneblack_vboot/u-boot-dtb.img: u-boot legacy uImage, U-Boot 2014.07-rc2-00065-g2f69f8, Fi…
84 --------------------
87 use. In our case it is am335x-boneblack.dtb and it is built with the kernel.
110 make uImage dtbs # -j10 if you have 10 CPUs
113 c. You now have the 'Image' and 'am335x-boneblack.dtb' files needed to boot.
117 ----------------------
126 /dts-v1/;
130 #address-cells = <1>;
141 hash-1 {
145 fdt-1 {
146 description = "beaglebone-black";
147 data = /incbin/("am335x-boneblack.dtb");
151 hash-1 {
157 default = "conf-1";
158 conf-1 {
160 fdt = "fdt-1";
161 signature-1 {
163 key-name-hint = "dev";
164 sign-images = "fdt", "kernel";
178 -------------------------
184 openssl genrsa -F4 -out keys/dev.key 2048
185 openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
192 -----------------------
194 We need to use mkimage (which was built when you built U-Boot) to package the
195 Linux kernel into a FIT (Flat Image Tree, a flexible file format that U-Boot
198 At the same time we must put the public key into U-Boot device tree, with the
199 'required' property, which tells U-Boot that this key must be verified for the
200 image to be valid. You will make this key available to U-Boot for booting in
203 ln -s $OKERNEL/dts/am335x-boneblack.dtb
204 ln -s $OKERNEL/Image
205 ln -s $UOUT/u-boot-dtb.img
206 cp $UOUT/arch/arm/dts/am335x-boneblack.dtb am335x-boneblack-pubkey.dtb
208 $UOUT/tools/mkimage -f sign.its -K am335x-boneblack-pubkey.dtb -k keys -r image.fit
226 Image 1 (fdt-1)
227 Description: beaglebone-black
235 Default Configuration: 'conf-1'
236 Configuration 0 (conf-1)
239 FDT: fdt-1
242 Now am335x-boneblack-pubkey.dtb contains the public key and image.fit contains
248 $UOUT/tools/fit_check_sign -f image.fit -k am335x-boneblack-pubkey.dtb
254 Using 'conf-1' configuration
277 Using 'conf-1' configuration
278 Trying 'fdt-1' fdt subimage
279 Description: beaglebone-black
294 Using 'conf-1' configuration
302 'dev' and the '+' means that it verified. If it showed '-' that would be bad.
304 Once the configuration is verified it is then possible to rely on the hashes
308 hash verified. This means that none of the images has been tampered with.
310 There is a test in test/vboot which uses U-Boot's sandbox build to verify that
316 $UOUT/tools/fit_info -f image.fit -n /images/kernel -p data
327 Using 'conf-1' configuration
346 Bad hash value for 'hash-1' hash node in 'kernel' image node
350 Using 'conf-1' configuration
351 Trying 'fdt-1' fdt subimage
352 Description: beaglebone-black
367 Using 'conf-1' configuration
376 that come with dtc (package name is device-tree-compiler but you will need a
379 dtc -v
384 fdtget -l image.fit /
388 fdtget -l image.fit /configurations
389 conf-1
390 fdtget -l image.fit /configurations/conf-1
391 signature-1
393 fdtget -p image.fit /configurations/conf-1/signature-1
394 hashed-strings
395 hashed-nodes
397 signer-version
398 signer-name
401 key-name-hint
402 sign-images
404 fdtget image.fit /configurations/conf-1/signature-1 hashed-nodes
405 / /configurations/conf-1 /images/fdt-1 /images/fdt-1/hash /images/kernel /images/kernel/hash-1
415 fdtget -tx image.fit /images/kernel/hash-1 value
417 fdtput -tx image.fit /images/kernel/hash-1 value c9436464 6427e10f 423837e5 59898ef0 2c97b981
421 $UOUT/tools/fit_check_sign -f image.fit -k am335x-boneblack-pubkey.dtb
422 Verifying Hash Integrity ... sha1,rsa2048:devrsa_verify_with_keynode: RSA failed to verify: -13
423 rsa_verify_with_keynode: RSA failed to verify: -13
424 -
425 Failed to verify required signature 'key-dev'
430 signature check noticing. The configuration is essentially locked. U-Boot has
440 fdtput -p image.fit /configurations/conf-1/signature-1 value fred
441 $UOUT/tools/fit_check_sign -f image.fit -k am335x-boneblack-pubkey.dtb
442 Verifying Hash Integrity ... -
443 sha1,rsa2048:devrsa_verify_with_keynode: RSA failed to verify: -13
444 rsa_verify_with_keynode: RSA failed to verify: -13
445 -
446 Failed to verify required signature 'key-dev'
454 6. Put the public key into U-Boot's image
455 -----------------------------------------
458 U-Boot on the board. U-Boot needs access to the public key corresponding to
463 make O=b/am335x_boneblack_vboot EXT_DTB=${WORK}/am335x-boneblack-pubkey.dtb
468 Now you have a special U-Boot image with the public key. It can verify
472 added to U-Boot's device tree:
474 fdtget -p am335x-boneblack-pubkey.dtb /signature/key-dev
477 rsa,r-squared
479 rsa,n0-inverse
480 rsa,num-bits
481 key-name-hint
483 This has information about the key and some pre-processed values which U-Boot
486 code space in U-Boot, the information is extracted and written in raw form for
487 U-Boot to easily use. The same mechanism is used in Google's Chrome OS.
489 Notice the 'required' property. This marks the key as required - U-Boot will
493 7. Put U-Boot and the kernel onto the board
494 -------------------------------------------
497 are booting from a micro-SD card with two partitions, one for U-Boot and one
498 for Linux. Put it into your machine and write U-Boot and the kernel to it.
504 …sudo mount $UDEV /mnt/tmp && sudo cp $UOUT/u-boot-dtb.img /mnt/tmp/u-boot.img && sleep 1 && sudo …
509 ---------
519 U-Boot# setenv bootargs console=ttyO0,115200n8 quiet root=/dev/mmcblk0p2 ro rootfstype=ext4 rootwait
520 U-Boot# ext2load mmc 0:2 82000000 /boot/image.fit
522 U-Boot# bootm 82000000
524 Using 'conf-1' configuration
528 Created: 2014-06-01 19:32:54 UTC
541 Using 'conf-1' configuration
542 Trying 'fdt-1' fdt subimage
543 Description: beaglebone-black
544 Created: 2014-06-01 19:32:54 UTC
560 [ 2.589651] musb-hdrc musb-hdrc.0.auto: Failed to request rx1.
561 [ 2.595830] musb-hdrc musb-hdrc.0.auto: musb_init_controller failed with status -517
562 [ 2.606470] musb-hdrc musb-hdrc.1.auto: Failed to request rx1.
563 [ 2.612723] musb-hdrc musb-hdrc.1.auto: musb_init_controller failed with status -517
567 systemd-fsck[83]: Angstrom: clean, 50607/218160 files, 306348/872448 blocks
569 .---O---.
570 | | .-. o o
571 | | |-----.-----.-----.| | .----..-----.-----.
572 | | | __ | ---'| '--.| .-'| | |
573 | | | | | |--- || --'| | | ' | | | |
574 '---'---'--'--'--. |-----''----''--' '-----'-'-'-'
575 -' |
576 '---'
580 Angstrom v2012.12 - Kernel 3.14.1+
584 At this point your kernel has been verified and you can be sure that it is one
590 --------------------
598 U-Boot's verified boot mechanism has not had a robust and independent security
602 Perhaps the verified boot feature could be integrated into the Angstrom
608 2-June-14