U-Boot Verified Boot
====================

Introduction
------------
Verified boot here means the verification of all software loaded into a
machine during the boot process to ensure that it is authorised and correct
for that machine.

Verified boot extends from the moment of system reset to as far as you wish
into the boot process. An example might be loading U-Boot from read-only
memory, then loading a signed kernel, then using the kernel's dm-verity
driver to mount a signed root filesystem.

A key point is that it is possible to field-upgrade the software on machines
which use verified boot. Since the machine will only run software that has
been correctly signed, it is safe to read software from an updatable medium.
It is also possible to add a secondary signed firmware image, in read-write
memory, so that firmware can easily be upgraded in a secure manner.


Signing
-------
Verified boot uses cryptographic algorithms to 'sign' software images.
Images are signed using a private key known only to the signer, but can
be verified using a public key. As its name suggests the public key can be
made available without risk to the verification process. The private and
public keys are mathematically related. For more information on how this
works look up "public key cryptography" and "RSA" (a particular algorithm).

The signing and verification process looks something like this:


    Signing                                      Verification
    =======                                      ============

                                                 *
    +--------------+                             *
    | RSA key pair |                             *    +---------------+
    | .key  .crt   |                             *    | Public key in |
    +--------------+            +------> public key ----->| trusted place |
           |                    |                *    +---------------+
           |                    |                *            |
           v                    |                *            v
    +---------+                 |                *    +--------------+
    |         |-----------------+                *    |              |
    | signer  |                                  *    |    U-Boot    |
    |         |-----------------+                *    |  signature   |--> yes/no
    +---------+                 |                *    | verification |
           ^                    |                *    |              |
           |                    |                *    +--------------+
           |                    |                *            ^
    +----------+                |                *            |
    | Software |                +----> signed image -----------+
    | image    |                                 *
    +----------+                                 *


The signature algorithm relies only on the public key to do its work. Using
this key it checks the signature that it finds in the image. If it verifies
then we know that the image is OK.

The public key from the signer allows us to verify and therefore trust
software from updatable memory.

It is critical that the public key be secure and cannot be tampered with.
It can be stored in read-only memory, or perhaps protected by other on-chip
crypto provided by some modern SoCs. If the public key can be changed, then
the verification is worthless.


Chaining Images
---------------
The above method works for a signer providing images to a run-time U-Boot.
It is also possible to extend this scheme to a second level, like this:

1. Master private key is used by the signer to sign a first-stage image.
2. Master public key is placed in read-only memory.
3. Secondary private key is created and used to sign second-stage images.
4. Secondary public key is placed in first-stage images.
5. We use the master public key to verify the first-stage image. We then
use the secondary public key in the first-stage image to verify the second-
stage image.
6. This chaining process can go on indefinitely. It is recommended to use a
different key at each stage, so that a compromise in one place will not
affect the whole chain.


Flattened Image Tree (FIT)
--------------------------
The FIT format is already widely used in U-Boot. It is a flattened device
tree (FDT) in a particular format, with images contained within. FITs
include hashes to verify images, so it is relatively straightforward to
add signatures as well.

The public key can be stored in U-Boot's CONFIG_OF_CONTROL device tree in
a standard place. Then when a FIT is loaded it can be verified using that
public key. Multiple keys and multiple signatures are supported.

See signature.txt for more information.


Simon Glass
sjg@chromium.org
1-1-13
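The following Python program is an added illustration of the signing flow and the two-level chain described above; it is not U-Boot code and does not use U-Boot's FIT or mkimage tooling. It models the master public key as the copy held in read-only memory, builds a first-stage image that carries the secondary public key, signs the second stage with the secondary private key, and then walks the chain the way steps 5 and 6 describe. The RSA operation is the unpadded textbook form on fixed, constructed Mersenne primes so the example needs only the standard library; the image format (a JSON document with a payload and an optional embedded key) is likewise a stand-in chosen for this example. It demonstrates the key-handling logic, not production cryptography.

```python
"""Two-stage verified-boot chain, as an added illustration (not U-Boot code).

Master public key lives in "ROM"; the first-stage image carries the secondary
public key; the second-stage image is verified with that embedded key.  The
RSA used here is the unpadded textbook operation on fixed Mersenne primes so
that the example needs only the Python standard library.
"""
import hashlib
import json

# Constructed key material: distinct Mersenne primes for each key pair, so no
# two keys share a factor.  Real deployments generate 2048-bit+ keys properly.
PRIMES = {
    "master": (2**607 - 1, 2**521 - 1),     # public half of this pair sits in ROM
    "secondary": (2**127 - 1, 2**107 - 1),  # signs second-stage images
    "rogue": (2**89 - 1, 2**61 - 1),        # attacker-generated key for the negative case
}


def make_keypair(p, q, e=65537):
    """Return (public, private) dicts for the textbook RSA pair with modulus p*q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}


def image_digest(data: bytes) -> int:
    # 128-bit truncated SHA-256, so the representative is below every modulus above.
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(private, data: bytes) -> int:
    """Signer side: private exponent applied to the image digest."""
    return pow(image_digest(data), private["d"], private["n"])


def verify(public, data: bytes, signature: int) -> bool:
    """Verifier side: only the public key is needed."""
    if not 0 < signature < public["n"]:
        return False
    return pow(signature, public["e"], public["n"]) == image_digest(data)


def build_image(payload: bytes, embedded_pubkey=None) -> bytes:
    """Stand-in for a FIT: the payload plus, optionally, the next stage's public key."""
    doc = {"payload": payload.hex()}
    if embedded_pubkey is not None:
        doc["pubkey"] = embedded_pubkey
    return json.dumps(doc, sort_keys=True).encode()


def verify_chain(rom_pubkey, stage1: bytes, stage1_sig: int,
                 stage2: bytes, stage2_sig: int):
    """Walk the chain in the order the text describes; return (ok, reason)."""
    # The master public key (read-only memory) checks the first stage.
    if not verify(rom_pubkey, stage1, stage1_sig):
        return False, "first-stage signature rejected by master key"
    # The secondary public key is trusted only because it arrived inside a
    # first-stage image that the master key has just accepted.
    secondary = json.loads(stage1.decode()).get("pubkey")
    if secondary is None:
        return False, "first-stage image carries no secondary public key"
    if not verify(secondary, stage2, stage2_sig):
        return False, "second-stage signature rejected by secondary key"
    return True, "ok"


def demo():
    """Sign a two-stage chain, then exercise the failures a verifier must catch."""
    master_pub, master_priv = make_keypair(*PRIMES["master"])
    sec_pub, sec_priv = make_keypair(*PRIMES["secondary"])
    rogue_pub, rogue_priv = make_keypair(*PRIMES["rogue"])

    stage1 = build_image(b"first-stage firmware", embedded_pubkey=sec_pub)
    stage1_sig = sign(master_priv, stage1)      # signed with the master key
    stage2 = build_image(b"second-stage kernel")
    stage2_sig = sign(sec_priv, stage2)         # signed with the secondary key

    results = {"good": verify_chain(master_pub, stage1, stage1_sig, stage2, stage2_sig)}

    # Second-stage payload modified after signing: rejected by the secondary key.
    results["tampered_stage2"] = verify_chain(
        master_pub, stage1, stage1_sig,
        build_image(b"second-stage kernel, modified"), stage2_sig)

    # A different public key is placed in the first stage and stage 2 re-signed
    # with it.  The first-stage bytes changed, so the master signature no longer
    # matches and the substituted key is never trusted.
    rogue_stage1 = build_image(b"first-stage firmware", embedded_pubkey=rogue_pub)
    results["rogue_embedded_key"] = verify_chain(
        master_pub, rogue_stage1, stage1_sig, stage2, sign(rogue_priv, stage2))
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:20s} {'PASS' if ok else 'FAIL'}: {reason}")
```

The point of `verify_chain` is the order of operations: the secondary key is read out of the first-stage image only after the master key has accepted that image, so a key placed in the first stage by anyone but the master signer is never consulted. That is what makes the master public key's own storage the single thing that must be tamper-proof, and why a leaked secondary key can only be revoked by re-signing a new first stage with the master key.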