Hello, Please find a patchset proposal for U-Boot verified boot basic support. Before submitting those, I would like to ask people on this list some feedbacks on the way it's currently implemented.
The verified boot support principle is to sign a kernel fitImage, thanks to an SSL keypair, and to append a public key in u-boot device tree blob to enable software integrity check at runtime. The proposal depends on the U-Boot CONFIG_OF_SEPARATE which in effect splits U-Boot binaries allowing the DTB file to be outside the main u-boot binaries. Thus, regarding the current fitImage generation, the following is proposed: - extend the generated fit-images.its file from kernel-fitimage.bbclass in order to add a 'signature' tag to the configuration section, then add a call to uboot-mkimage to sign the fitImage and append the public key to DTB file. - add a task in u-boot.inc 'do_assemble_dtb' which concatenates the device tree blob with public key to u-boot binary, and organize the u-boot and virtual/kernel recipes' tasks this way: u-boot:do_deploy -> virtual/kernel:do_assemble_fitimage -> u-boot:do_assemble_dtb To enable the verified boot, the following variables can be added in a configuration file: KERNEL_CLASSES ?= " kernel-fitimage " KERNEL_IMAGETYPE ?= "fitImage" UBOOT_SIGN_KEYDIR = "/signature/keys/directory" UBOOT_SIGN_KEYNAME = "dev" UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000" UBOOT_SIGN_ENABLE = "1" Well, I don't know if these changes are the way to go, but at least I think this limits the codes changes and it propagates the feature to BSP layers which uses u-boot.inc. Anyway, I would be pleased to get feedback on this. Best regards, Yannick Yannick Gicquel (4): u-boot: basic support of device tree blob reassembly u-boot: deploy u-boot nodtb and dtb files kernel: fitimage: support device tree compiler options kernel: fitimage: basic support for fitimage signature meta/classes/kernel-fitimage.bbclass | 53 +++++++++++++++++++++++++++++++-- meta/recipes-bsp/u-boot/u-boot-sign.inc | 21 +++++++++++++ meta/recipes-bsp/u-boot/u-boot.inc | 36 ++++++++++++++++++++++ 3 files changed, 108 insertions(+), 2 deletions(-) create mode 100644 meta/recipes-bsp/u-boot/u-boot-sign.inc -- 1.9.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
