Hi Harsha,

On 31 May 2014 07:45, Harsha Kiran <harshakiran...@gmail.com> wrote:
> Hi Simon,
>
> I started working on the secure u-boot loading the FIT images and there are
> some of the issues I observed.
>
> I took the latest U-Boot 2014.07-rc2 and applied the below mentioned
> patches..
>
> (..http://patchwork.ozlabs.org/patch/339609/)
> (..http://patchwork.ozlabs.org/patch/339610/)
> (..http://patchwork.ozlabs.org/patch/339611/) I had to do a workaround to
> apply this patch. If I apply the patch directly to the latest u-boot it
> failed in the fit_image.c file.
> I searched online and found fit_image.c from
> (..https://kernel.googlesource.com/pub/scm/linux/kernel/git/maz/u-boot/+/eb63218b9b95a59baa8b241f3a88e4415dabf833/tools/fit_image.c)
> and applied the patch and it was perfect.
> Then I applied http://patchwork.ozlabs.org/patch/350541/
>
> With these patches and removing CONFIG_OF_CONTROL in am335x_evm.h, I was
> able to load my FIT image successfully. If I include CONFIG_OF_CONTROL, I
> get the following error
> No valid FDT found - please append one to U-Boot binary, use u-boot-dtb.bin
> or define CONFIG_OF_EMBED. For sandbox, use -d <file.dtb> ### ERROR ###
> Please RESET the board ###.

This is likely another missing patch. I just sent out a new series
(available in u-boot-x86.git branch 'bone') which adds some
step-by-step documentation. It also collects all the fixes in one
place.

>
> Now for the secure u-boot I added the CONFIG_FIT_SIGNATURE and CONFIG_RSA. I
> modified the doc/uImage.FIT/kernel_fdt.its file to include the signature
> content.
> Here is the file..
>
> /*
>  * Simple U-boot uImage source file containing a single kernel and FDT blob
>  */
>
> /*
>  * Simple U-boot uImage source file containing a single kernel and FDT blob
>  */
>
> /dts-v1/;
>
> / {
>     description = "Simple image with single Linux kernel and FDT blob";
>     #address-cells = <1>;
>
>     images {
>         kernel@1 {
>             description = "3.12 Kernel RT";
>             data = /incbin/("./zImage");
>             type = "kernel";
>             arch = "arm";
>             os = "linux";
>             compression = "none";
>             load = <0x80008000>;
>             entry = <0x80008000>;
>             hash@1 {
>                 algo = "sha1";
>             };
>             signature@1 {
>                 algo = "sha1,rsa2048";
>                 key-name-hint = "dev";
>             };
>         };
>         fdt@1 {
>             description = "Flattened Device Tree blob";
>             data = /incbin/("./am335x-evmsk.dtb");
>             type = "flat_dt";
>             arch = "arm";
>             compression = "none";
>             hash@1 {
>                 algo = "sha1";
>             };
>             signature@1 {
>                 algo = "sha1,rsa2048";
>                 key-name-hint = "dev";
>             };
>         };
>     };
>
>     configurations {
>         default = "conf@1";
>         conf@1 {
>             description = "Boot Linux kernel with FDT blob";
>             kernel = "kernel@1";
>             fdt = "fdt@1";
>         };
>     };
> };
>
> Then, I signed my images with the keys generated from openssl,
>
>
> DTC_OPS="-I dts -O dtb -p 2000"
> sudo mkimage -D "${DTC_OPS}" -f kernel_fdt.its -k dev-keys -K
> u-boot-pubkey.dtb -r kernel_fdt.itb
>
> Build the u-boot again with the signed binary..
>
> harsha@harshakiran_kasha:/abb/Experiment_Secure/u-boot$ sudo make ARCH=arm
> CROSS_COMPILE=/abb/compilers/gcc-linaro-arm-linux-gnueabihf-4.7-2013.04-20130415_linux/bin/arm-linux-gnueabihf-
> -j8 DEV_TREE_BIN=./u-boot-pubkey.dtb
>
>
> Now, while booting, I was able to load the u-boot-dtb.bin file from the
> u-boot prompt and it loaded the FIT image.
>
> U-Boot# fatload mmc 0 0x82000000 u-boot-dtb.bin
> reading u-boot-dtb.bin
> 466611 bytes read in 36 ms (12.4 MiB/s)
> U-Boot# go 0x82000000
> ## Starting application at 0x82000000 ...
>
>
> U-Boot 2014.07-rc2 (May 31 2014 - 02:16:18)
>
> I2C: ready
> DRAM: 256 MiB
> NAND: 0 MiB
> MMC: OMAP SD/MMC: 0, OMAP SD/MMC: 1
> *** Warning - readenv() failed, using default environment
>
> Net: <ethaddr> not set. Validating first E-fuse MAC
> cpsw, usb_ether
> Hit any key to stop autoboot: 0
> mmc0 is current device
> SD/MMC found on device 0
> reading uEnv.txt
> 2481 bytes read in 7 ms (345.7 KiB/s)
> Loaded environment from uEnv.txt
> Importing environment from mmc ...
> Running uenvcmd ...
> reading kernel_fdt.itb
> 4157190 bytes read in 267 ms (14.8 MiB/s)
> ## Loading kernel from FIT Image at 82000000 ...
> Using 'conf@1' configuration
> Verifying Hash Integrity ... OK
> Trying 'kernel@1' kernel subimage
> Description: 3.12 Kernel RT
> Type: Kernel Image
> Compression: uncompressed
> Data Start: 0x820000e4
> Data Size: 4117728 Bytes = 3.9 MiB
> Architecture: ARM
> OS: Linux
> Load Address: 0x80008000
> Entry Point: 0x80008000
> Hash algo: sha1
> Hash value: 3d72bc90b8afb5464cb03de2952d1bba90cd542e
> Sign algo: sha1,rsa2048:dev
> Sign value: unavailable
> Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK
> ## Loading fdt from FIT Image at 82000000 ...
> Using 'conf@1' configuration
> Trying 'fdt@1' fdt subimage
> Description: Flattened Device Tree blob
> Type: Flat Device Tree
> Compression: uncompressed
> Data Start: 0x823ed6f8
> Data Size: 38048 Bytes = 37.2 KiB
> Architecture: ARM
> Hash algo: sha1
> Hash value: 01d8a7481ac4ae281e68383776287a94bd5f2d78
> Sign algo: sha1,rsa2048:dev
> Sign value: unavailable
> Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK
> Booting using the fdt blob at 0x823ed6f8
> Loading Kernel Image ... OK
> Loading Device Tree to 8f611000, end 8f61d49f ... OK
>
> Starting kernel ...
>

I worry that you are loading a zImage to 80008000 which is the
intended load address of the kernel itself. Does the zImage wrapper
handle that? In my example, I use the Image rather than zImage, so
that U-Boot can decompress it.

>
> It says that the hash integrity is verified but when I tried with an
> unsigned kernel_fdt.bin with signed u-boot-dtb.bin I was still able to load
> the FIT and the logs are the same.

Yes but you didn't use the -r flag for mkimage, so the verification is optional.

> I'm not really sure if the verification part is done correctly. Am I following
> the correct procedure or missing something??

Mostly I think. See my documentation in the series mentioned above -
hopefully it will help.

Regards,
Simon
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
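
Added example, not part of the original message or of U-Boot: a small audit of a captured boot log for the condition discussed in this thread. U-Boot prints `+` or `-` after each hash or signature node it checks, and a `-` on a signature whose key is not marked required does not stop the boot, so the line still ends in OK. The function name and the sample log (partly constructed) are assumptions made for this example.

```python
import re

# Constructed sample: the kernel@1 and fdt@1 lines are taken from the boot log
# quoted in the message; the ramdisk@1 and kernel@2 entries are made up here.
SAMPLE_LOG = """\
## Loading kernel from FIT Image at 82000000 ...
Using 'conf@1' configuration
Verifying Hash Integrity ... OK
Trying 'kernel@1' kernel subimage
Sign value: unavailable
Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK
Trying 'fdt@1' fdt subimage
Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK
Trying 'ramdisk@1' ramdisk subimage
Verifying Hash Integrity ... sha1+ OK
Trying 'kernel@2' kernel subimage
Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev+ OK
"""

TRYING = re.compile(r"Trying '([^']+)'")
VERIFY = re.compile(r"Verifying Hash Integrity \.\.\.\s*(.*)$")
# One token per checked node: "<algo>[:<key-name-hint>]" followed by + or -.
TOKEN = re.compile(r"(\S+?)([+-])(?=\s|$)")


def audit_fit_log(log):
    """Return (subimage, algo, problem) for each image that was loaded
    without a successfully verified signature."""
    findings = []
    subimage = None
    for line in log.splitlines():
        m = TRYING.search(line)
        if m:
            subimage = m.group(1)
            continue
        m = VERIFY.search(line)
        if not m or subimage is None:
            continue  # configuration-level check or unrelated output
        tokens = TOKEN.findall(m.group(1))
        # Signature algos are written "<hash>,<crypto>"; plain hashes are not.
        sigs = [(algo, st) for algo, st in tokens if "," in algo]
        if not sigs:
            findings.append((subimage, None, "no signature checked"))
        findings.extend((subimage, algo, "signature not verified")
                        for algo, st in sigs if st == "-")
        subimage = None  # one verify line follows each "Trying" line
    return findings


if __name__ == "__main__":
    for finding in audit_fit_log(SAMPLE_LOG):
        print(finding)
```
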