Hi Simon,

I was able to successfully test the Secure u-boot on the beaglebone black from the u-boot-x86 Bone git. Thanks for all the help and it was a great beaglebone_vboot.txt file!

I have some minor things I would like to mention when I followed the procedure.

1) In the 7th step

7. Put U-Boot and the kernel onto the board
-------------------------------------------

The MLO information is missing.

2) I was not able to boot with kernel (image.lzo) in the FIT. It gave me the following error:

U-Boot# bootm 0x82000000
## Loading kernel from FIT Image at 82000000 ...
   Using 'conf@1' configuration
   Verifying Hash Integrity ... OK
   Trying 'kernel@1' kernel subimage
     Description:  unavailable
     Created:      2014-06-04 1:28:38 UTC
     Type:         Kernel Image
     Compression:  lzo compressed
     Data Start:   0x820000a8
     Data Size:    8543704 Bytes = 8.1 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x80008000
     Entry Point:  0x80008000
     Hash algo:    sha1
     Hash value:   9504d8fefcec81c054e2d0fb4e9d9b6bcfb9b4b7
   Verifying Hash Integrity ... sha1+ OK
## Loading fdt from FIT Image at 82000000 ...
   Using 'conf@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  beaglebone-black
     Created:      2014-06-04 1:28:38 UTC
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x82825f68
     Data Size:    34352 Bytes = 33.5 KiB
     Architecture: ARM
     Hash algo:    sha1
     Hash value:   4b14973cf0fe4a40dc420ed55d2441c6f51f586b
   Verifying Hash Integrity ... sha1+ OK
   Booting using the fdt blob at 0x82825f68
   Uncompressing Kernel Image ... LZO: uncompress or overwrite error -1 - must RESET board to recover
resetting ...

U-Boot SPL 2014.07-rc2 (Jun 03 2014 - 20:09:15)
reading u-boot.img
reading u-boot.img

But when I switch it back to the zImage it worked good. I will check again on this.

Thanks,
Harsha Kiran

On Mon, Jun 2, 2014 at 11:46 PM, Simon Glass <s...@chromium.org> wrote:
> Hi Harsha,
>
> On 31 May 2014 07:45, Harsha Kiran <harshakiran...@gmail.com> wrote:
> > Hi Simon,
> >
> > I started working on the secure u-boot loading the FIT images and there are
> > some of the issues I observed.
> >
> > I took the latest U-Boot 2014.07-rc2 and applied the below mentioned
> > patches..
> >
> > (..http://patchwork.ozlabs.org/patch/339609/)
> > (..http://patchwork.ozlabs.org/patch/339610/)
> > (..http://patchwork.ozlabs.org/patch/339611/) I had to do a workaround to
> > apply this patch. If I apply the patch directly to the latest u-boot it
> > failed in the fit_image.c file.
> > I searched online and found fit_image.c from
> > (..https://kernel.googlesource.com/pub/scm/linux/kernel/git/maz/u-boot/+/eb63218b9b95a59baa8b241f3a88e4415dabf833/tools/fit_image.c)
> > and applied the patch and it was perfect.
> > Then I applied http://patchwork.ozlabs.org/patch/350541/
> >
> > With these patches and removing CONFIG_OF_CONTROL in am335x_evm.h, I was
> > able to load my FIT image successfully. If I include CONFIG_OF_CONTROL, I
> > get the following error
> > No valid FDT found - please append one to U-Boot binary, use u-boot-dtb.bin
> > or define CONFIG_OF_EMBED. For sandbox, use -d <file.dtb> ### ERROR ###
> > Please RESET the board ###.
>
> This is likely another missing patch.
>
> I just sent out a new series (available in u-boot-x86.git branch
> 'bone') which adds some step-by-step documentation. It also collects
> all the fixes in one place.
>
> >
> > Now for the secure u-boot I added the CONFIG_FIT_SIGNATURE and CONFIG_RSA. I
> > modified the doc/uImage.FIT/kernel_fdt.its file to include the signature
> > content.
> > Here is the file..
> >
> > /*
> >  * Simple U-boot uImage source file containing a single kernel and FDT blob
> >  */
> >
> > /dts-v1/;
> >
> > / {
> >     description = "Simple image with single Linux kernel and FDT blob";
> >     #address-cells = <1>;
> >
> >     images {
> >         kernel@1 {
> >             description = "3.12 Kernel RT";
> >             data = /incbin/("./zImage");
> >             type = "kernel";
> >             arch = "arm";
> >             os = "linux";
> >             compression = "none";
> >             load = <0x80008000>;
> >             entry = <0x80008000>;
> >             hash@1 {
> >                 algo = "sha1";
> >             };
> >             signature@1 {
> >                 algo = "sha1,rsa2048";
> >                 key-name-hint = "dev";
> >             };
> >         };
> >         fdt@1 {
> >             description = "Flattened Device Tree blob";
> >             data = /incbin/("./am335x-evmsk.dtb");
> >             type = "flat_dt";
> >             arch = "arm";
> >             compression = "none";
> >             hash@1 {
> >                 algo = "sha1";
> >             };
> >             signature@1 {
> >                 algo = "sha1,rsa2048";
> >                 key-name-hint = "dev";
> >             };
> >         };
> >     };
> >
> >     configurations {
> >         default = "conf@1";
> >         conf@1 {
> >             description = "Boot Linux kernel with FDT blob";
> >             kernel = "kernel@1";
> >             fdt = "fdt@1";
> >         };
> >     };
> > };
> >
> > Then, I signed my images with the keys generated from openssl,
> >
> > DTC_OPS="-I dts -O dtb -p 2000"
> > sudo mkimage -D "${DTC_OPS}" -f kernel_fdt.its -k dev-keys -K u-boot-pubkey.dtb -r kernel_fdt.itb
> >
> > build the u-boot again with the signed binary..
> >
> > harsha@harshakiran_kasha:/abb/Experiment_Secure/u-boot$ sudo make ARCH=arm CROSS_COMPILE=/abb/compilers/gcc-linaro-arm-linux-gnueabihf-4.7-2013.04-20130415_linux/bin/arm-linux-gnueabihf- -j8 DEV_TREE_BIN=./u-boot-pubkey.dtb
> >
> > Now, while booting, I was able to load the u-boot-dtb.bin file from the
> > u-boot prompt and it loaded the FIT image.
> >
> > U-Boot# fatload mmc 0 0x82000000 u-boot-dtb.bin
> > reading u-boot-dtb.bin
> > 466611 bytes read in 36 ms (12.4 MiB/s)
> > U-Boot# go 0x82000000
> > ## Starting application at 0x82000000 ...
> >
> >
> > U-Boot 2014.07-rc2 (May 31 2014 - 02:16:18)
> >
> > I2C:   ready
> > DRAM:  256 MiB
> > NAND:  0 MiB
> > MMC:   OMAP SD/MMC: 0, OMAP SD/MMC: 1
> > *** Warning - readenv() failed, using default environment
> >
> > Net:   <ethaddr> not set. Validating first E-fuse MAC
> > cpsw, usb_ether
> > Hit any key to stop autoboot:  0
> > mmc0 is current device
> > SD/MMC found on device 0
> > reading uEnv.txt
> > 2481 bytes read in 7 ms (345.7 KiB/s)
> > Loaded environment from uEnv.txt
> > Importing environment from mmc ...
> > Running uenvcmd ...
> > reading kernel_fdt.itb
> > 4157190 bytes read in 267 ms (14.8 MiB/s)
> > ## Loading kernel from FIT Image at 82000000 ...
> >    Using 'conf@1' configuration
> >    Verifying Hash Integrity ... OK
> >    Trying 'kernel@1' kernel subimage
> >      Description:  3.12 Kernel RT
> >      Type:         Kernel Image
> >      Compression:  uncompressed
> >      Data Start:   0x820000e4
> >      Data Size:    4117728 Bytes = 3.9 MiB
> >      Architecture: ARM
> >      OS:           Linux
> >      Load Address: 0x80008000
> >      Entry Point:  0x80008000
> >      Hash algo:    sha1
> >      Hash value:   3d72bc90b8afb5464cb03de2952d1bba90cd542e
> >      Sign algo:    sha1,rsa2048:dev
> >      Sign value:   unavailable
> >    Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK
> > ## Loading fdt from FIT Image at 82000000 ...
> >    Using 'conf@1' configuration
> >    Trying 'fdt@1' fdt subimage
> >      Description:  Flattened Device Tree blob
> >      Type:         Flat Device Tree
> >      Compression:  uncompressed
> >      Data Start:   0x823ed6f8
> >      Data Size:    38048 Bytes = 37.2 KiB
> >      Architecture: ARM
> >      Hash algo:    sha1
> >      Hash value:   01d8a7481ac4ae281e68383776287a94bd5f2d78
> >      Sign algo:    sha1,rsa2048:dev
> >      Sign value:   unavailable
> >    Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK
> >    Booting using the fdt blob at 0x823ed6f8
> >    Loading Kernel Image ... OK
> >    Loading Device Tree to 8f611000, end 8f61d49f ... OK
> >
> > Starting kernel ...
> >
>
> I worry that you are loading a zImage to 80008000 which is the
> intended load address of the kernel itself. Does the zImage wrapper
> handle that?
>
> In my example, I use the Image rather than zImage, so that U-Boot can
> decompress it.
>
> >
> > It says that the hash integrity is verified but when I tried with an
> > unsigned kernel_fdt.bin with signed u-boot-dtb.bin I was still able to load
> > the FIT and the logs are the same.
>
> Yes but you didn't use the -r flag for mkimage, so the verification is
> optional.
>
> > I am not really sure if the verification part is done correctly. Am I following
> > the correct procedure or missing something??
>
> Mostly I think. See my documentation in the series mentioned above -
> hopefully it will help.
>
> Regards,
> Simon
> --
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
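
Added example (not part of the original thread and not U-Boot code): a small Python check over console output in the format quoted above, flagging subimages that booted without a verified signature. It assumes U-Boot's marker convention, in which `+` after an algorithm name means that check passed and `-` after a `hash,crypto:key` entry means the signature was not verified but the boot continued because no required key enforced it; the sample log, the `kernel@2` entry and the function name are constructed for illustration.

```python
import re

# Constructed sample in the console format shown in the thread; kernel@2 is
# a made-up entry showing what a verified signature looks like.
SAMPLE_LOG = """\
## Loading kernel from FIT Image at 82000000 ...
   Using 'conf@1' configuration
   Verifying Hash Integrity ... OK
   Trying 'kernel@1' kernel subimage
   Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK
## Loading fdt from FIT Image at 82000000 ...
   Trying 'fdt@1' fdt subimage
   Verifying Hash Integrity ... sha1+ OK
## Loading kernel from FIT Image at 82000000 ...
   Trying 'kernel@2' kernel subimage
   Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev+ OK
"""

TRYING = re.compile(r"Trying '([^']+)'")
VERIFY = re.compile(r"Verifying Hash Integrity \.\.\.(.*)$")


def audit_fit_log(text):
    """Map each subimage to 'sig-verified', 'sig-not-verified' or 'hash-only'."""
    results, current = {}, None
    for line in text.splitlines():
        if line.startswith("## Loading"):
            current = None              # new section: forget previous subimage
            continue
        m = TRYING.search(line)
        if m:
            current = m.group(1)
            continue
        m = VERIFY.search(line)
        if not m or current is None:    # skips the configuration-level line
            continue
        # Tokens look like 'sha1+' (hash) or 'sha1,rsa2048:dev-' (signature).
        sig_marks = [tok[-1] for tok in m.group(1).split()
                     if "," in tok and tok[-1] in "+-"]
        if not sig_marks:
            results[current] = "hash-only"
        elif all(mark == "+" for mark in sig_marks):
            results[current] = "sig-verified"
        else:
            results[current] = "sig-not-verified"
    return results


if __name__ == "__main__":
    for image, status in audit_fit_log(SAMPLE_LOG).items():
        print(f"{image}: {status}")
```

Anything other than `sig-verified` on an image that is supposed to be protected means the boot did not depend on the signature, which matches the observation in the thread that an unsigned FIT produced the same log.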