Hi,

On 4 November 2014 19:36, Srinivasan S <srinivasa...@tataelxsi.co.in> wrote:
> Hi Simon
>
>
> Sorry to push you hard again could you please help me in resolving the below
> issue that am facing while generating private key & certificate containing
> public key
>
> ie., when executing Step 4: Create a key pair
> (http://lists.denx.de/pipermail/u-boot/2014-June/180845.html)
>
> WARNING: can't open config file:
> /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
> Unable to load config info from
> /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf

Please don't top post.

I don't know what xxxxyyyy is or why it appears. Did you 'mkdir keys'?

Regards,
Simon

>
>
> Many Thanks a lot in advance
> ________________________________________
> From: Srinivasan S
> Sent: Tuesday, November 4, 2014 3:37 PM
> To: Simon Glass
> Cc: srinivasan; U-Boot Mailing List
> Subject: Re: verifying & signing
>
> Hi Simon,
>
> When I was generating the keys ie., Step 4: Create a key pair
>
> Am facing one more error while generating private key & certificate
> containing public key used for verification when I execute the below openssl
> commands it is saying can't open config file:
>
> srinivasan@tata-HP-Elite-7100-Microtower-PC:~/TUNSTALL/board-support/linux-3.12.10-ti2013.12.01/work$
> openssl genrsa -F4 -out keys/dev.key 2048
> WARNING: can't open config file:
> /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
> Generating RSA private key, 2048 bit long modulus
> ............................+++
> ...............................................+++
> e is 65537 (0x10001)
> srinivasan@tata-HP-Elite-7100-Microtower-PC:~/TUNSTALL/board-support/linux-3.12.10-ti2013.12.01/work$
> openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
> WARNING: can't open config file:
> /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
> Unable to load config info from
> /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
>
> Could you pls do the needful in resolving this errors cz of which am not able
> to proceed further
>
> Many Thanks in advance
>
> ________________________________________
> From: s...@google.com <s...@google.com> on behalf of Simon Glass
> <s...@chromium.org>
> Sent: Tuesday, November 4, 2014 12:07 PM
> To: Srinivasan S
> Cc: srinivasan; U-Boot Mailing List
> Subject: Re: verifying & signing
>
> Hi,
>
> On 3 November 2014 20:01, Srinivasan S <srinivasa...@tataelxsi.co.in> wrote:
>> Hi Simon,
>>
>> Good Morning!
>>
>> Many Thanks a lot for all your support so far,
>>
>> 1. With respect to the verified boot , I want to put the images onto NAND
>> FLASH, Could you please let me know what is the procedure of flashing the
>> verified boot images onto NAND instead of micro-SD
>
> One option would be to use UBI to provide a consistent block interface
> and then sit verity on top of that. But there may be other options,
> I'm not sure.
>
>>
>> 2.Does dm-verity works only on read-only rootfs?.. or it works on read-write
>> rootfs?.. because as of now we are looking out only for a bare minimal
>> rootfs , could you please suggest me if any rootfs with minimal support
>> where dm-verity can be applied & verified apart from android
>
> It requires a read-only rootfs. You can enable it on a filesystem
> fairly easily - you need to run a tool to generate the hashes and root
> hash, then pass that to the kernel on boot. You don't need to use
> Android or Chrome OS - it is available in mainline Linux. I'm not sure
> if there is a cogent guide somewhere though.
>
>>
>> I want to implement the automatic software update & recovery feature (ie.,
>> firmware update of uboot, kernel & rootfs) in ti-sdk-am335x-evm-07.00.00.00
>> BSP's , if in case if it bricks to unbrick by itself,
>> Could you please help me with suitable pointers & source code links for
>> implementing this feature
>
> This is one way.
>
> http://www.chromium.org/chromium-os/u-boot-porting-guide/2-concepts
>
> So ensure there can be no bricking you probably need to have a U-Boot
> that you never update. It can then check the signature of a secondary
> updateable U-Boot, and jump to it if it is OK. This is what Chrome OS
> does.
>
> BTW as this is a mailing list you should normally put the replies
> below the text, not above.
>
> Regards,
> Simon
>
>
>>
>> Awaiting for your replies
>> Many Thanks in advance again,
>>
>> Srinivasan S
>>
>>
>> ________________________________________
>> From: s...@google.com <s...@google.com> on behalf of Simon Glass
>> <s...@chromium.org>
>> Sent: Monday, November 3, 2014 5:08 AM
>> To: srinivasan
>> Cc: U-Boot Mailing List; Srinivasan S
>> Subject: Re: verifying & signing
>>
>> Hi,
>>
>> On 2 November 2014 07:06, srinivasan <srinivasan....@gmail.com> wrote:
>>>
>>> Hi Simon,
>>>
>>> http://lists.denx.de/pipermail/u-boot/2014-June/180845.html
>>>
>>> As the above link explains the Signing of kernel & verifying with uboot,
>>>
>>> Could you please let me know do you have any methods of signing & verifying
>>> the linux kernel with root file system ie., am using
>>> ti-sdk-am335x-evm-07.00.00.00 BSP's where linux kernel is from this BSP only
>>> & would be planning to use rootfs as my Angstrom filesystem or any others
>>
>> If you use dm-verity you can verify your root disk using a hash which
>> is stored in the verified part of U-Boot. This is the method used by
>> Chrome OS. This requires a read-only rootfs though. Is that
>> acceptable?
>>
>> See this page for some info on how Android does this:
>>
>> https://source.android.com/devices/tech/security/dm-verity.html
>>
>>>
>>> Could you please let me know how do we sign & verify the kernel with rootfs
>>> with detailed steps as am using beaglebone black as my development board
>>> with ti-sdk-am335x-evm-07.00.00.00 BSP's
>>
>> I don't have details steps of this part sorry. An overview is here:
>>
>> http://events.linuxfoundation.org/sites/events/files/slides/chromeos_and_diy_vboot_0.pdf
>>
>>
>>>
>>> Awaiting for your replies
>>> Many Thanks in advance
>>>
>>
>> Regards,
>> Simon

_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
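
Added example, not part of the thread and not code from U-Boot or the posters: the two "Step 4" openssl commands quoted above, run with the keys directory created first and with OPENSSL_CONF pointing at a local config file, then a check that dev.crt carries the public half of dev.key. It assumes the warning comes from the SDK's openssl binary looking for openssl.cnf at a build-time path that does not exist on the host; the config contents, CN=dev and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). File names keys/dev.key and keys/dev.crt
# follow the commands quoted in the thread; everything else is an assumption.

# Create <dir>/keys, a minimal local openssl.cnf, the RSA key and the certificate.
make_dev_keypair() {
    dir=$1
    mkdir -p "$dir/keys" || return 1
    chmod 700 "$dir/keys" || return 1
    cnf="$dir/keys/openssl.cnf"
    # Constructed minimal config: enough for 'openssl req' to build a subject
    # without reading the toolchain's default openssl.cnf location.
    cat > "$cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = dev
EOF
    # umask keeps the private key readable by the owner only.
    ( umask 077
      OPENSSL_CONF="$cnf" openssl genrsa -F4 -out "$dir/keys/dev.key" 2048
    ) 2>/dev/null || return 1
    OPENSSL_CONF="$cnf" openssl req -batch -new -x509 \
        -key "$dir/keys/dev.key" -out "$dir/keys/dev.crt" || return 1
}

# Succeed only if the certificate's public key is the one derived from dev.key,
# i.e. the certificate used for verification matches the signing key.
keypair_matches() {
    dir=$1
    from_key=$(openssl rsa -in "$dir/keys/dev.key" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$dir/keys/dev.crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# Usage: make_dev_keypair . && keypair_matches . && echo "key pair OK"
```

Running keypair_matches again after any later regeneration of dev.key catches a certificate that no longer corresponds to the signing key.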