On 11/12/21 20:49, François Ozog wrote:
Hi Simon
Le ven. 12 nov. 2021 à 20:36, Simon Glass <s...@chromium.org
<mailto:s...@chromium.org>> a écrit :
At present mkimage supports signing FITs, the standard U-Boot image
type.
Various people are opposed to using FIT since:
just to be sure: I am not one of those.
a) it requires adding support for FIT into other bootloaders, notably
UEFI
whatever happens to FIT is entirely orthogonal to U-Boot UEFI subsystem.
FIT can evolve, U-Boot UEFI does not have to change.
We already can create signed FIT images containing a UEFI binary and a
devcie-tree and launch the FIT image with the bootm command.
Cf.
CONFIG_BOOTM_EFI
test/py/tests/test_efi_fit.py
doc/usage/bootefi.rst
Simon, what are you missing?
b) it requires packaging a kernel in this standard U-Boot format,
meaning
that distros must run 'mkimage' and deal with the kernel and initrd
being inside a FIT
U-Boot tools are contained in distros like Debian and Ubuntu.
Package flash-kernel uses a script in /etc/initramfs/post-update.d/ for
a similar purpose. The same hook directory can be used to create a FIT
image with a simple bash script.
Why do we need a new tool for signing device-trees?
The real problem to solve is the protection of the private key used for
signing any file containing an initrd.
The kernel and initrd can be dealt with in other ways. But without FIT,
How can the initrd be checked without FIT?
we have no standard way of signing and grouping FDT files. Instead
we must
include them in the distro as separate files.
In particular, some sort of mechanism for verifying FDT files is needed.
One option would be to tack a signature on before or after the file,
processing it accordingly. But due to the nature of the FDT binary
format,
it is possible to embed a signature inside the FDT itself, which is very
convenient.
This series provides a tool, fdt_sign, which can add a signature to an
FDT. The signature can be checked later, preventing any change to
the FDT,
other than in permitted nodes (e.g. /chosen).
I am not aware of any standard defining which nodes may be changed in
the FDT fixup and which may not be changed.
How can we discover which nodes were excluded from the signature after
the signature?
This series also provides a fdt_check_sign tool, used to check
signatures.
Both of these tools are stand-alone do not require mkimage or FIT.
As with FIT signing, multiple signatures are possible, but in this case
that requires that fit_sign be called once for each signature. To
make the
check fail if a signature does not match, it should be marked as
'required' using the -r flag to fdt_sign.
Run-time support for checking FDT signatures could be added to U-Boot
fairly easily, but needs further discussion as the correct plumbing
needs
to be determined.
For now there is absolutely no configurability in the signature
mechanism.
I would have expected a description of what a signature looks like. I
don't wont to reverse engineer your patches.
Please, describe this in doc/develop/ and in this cover-letter.
This series should have been sent as RFC.
Best regards
Heinrich
It would of course be possible to adjust which nodes are signed, as is
done for FIT, but that needs further discussion also. The omission
of the
/chosen node is implemented in h_exclude_nodes() like this:
if (type == FDT_IS_NODE) {
/* Ignore the chosen node as well as /signature and subnodes */
if (!strcmp("/chosen", data) || !strncmp("/signature", data, 10))
return 0;
}
Man pages are provided with example usage of the tools. Use this to view
them:
man -l doc/fdt_check_sign.1
This series also includes various clean-ups noticed along the way,
as well
as refactoring to avoid code duplication with the new tools. The
last four
patches are the new code.
This series is available at u-boot-dm/fdt-sign-working :
https://source.denx.de/u-boot/custodians/u-boot-dm/-/tree/fdt-sign-working
<https://source.denx.de/u-boot/custodians/u-boot-dm/-/tree/fdt-sign-working>
Simon Glass (16):
rsa: Add debugging for failure cases
fit_check_sign: Update help to mention the key is in a dtb
tools: Move copyfile() into a common file
tools: Avoid leaving extra data at the end of copied files
tools: Improve comments in signing functions
tools: Drop unused name in image-host
tools: Avoid confusion between keys and signatures
tools: Tidy up argument order in fit_config_check_sig()
tools: Pass the key blob around
image: Return destination node for add_verify_data() method
tools: Pass public-key node through to caller
tools: mkimage: Show where signatures/keys are written
tools: Add a new tool to sign FDT blobs
tools: Add a new tool to check FDT-blob signatures
test: Add a test for FDT signing
tools: Add man pages for fdt_sign and fdt_check_sign
MAINTAINERS | 7 +
boot/image-fit-sig.c | 151 +++++++++----
boot/image-fit.c | 12 +-
common/spl/spl_fit.c | 3 +-
doc/fdt_check_sign.1 | 74 +++++++
doc/fdt_sign.1 | 111 ++++++++++
include/image.h | 80 ++++++-
include/u-boot/ecdsa.h | 5 +-
include/u-boot/rsa.h | 5 +-
lib/ecdsa/ecdsa-libcrypto.c | 4 +-
lib/rsa/rsa-sign.c | 5 +-
lib/rsa/rsa-verify.c | 13 +-
test/py/tests/test_fdt_sign.py | 83 ++++++++
test/py/tests/test_vboot.py | 21 +-
test/py/tests/vboot/sign-fdt.dts | 23 ++
test/py/tests/vboot_comm.py | 22 ++
tools/Makefile | 10 +-
tools/fdt-host.c | 353 +++++++++++++++++++++++++++++++
tools/fdt_check_sign.c | 85 ++++++++
tools/fdt_host.h | 46 ++++
tools/fdt_sign.c | 210 ++++++++++++++++++
tools/fit_check_sign.c | 4 +-
tools/fit_common.c | 69 ++++++
tools/fit_common.h | 23 ++
tools/fit_image.c | 59 +-----
tools/image-fdt-sig.c | 254 ++++++++++++++++++++++
tools/image-host.c | 155 +++++++++++---
tools/imagetool.h | 4 +
tools/mkimage.c | 4 +
29 files changed, 1714 insertions(+), 181 deletions(-)
create mode 100644 doc/fdt_check_sign.1
create mode 100644 doc/fdt_sign.1
create mode 100644 test/py/tests/test_fdt_sign.py
create mode 100644 test/py/tests/vboot/sign-fdt.dts
create mode 100644 test/py/tests/vboot_comm.py
create mode 100644 tools/fdt-host.c
create mode 100644 tools/fdt_check_sign.c
create mode 100644 tools/fdt_sign.c
create mode 100644 tools/image-fdt-sig.c
--
2.34.0.rc1.387.gb447b232ab-goog
--
François-Frédéric Ozog | /Director Business Development/
T: +33.67221.6485
francois.o...@linaro.org <mailto:francois.o...@linaro.org> | Skype: ffozog
