doc: uniphier: add simple guide to Verified Boot
Add a simple documentation about how to use the Verified Boot on UniPhier boards. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
This commit is contained in:
parent
15d0f3538a
commit
9e19031ca3
@ -107,6 +107,231 @@ Firmware.
|
||||
[ARM Trusted Firmware]: https://github.com/ARM-software/arm-trusted-firmware
|
||||
|
||||
|
||||
Verified Boot
|
||||
-------------
|
||||
|
||||
U-Boot supports an image verification method called "Verified Boot".
|
||||
This is a brief tutorial to utilize this feature for the UniPhier platform.
|
||||
You will find details documents in the doc/uImage.FIT directory.
|
||||
|
||||
Here, we take LD20 reference board for example, but it should work for any
|
||||
other boards including 32 bit SoCs.
|
||||
|
||||
1. Generate key to sign with
|
||||
|
||||
$ mkdir keys
|
||||
$ openssl genpkey -algorithm RSA -out keys/dev.key \
|
||||
-pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
|
||||
$ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
|
||||
|
||||
Two files "dev.key" and "dev.crt" will be created. The base name is arbitrary,
|
||||
but need to match to the "key-name-hint" property described below.
|
||||
|
||||
2. Describe FIT source
|
||||
|
||||
You need to write an FIT (Flattened Image Tree) source file to describe the
|
||||
structure of the image container.
|
||||
|
||||
The following is an example for a simple usecase:
|
||||
|
||||
---------------------------------------->8----------------------------------------
|
||||
/dts-v1/;
|
||||
|
||||
/ {
|
||||
description = "Kernel, DTB and Ramdisk for UniPhier LD20 Reference Board";
|
||||
#address-cells = <1>;
|
||||
|
||||
images {
|
||||
kernel@0 {
|
||||
description = "linux";
|
||||
data = /incbin/("PATH/TO/YOUR/LINUX/DIR/arch/arm64/boot/Image.gz");
|
||||
type = "kernel";
|
||||
arch = "arm64";
|
||||
os = "linux";
|
||||
compression = "gzip";
|
||||
load = <0x82080000>;
|
||||
entry = <0x82080000>;
|
||||
hash@0 {
|
||||
algo = "sha256";
|
||||
};
|
||||
};
|
||||
|
||||
fdt@0 {
|
||||
description = "fdt";
|
||||
data = /incbin/("PATH/TO/YOUR/LINUX/DIR/arch/arm64/boot/dts/socionext/uniphier-ld20-ref.dtb");
|
||||
type = "flat_dt";
|
||||
arch = "arm64";
|
||||
compression = "none";
|
||||
hash@0 {
|
||||
algo = "sha256";
|
||||
};
|
||||
};
|
||||
|
||||
ramdisk@0 {
|
||||
description = "ramdisk";
|
||||
data = /incbin/("PATH/TO/YOUR/ROOTFS/DIR/rootfs.cpio");
|
||||
type = "ramdisk";
|
||||
arch = "arm64";
|
||||
os = "linux";
|
||||
compression = "none";
|
||||
hash@0 {
|
||||
algo = "sha256";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
configurations {
|
||||
default = "config@0";
|
||||
|
||||
config@0 {
|
||||
description = "Configuration0";
|
||||
kernel = "kernel@0";
|
||||
fdt = "fdt@0";
|
||||
ramdisk = "ramdisk@0";
|
||||
signature@0 {
|
||||
algo = "sha256,rsa2048";
|
||||
key-name-hint = "dev";
|
||||
sign-images = "kernel", "fdt", "ramdisk";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
---------------------------------------->8----------------------------------------
|
||||
|
||||
You need to change the three '/incbin/' lines, depending on the location of
|
||||
your kernel image, device tree blob, and init ramdisk. The "load" and "entry"
|
||||
properties also need to be adjusted if you want to change the physical placement
|
||||
of the kernel.
|
||||
|
||||
The "key-name-hint" must specify the key name you have created in the step 1.
|
||||
|
||||
The FIT file name is arbitrary. Let's say you saved it into "fit.its".
|
||||
|
||||
3. Compile U-Boot with FIT and signature enabled
|
||||
|
||||
To use the Verified Boot, you need to enable the following two options:
|
||||
CONFIG_FIT
|
||||
CONFIG_FIT_SIGNATURE
|
||||
|
||||
They are disabled by default for UniPhier defconfig files. So, you need to
|
||||
tweak the configuration from "make menuconfig" or friends.
|
||||
|
||||
$ make uniphier_v8_defconfig
|
||||
$ make menuconfig
|
||||
[ enable CONFIG_FIT and CONFIG_FIT_SIGNATURE ]
|
||||
$ make CROSS_COMPILE=aarch64-linux-gnu-
|
||||
|
||||
4. Build the image tree blob
|
||||
|
||||
After building U-Boot, you will see tools/mkimage. With this tool, you can
|
||||
create an image tree blob as follows:
|
||||
|
||||
$ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage
|
||||
|
||||
The -k option must specify the key directory you have created in step 1.
|
||||
|
||||
A file "fitImage" will be created. This includes kernel, DTB, Init-ramdisk,
|
||||
hash data for each of the three, and signature data.
|
||||
|
||||
The public key needed for the run-time verification is stored in "dts/dt.dtb".
|
||||
|
||||
5. Compile U-Boot again
|
||||
|
||||
Since the "dt.dtb" has been updated in step 4, you need to re-compile the
|
||||
U-Boot.
|
||||
|
||||
$ make CROSS_COMPILE=aarch64-linux-gnu-
|
||||
|
||||
The re-compiled "u-boot.bin" is appended with DTB that contains the public key.
|
||||
|
||||
6. Flash the image
|
||||
|
||||
Flash the "fitImage" to a storage device (NAND, eMMC, or whatever) on your
|
||||
board.
|
||||
|
||||
Please note the "u-boot.bin" must be signed, and verified by someone when it is
|
||||
loaded. For ARMv8 SoCs, the "someone" is generally ARM Trusted Firmware BL2.
|
||||
ARM Trusted Firmware supports an image authentication mechanism called Trusted
|
||||
Board Boot (TBB). The verification process must be chained from the moment of
|
||||
the system reset. If the Chain of Trust has a breakage somewhere, the verified
|
||||
boot process is entirely pointless.
|
||||
|
||||
7. Boot verified kernel
|
||||
|
||||
Load the fitImage to memory and run the following from the U-Boot command line.
|
||||
|
||||
> bootm <addr>
|
||||
|
||||
Here, <addr> is the base address of the fitImage.
|
||||
|
||||
If it is successful, you will see messages like follows:
|
||||
|
||||
---------------------------------------->8----------------------------------------
|
||||
## Loading kernel from FIT Image at 84100000 ...
|
||||
Using 'config@0' configuration
|
||||
Verifying Hash Integrity ... sha256,rsa2048:dev+ OK
|
||||
Trying 'kernel@0' kernel subimage
|
||||
Description: linux
|
||||
Created: 2017-10-20 14:32:29 UTC
|
||||
Type: Kernel Image
|
||||
Compression: gzip compressed
|
||||
Data Start: 0x841000c8
|
||||
Data Size: 6957818 Bytes = 6.6 MiB
|
||||
Architecture: AArch64
|
||||
OS: Linux
|
||||
Load Address: 0x82080000
|
||||
Entry Point: 0x82080000
|
||||
Hash algo: sha256
|
||||
Hash value: 82a37b7f11ae55f4e07aa25bf77e4067cb9dc1014d52d6cd4d588f92eee3aaad
|
||||
Verifying Hash Integrity ... sha256+ OK
|
||||
## Loading ramdisk from FIT Image at 84100000 ...
|
||||
Using 'config@0' configuration
|
||||
Trying 'ramdisk@0' ramdisk subimage
|
||||
Description: ramdisk
|
||||
Created: 2017-10-20 14:32:29 UTC
|
||||
Type: RAMDisk Image
|
||||
Compression: uncompressed
|
||||
Data Start: 0x847a5cc0
|
||||
Data Size: 5264365 Bytes = 5 MiB
|
||||
Architecture: AArch64
|
||||
OS: Linux
|
||||
Load Address: unavailable
|
||||
Entry Point: unavailable
|
||||
Hash algo: sha256
|
||||
Hash value: 44980a2874154a2e31ed59222c9f8ea968867637f35c81e4107a984de7014deb
|
||||
Verifying Hash Integrity ... sha256+ OK
|
||||
## Loading fdt from FIT Image at 84100000 ...
|
||||
Using 'config@0' configuration
|
||||
Trying 'fdt@0' fdt subimage
|
||||
Description: fdt
|
||||
Created: 2017-10-20 14:32:29 UTC
|
||||
Type: Flat Device Tree
|
||||
Compression: uncompressed
|
||||
Data Start: 0x847a2cb0
|
||||
Data Size: 12111 Bytes = 11.8 KiB
|
||||
Architecture: AArch64
|
||||
Hash algo: sha256
|
||||
Hash value: c517099db537f6d325e6be46b25c871a41331ad5af0283883fd29d40bfc14e1d
|
||||
Verifying Hash Integrity ... sha256+ OK
|
||||
Booting using the fdt blob at 0x847a2cb0
|
||||
Uncompressing Kernel Image ... OK
|
||||
reserving fdt memory region: addr=80000000 size=2000000
|
||||
Loading Device Tree to 000000009fffa000, end 000000009fffff4e ... OK
|
||||
|
||||
Starting kernel ...
|
||||
---------------------------------------->8----------------------------------------
|
||||
|
||||
Please pay attention to the lines that start with "Verifying Hash Integrity".
|
||||
|
||||
"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature check
|
||||
passed.
|
||||
|
||||
"Verifying Hash Integrity ... sha256+ OK" (3 times) means the hash check passed
|
||||
for kernel, DTB, and Init ramdisk.
|
||||
|
||||
If they are not displayed, the Verified Boot is not working.
|
||||
|
||||
|
||||
UniPhier specific commands
|
||||
--------------------------
|
||||
|
||||
@ -179,4 +404,4 @@ newer SoCs. Even if it is, EA[25] is not connected on most of the boards.
|
||||
|
||||
--
|
||||
Masahiro Yamada <yamada.masahiro@socionext.com>
|
||||
Sep. 2017
|
||||
Oct. 2017
|
||||
|
Loading…
Reference in New Issue
Block a user