
Hi Simon,
When I was generating the keys, i.e., Step 4: Create a key pair,
I am facing one more error while generating the private key & the certificate containing the public key used for verification. When I execute the below openssl commands, it says it can't open the config file:
srinivasan@tata-HP-Elite-7100-Microtower-PC:~/TUNSTALL/board-support/linux-3.12.10-ti2013.12.01/work$ openssl genrsa -F4 -out keys/dev.key 2048
WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Generating RSA private key, 2048 bit long modulus
............................+++
...............................................+++
e is 65537 (0x10001)
srinivasan@tata-HP-Elite-7100-Microtower-PC:~/TUNSTALL/board-support/linux-3.12.10-ti2013.12.01/work$ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Unable to load config info from /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Could you please do the needful in resolving these errors, because of which I am not able to proceed further.
Many Thanks in advance
________________________________________
From: sjg@google.com sjg@google.com on behalf of Simon Glass sjg@chromium.org
Sent: Tuesday, November 4, 2014 12:07 PM
To: Srinivasan S
Cc: srinivasan; U-Boot Mailing List
Subject: Re: verifying & signing
Hi,
On 3 November 2014 20:01, Srinivasan S srinivasan.s@tataelxsi.co.in wrote:
Hi Simon,
Good Morning!
Many Thanks a lot for all your support so far,
- With respect to the verified boot, I want to put the images onto NAND FLASH. Could you please let me know what the procedure is for flashing the verified boot images onto NAND instead of micro-SD?
One option would be to use UBI to provide a consistent block interface and then sit verity on top of that. But there may be other options, I'm not sure.
2. Does dm-verity work only on a read-only rootfs, or does it also work on a read-write rootfs? As of now we are looking only for a bare minimal rootfs; could you please suggest any rootfs with minimal support where dm-verity can be applied & verified, apart from Android?
It requires a read-only rootfs. You can enable it on a filesystem fairly easily - you need to run a tool to generate the hashes and root hash, then pass that to the kernel on boot. You don't need to use Android or Chrome OS - it is available in mainline Linux. I'm not sure if there is a cogent guide somewhere though.
I want to implement the automatic software update & recovery feature (i.e., firmware update of uboot, kernel & rootfs) in the ti-sdk-am335x-evm-07.00.00.00 BSPs, so that in case it bricks it can unbrick by itself. Could you please help me with suitable pointers & source code links for implementing this feature?
This is one way.
http://www.chromium.org/chromium-os/u-boot-porting-guide/2-concepts
To ensure there can be no bricking you probably need to have a U-Boot that you never update. It can then check the signature of a secondary updateable U-Boot, and jump to it if it is OK. This is what Chrome OS does.
BTW as this is a mailing list you should normally put the replies below the text, not above.
Regards, Simon
Awaiting your replies. Many thanks in advance again,
Srinivasan S
From: sjg@google.com sjg@google.com on behalf of Simon Glass sjg@chromium.org
Sent: Monday, November 3, 2014 5:08 AM
To: srinivasan
Cc: U-Boot Mailing List; Srinivasan S
Subject: Re: verifying & signing
Hi,
On 2 November 2014 07:06, srinivasan srinivasan.rns@gmail.com wrote:
Hi Simon,
http://lists.denx.de/pipermail/u-boot/2014-June/180845.html
The above link explains the signing of the kernel & verifying it with uboot.
Could you please let me know whether you have any methods of signing & verifying the linux kernel with the root file system? I.e., I am using the ti-sdk-am335x-evm-07.00.00.00 BSPs, where the linux kernel is from this BSP only, & would be planning to use the Angstrom filesystem or any other as my rootfs.
If you use dm-verity you can verify your root disk using a hash which is stored in the verified part of U-Boot. This is the method used by Chrome OS. This requires a read-only rootfs though. Is that acceptable?
See this page for some info on how Android does this:
https://source.android.com/devices/tech/security/dm-verity.html
Could you please let me know how we sign & verify the kernel with rootfs, with detailed steps, as I am using the beaglebone black as my development board with the ti-sdk-am335x-evm-07.00.00.00 BSPs?
I don't have detailed steps of this part, sorry. An overview is here:
http://events.linuxfoundation.org/sites/events/files/slides/chromeos_and_diy...
Awaiting your replies. Many thanks in advance
Regards, Simon
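
Added example, not part of the original thread and not code from U-Boot, the kernel or Chrome OS: a simplified Python model of the hash tree behind the dm-verity scheme described above (hashes generated over the rootfs, one root hash handed to the kernel). The 4096-byte block size, the salt and the sample image are assumptions, and the layout is not byte-compatible with the real on-disk format.

```python
import hashlib

BLOCK = 4096                              # data/hash block size (assumed)
DIGEST = hashlib.sha256().digest_size     # 32 bytes, so 128 digests per block
SALT = bytes.fromhex("00112233")          # constructed sample salt

def block_hash(salt, block):
    """Salted hash of one zero-padded block."""
    return hashlib.sha256(salt + block.ljust(BLOCK, b"\0")).digest()

def split_blocks(buf):
    return [buf[o:o + BLOCK] for o in range(0, len(buf), BLOCK)]

def build_tree(image, salt):
    """Return (levels, root); levels[0] holds one digest per data block."""
    if not image:
        raise ValueError("empty image")
    level = [block_hash(salt, b) for b in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        # Pack this level's digests into hash blocks and hash those in turn
        level = [block_hash(salt, b) for b in split_blocks(b"".join(level))]
        levels.append(level)
    return levels, level[0]

def verify_block(data, index, levels, salt, root):
    """Check one data block on read. `levels` comes from untrusted storage;
    only `root` is trusted (e.g. stored in the verified part of the boot chain)."""
    per_block = BLOCK // DIGEST
    digest = block_hash(salt, data)
    for level in levels:
        if index >= len(level) or level[index] != digest:
            return False
        if len(level) == 1:
            break
        # Re-hash the hash block that contains this digest, then move up
        first = (index // per_block) * per_block
        digest = block_hash(salt, b"".join(level[first:first + per_block]))
        index //= per_block
    return digest == root

def sample_image(nblocks=300):
    """Constructed stand-in for a read-only rootfs image."""
    return b"".join(bytes([i % 256]) * BLOCK for i in range(nblocks))

if __name__ == "__main__":
    image = sample_image()
    levels, root = build_tree(image, SALT)
    print("root hash:", root.hex())
    print("block 5 ok:", verify_block(image[5 * BLOCK:6 * BLOCK], 5, levels, SALT, root))
```

Because every data block feeds into the root hash, any write to the filesystem changes the root, which is why the rootfs has to be read-only.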