On Tue, Dec 10, 2019 at 08:32:17PM +0100, Heinrich Schuchardt wrote:
On 12/10/19 9:56 AM, Cristian Ciocaltea wrote:
Add support for booting EFI binaries contained in FIT images. A typical usage scenario is chain-loading GRUB2 in a verified boot environment.
Signed-off-by: Cristian Ciocalteacristian.ciocaltea@gmail.com
Reading through the code it looks good. What I really need to do is analyze the address usage on the sandbox. To me it is unclear if images->fdt_addr is a physical address or an address in the address space of the sandbox.
Did you test this on the sandbox? You can use lib/efi_loader/helloworld.efi as a binary and the 'host load hostfs' command for loading the FIT image.
I only tested on qemu, I've never used the sandbox, so it's a good opportunity to give it a try.
Shouldn't we add booting a UEFI FIT image to the Python test in test/py/tests/test_fit.py?
Unfortunately I'm not familiar with the testing framework (including Python scripting), but I'll do my best to add such a test.
doc/uImage.FIT/signature.txt describes that several properties of the RSA public key should be stored in the control device tree. Unfortunately no example is supplied in which format they should be stored. Could you send me an example, please.
I found the following
https://github.com/bn121rajesh/ipython-notebooks/blob/master/BehindTheScene/...
Is this an accurate description? Or how do you get the parameters from your RSA public key?
My test scenario involves the following steps:
1. Create a public/private key pair $ openssl genpkey -algorithm RSA -out ${DEV_KEY} \ -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
2. Create a certificate containing the public key $ openssl req -batch -new -x509 -key ${DEV_KEY} -out ${DEV_CRT}
3. Dump QEMU virt board DTB $ qemu-system-arm -nographic -M virt,dumpdtb=${BOARD_DTB} \ -cpu cortex-a15 -smp 1 -m 512 -bios u-boot.bin [...]
4. Create (unsigned) FIT image and put the public key into DTB, with the 'required' property set, telling U-Boot that this key MUST be verified for the image to be valid $ mkimage -f ${FIT_ITS} -K ${BOARD_DTB} -k ${KEYS_DIR} -r ${FIT_IMG}
5. Sign the FIT image $ fit_check_sign -f ${FIT_IMG} -k ${BOARD_DTB}
6. Run QEMU supplying the DTB containing the public key and the u-boot binary built with CONFIG_OF_BOARD $ qemu-system-arm -nographic \ -M virt -cpu cortex-a15 -smp 1 -m 512 -bios u-boot.bin \ -dtb ${BOARD_DTB} [...]
This is what I get after booting QEMU with the command above:
=> fdt addr $fdtcontroladdr => fdt print / { [...] signature { key-dev { required = "conf"; algo = "sha256,rsa2048"; rsa,r-squared = * 0x5ef05188 [0x00000100]; rsa,modulus = * 0x5ef05294 [0x00000100]; rsa,exponent = <0x00000000 0x00010001>; rsa,n0-inverse = <0x649cd557>; rsa,num-bits = <0x00000800>; key-name-hint = "dev"; }; }; [...]
Best regards
Heinrich