Hi Harsha,
On 31 May 2014 07:45, Harsha Kiran harshakiran443@gmail.com wrote:
Hi Simon,
I started working on the secure u-boot loading the FIT images and there are some of the issues i observed.
I took the latest U-Boot 2014.07-rc2 and applied the below mentioned patches..
(..http://patchwork.ozlabs.org/patch/339609/) (..http://patchwork.ozlabs.org/patch/339610/) (..http://patchwork.ozlabs.org/patch/339611/) I had to do a work around to apply this patch. if i apply the patched directly to the latest u-boot it failed in the fit_image.c file. I searched online and found fit_image.c from (..https://kernel.googlesource.com/pub/scm/linux/kernel/git/maz/u-boot/+/eb6321...) and applied the patch and it was perfect. Then i applied http://patchwork.ozlabs.org/patch/350541/
With these patches and removing CONFIG_OF_CONTROL in am335x_evm.h, i was able to load my FIT image successfully. if i include CONFIG_OF_CONTROL, i get the following error No valid FDT found - please append one to U-Boot binary, use u-boot-dtb.bin or define CONFIG_OF_EMBED. For sandbox, use -d <file.dtb> ### ERROR ### Please RESET the board ###.
This is likely another missing patch.
I just sent out a new series (available in u-boot-x86.git branch 'bone') which adds some step-by-step documentation. It also collects all the fixes in one place.
Now for the secure u-boot i added the CONFIG_FIT_SIGNATURE and CONFIG_RSA. i modified the doc/uImage.FIT/kernel_fdt.its file to include the signature content. Here is the file..
/*
- Simple U-boot uImage source file containing a single kernel and FDT blob
*/
/*
- Simple U-boot uImage source file containing a single kernel and FDT blob
*/
/dts-v1/;
/ { description = "Simple image with single Linux kernel and FDT blob"; #address-cells = <1>;
images { kernel@1 { description = "3.12 Kernel RT"; data = /incbin/("./zImage"); type = "kernel"; arch = "arm"; os = "linux"; compression = "none"; load = <0x80008000>; entry = <0x80008000>; hash@1 { algo = "sha1"; }; signature@1 { algo = "sha1,rsa2048"; key-name-hint = "dev"; }; }; fdt@1 { description = "Flattened Device Tree blob"; data = /incbin/("./am335x-evmsk.dtb"); type = "flat_dt"; arch = "arm"; compression = "none"; hash@1 { algo = "sha1"; }; signature@1 { algo = "sha1,rsa2048"; key-name-hint = "dev"; }; }; }; configurations { default = "conf@1"; conf@1 { description = "Boot Linux kernel with FDT blob"; kernel = "kernel@1"; fdt = "fdt@1"; }; };};
Then, i signed my images with the keys generated from openssl,
DTC_OPS="-I dts -O dtb -p 2000" sudo mkimage -D "${DTC_OPS}" -f kernel_fdt.its -k dev-keys -K u-boot-pubkey.dtb -r kernel_fdt.itb
build the u-boot again with the signed binary..
harsha@harshakiran_kasha:/abb/Experiment_Secure/u-boot$ sudo make ARCH=arm CROSS_COMPILE=/abb/compilers/gcc-linaro-arm-linux-gnueabihf-4.7-2013.04-20130415_linux/bin/arm-linux-gnueabihf- -j8 DEV_TREE_BIN=./u-boot-pubkey.dtb
Now, while booting, i was able to load the u-boot-dtb.bin file from the u-boot prompt and it loaded the FIT image.
U-Boot# fatload mmc 0 0x82000000 u-boot-dtb.bin reading u-boot-dtb.bin 466611 bytes read in 36 ms (12.4 MiB/s) U-Boot# go 0x82000000 ## Starting application at 0x82000000 ...
U-Boot 2014.07-rc2 (May 31 2014 - 02:16:18)
I2C: ready DRAM: 256 MiB NAND: 0 MiB MMC: OMAP SD/MMC: 0, OMAP SD/MMC: 1 *** Warning - readenv() failed, using default environment
Net: <ethaddr> not set. Validating first E-fuse MAC cpsw, usb_ether Hit any key to stop autoboot: 0 mmc0 is current device SD/MMC found on device 0 reading uEnv.txt 2481 bytes read in 7 ms (345.7 KiB/s) Loaded environment from uEnv.txt Importing environment from mmc ... Running uenvcmd ... reading kernel_fdt.itb 4157190 bytes read in 267 ms (14.8 MiB/s) ## Loading kernel from FIT Image at 82000000 ... Using 'conf@1' configuration Verifying Hash Integrity ... OK Trying 'kernel@1' kernel subimage Description: 3.12 Kernel RT Type: Kernel Image Compression: uncompressed Data Start: 0x820000e4 Data Size: 4117728 Bytes = 3.9 MiB Architecture: ARM OS: Linux Load Address: 0x80008000 Entry Point: 0x80008000 Hash algo: sha1 Hash value: 3d72bc90b8afb5464cb03de2952d1bba90cd542e Sign algo: sha1,rsa2048:dev Sign value: unavailable Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK ## Loading fdt from FIT Image at 82000000 ... Using 'conf@1' configuration Trying 'fdt@1' fdt subimage Description: Flattened Device Tree blob Type: Flat Device Tree Compression: uncompressed Data Start: 0x823ed6f8 Data Size: 38048 Bytes = 37.2 KiB Architecture: ARM Hash algo: sha1 Hash value: 01d8a7481ac4ae281e68383776287a94bd5f2d78 Sign algo: sha1,rsa2048:dev Sign value: unavailable Verifying Hash Integrity ... sha1+ sha1,rsa2048:dev- OK Booting using the fdt blob at 0x823ed6f8 Loading Kernel Image ... OK Loading Device Tree to 8f611000, end 8f61d49f ... OK
Starting kernel ...
I worry that you are loading a zImage to 80008000 which is the intended load address of the kernel itself. Does the zImage wrapper handle that?
In my example, I use the Image rather than zImage, so that U-Boot can decompress it.
it says that the hash integrity is verified but when i tried with an unsigned kernel_fdt.bin with signed u-boot-dtb.bin i was still able to load the FIT and the logs are the same.
Yes but you didn't use the -r flag for mkimage, so the verification is optional.
I not really sure if the veification part is done correctly. Am i following the correct procedure or missing something??
Mostly I think. See my documentation in the series mentioned above - hopefully it will help.
Regards, Simon