[U-Boot] Fwd: verifying & signing

Hi Simon,
http://lists.denx.de/pipermail/u-boot/2014-June/180845.html
As the above link explains signing the kernel & verifying it with U-Boot,
could you please let me know whether you have any methods of signing & verifying the Linux kernel together with the root file system? I.e., I am using the ti-sdk-am335x-evm-07.00.00.00 BSP, where the Linux kernel is from this BSP only, & I would be planning to use the Angstrom filesystem or any other as my rootfs.
Could you please let me know how we sign & verify the kernel with the rootfs, with detailed steps, as I am using the BeagleBone Black as my development board with the ti-sdk-am335x-evm-07.00.00.00 BSP?
Awaiting your replies. Many thanks in advance.

Hi,
On 2 November 2014 07:06, srinivasan srinivasan.rns@gmail.com wrote:
Hi Simon,
http://lists.denx.de/pipermail/u-boot/2014-June/180845.html
As the above link explains signing the kernel & verifying it with U-Boot,
could you please let me know whether you have any methods of signing & verifying the Linux kernel together with the root file system? I.e., I am using the ti-sdk-am335x-evm-07.00.00.00 BSP, where the Linux kernel is from this BSP only, & I would be planning to use the Angstrom filesystem or any other as my rootfs.
If you use dm-verity you can verify your root disk using a hash which is stored in the verified part of U-Boot. This is the method used by Chrome OS. This requires a read-only rootfs though. Is that acceptable?
See this page for some info on how Android does this:
https://source.android.com/devices/tech/security/dm-verity.html
Could you please let me know how we sign & verify the kernel with the rootfs, with detailed steps, as I am using the BeagleBone Black as my development board with the ti-sdk-am335x-evm-07.00.00.00 BSP?
I don't have detailed steps for this part, sorry. An overview is here:
http://events.linuxfoundation.org/sites/events/files/slides/chromeos_and_diy...
Awaiting your replies. Many thanks in advance.
Regards, Simon
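The hash tree behind Simon's answer, as an added example that is not code from the thread, from U-Boot or from Chrome OS: a Python model of the "generate the hashes and root hash, pass the root hash to the kernel" step, and of why the rootfs has to be read-only (any write changes the root hash, and a block that no longer matches the tree is refused on read). The layout follows the dm-verity version-1 format as I understand it (the salt is hashed before each block, block digests are packed into zero-padded hash blocks, and so on up to a single top block whose digest is the root hash); that, the 4 KiB block size, the fixed salt and the constructed 130-block image are assumptions made for this example, and veritysetup remains the reference tool for real images.

```python
import hashlib
import hmac

BLOCK_SIZE = 4096                    # data and hash block size assumed here
DIGEST = "sha256"
DIGEST_SIZE = hashlib.new(DIGEST).digest_size
PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE  # digests per hash block (128 for sha256)


def _hash(salt: bytes, data: bytes) -> bytes:
    """dm-verity v1 block hash: salt first, then the block (assumption)."""
    h = hashlib.new(DIGEST)
    h.update(salt)
    h.update(data)
    return h.digest()


def _pack(digests):
    """Pack consecutive digests into hash blocks, zero-padding the last one."""
    return [b"".join(digests[i:i + PER_BLOCK]).ljust(BLOCK_SIZE, b"\0")
            for i in range(0, len(digests), PER_BLOCK)]


def build_hash_tree(image: bytes, salt: bytes):
    """Return (root_hash, levels): the generate step run over a block image.

    levels[0] holds hash blocks of data-block digests, levels[k] holds hash
    blocks of digests of levels[k-1], and levels[-1] is the single top block
    whose digest is root_hash.  levels is what goes on the hash device;
    root_hash is the value handed to the kernel (from verified U-Boot data).
    """
    if len(image) % BLOCK_SIZE:
        raise ValueError("image must be a whole number of blocks")
    digests = [_hash(salt, image[i:i + BLOCK_SIZE])
               for i in range(0, len(image), BLOCK_SIZE)]
    levels = []
    while True:
        blocks = _pack(digests)
        levels.append(blocks)
        if len(blocks) == 1:
            return _hash(salt, blocks[0]), levels
        digests = [_hash(salt, b) for b in blocks]


def verify_block(block: bytes, index: int, salt: bytes, levels, root_hash: bytes) -> bool:
    """Check data block `index` the way the kernel does on every read: trust
    only root_hash, verify each hash block top-down against the digest held
    for it in the already verified level above, then the data block itself."""
    expected = root_hash
    for k in range(len(levels) - 1, -1, -1):
        hb = levels[k][index // PER_BLOCK ** (k + 1)]
        if not hmac.compare_digest(_hash(salt, hb), expected):
            return False                      # the tree itself was altered
        slot = (index // PER_BLOCK ** k) % PER_BLOCK
        expected = hb[slot * DIGEST_SIZE:(slot + 1) * DIGEST_SIZE]
    return hmac.compare_digest(_hash(salt, block), expected)


def verified_read(image: bytes, index: int, salt: bytes, levels, root_hash: bytes) -> bytes:
    """Return block `index`, or raise instead of handing back a block that
    fails verification (dm-verity reports an I/O error in that case)."""
    block = image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
    if not verify_block(block, index, salt, levels, root_hash):
        raise IOError("dm-verity: block %d failed verification" % index)
    return block


# Constructed sample input: 130 blocks, so the tree needs two hash levels.
SALT = bytes(range(32))                       # veritysetup picks a random salt
N_BLOCKS = 130
IMAGE = b"".join(hashlib.sha256(b"rootfs-block-%d" % i).digest() * (BLOCK_SIZE // 32)
                 for i in range(N_BLOCKS))


def demo():
    """Returns (all_blocks_ok, tampered_block_ok, root_hash_changed)."""
    root, levels = build_hash_tree(IMAGE, SALT)
    all_ok = all(verify_block(IMAGE[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE], i, SALT, levels, root)
                 for i in range(N_BLOCKS))
    # One flipped bit in block 77: the read is refused against the old tree,
    # and rebuilding the tree yields a different root hash.  This is why the
    # rootfs must be read-only: a write invalidates the root hash in U-Boot.
    tampered = bytearray(IMAGE)
    tampered[77 * BLOCK_SIZE + 100] ^= 0x01
    tampered = bytes(tampered)
    tampered_ok = verify_block(tampered[77 * BLOCK_SIZE:78 * BLOCK_SIZE], 77, SALT, levels, root)
    new_root, _ = build_hash_tree(tampered, SALT)
    return all_ok, tampered_ok, new_root != root


if __name__ == "__main__":
    print(demo())
```

The top-down walk in verify_block is the important part: the kernel never trusts the hash device, only the root hash, so tampering with a hash block is caught one level above it, and tampering with a data block is caught at the leaf.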

Hi Simon,
Good Morning!
Many Thanks a lot for all your support so far,
1. With respect to the verified boot, I want to put the images onto NAND flash. Could you please let me know the procedure for flashing the verified boot images onto NAND instead of micro-SD?
2. Does dm-verity work only on a read-only rootfs, or does it work on a read-write rootfs? Because as of now we are looking only for a bare minimal rootfs, could you please suggest a rootfs with minimal support where dm-verity can be applied & verified, apart from Android?
I want to implement the automatic software update & recovery feature (i.e., firmware update of U-Boot, kernel & rootfs) in the ti-sdk-am335x-evm-07.00.00.00 BSP, so that if it bricks it can unbrick by itself. Could you please help me with suitable pointers & source code links for implementing this feature?
Awaiting your replies. Many thanks in advance again,
Srinivasan S
________________________________________ From: sjg@google.com sjg@google.com on behalf of Simon Glass sjg@chromium.org Sent: Monday, November 3, 2014 5:08 AM To: srinivasan Cc: U-Boot Mailing List; Srinivasan S Subject: Re: verifying & signing

Hi,
On 3 November 2014 20:01, Srinivasan S srinivasan.s@tataelxsi.co.in wrote:
Hi Simon,
Good Morning!
Many Thanks a lot for all your support so far,
- With respect to the verified boot, I want to put the images onto NAND flash. Could you please let me know the procedure for flashing the verified boot images onto NAND instead of micro-SD?
One option would be to use UBI to provide a consistent block interface and then sit verity on top of that. But there may be other options, I'm not sure.
2. Does dm-verity work only on a read-only rootfs, or does it work on a read-write rootfs? Because as of now we are looking only for a bare minimal rootfs, could you please suggest a rootfs with minimal support where dm-verity can be applied & verified, apart from Android?
It requires a read-only rootfs. You can enable it on a filesystem fairly easily - you need to run a tool to generate the hashes and root hash, then pass that to the kernel on boot. You don't need to use Android or Chrome OS - it is available in mainline Linux. I'm not sure if there is a cogent guide somewhere though.
I want to implement the automatic software update & recovery feature (i.e., firmware update of U-Boot, kernel & rootfs) in the ti-sdk-am335x-evm-07.00.00.00 BSP, so that if it bricks it can unbrick by itself. Could you please help me with suitable pointers & source code links for implementing this feature?
This is one way.
http://www.chromium.org/chromium-os/u-boot-porting-guide/2-concepts
So to ensure there can be no bricking you probably need to have a U-Boot that you never update. It can then check the signature of a secondary updateable U-Boot, and jump to it if it is OK. This is what Chrome OS does.
BTW as this is a mailing list you should normally put the replies below the text, not above.
Regards, Simon
Awaiting your replies. Many thanks in advance again,
Srinivasan S

Hi Simon,
________________________________________ From: sjg@google.com sjg@google.com on behalf of Simon Glass sjg@chromium.org Sent: Tuesday, November 4, 2014 12:07 PM To: Srinivasan S Cc: srinivasan; U-Boot Mailing List Subject: Re: verifying & signing

Hi Simon,
When I was generating the keys, i.e., Step 4: Create a key pair,
I am facing one more error while generating the private key & the certificate containing the public key used for verification. When I execute the below openssl commands it says it can't open the config file:
srinivasan@tata-HP-Elite-7100-Microtower-PC:~/TUNSTALL/board-support/linux-3.12.10-ti2013.12.01/work$ openssl genrsa -F4 -out keys/dev.key 2048
WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Generating RSA private key, 2048 bit long modulus
............................+++
...............................................+++
e is 65537 (0x10001)
srinivasan@tata-HP-Elite-7100-Microtower-PC:~/TUNSTALL/board-support/linux-3.12.10-ti2013.12.01/work$ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Unable to load config info from /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Could you please do the needful in resolving these errors, because of which I am not able to proceed further.
Many thanks in advance.

Hi Simon
Sorry to push you hard again, but could you please help me in resolving the below issue that I am facing while generating the private key & certificate containing the public key,
i.e., when executing Step 4: Create a key pair (http://lists.denx.de/pipermail/u-boot/2014-June/180845.html):
WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Unable to load config info from /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Many thanks a lot in advance.
________________________________________ From: Srinivasan S Sent: Tuesday, November 4, 2014 3:37 PM To: Simon Glass Cc: srinivasan; U-Boot Mailing List Subject: Re: verifying & signing

Hi,
On 4 November 2014 19:36, Srinivasan S srinivasan.s@tataelxsi.co.in wrote:
Hi Simon
Sorry to push you hard again, but could you please help me in resolving the below issue that I am facing while generating the private key & certificate containing the public key,
i.e., when executing Step 4: Create a key pair (http://lists.denx.de/pipermail/u-boot/2014-June/180845.html):
WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Unable to load config info from /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Please don't top post.
I don't know what xxxxyyyy is or why it appears. Did you 'mkdir keys'?
Regards, Simon

Hi,
On 4 November 2014 03:07, Srinivasan S srinivasan.s@tataelxsi.co.in wrote:
Hi Simon,
When I was generating the keys, i.e., Step 4: Create a key pair,
I am facing one more error while generating the private key & the certificate containing the public key used for verification. When I execute the below openssl commands it says it can't open the config file:
srinivasan@tata-HP-Elite-7100-Microtower-PC:~/TUNSTALL/board-support/linux-3.12.10-ti2013.12.01/work$ openssl genrsa -F4 -out keys/dev.key 2048
WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Generating RSA private key, 2048 bit long modulus
............................+++
...............................................+++
e is 65537 (0x10001)
srinivasan@tata-HP-Elite-7100-Microtower-PC:~/TUNSTALL/board-support/linux-3.12.10-ti2013.12.01/work$ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
WARNING: can't open config file: /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Unable to load config info from /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy/sysroots/i686-arago-linux/usr/lib/ssl/openssl.cnf
Could you please do the needful in resolving these errors, because of which I am not able to proceed further.
This email seems to be a duplicate. Did you make sure the directory exists?
Regards, Simon
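The key-pair step from the thread, as an added example that is not from the thread, from U-Boot or from the TI SDK: it creates the keys directory first (Simon's question above), drops a dangling OPENSSL_CONF before calling openssl, keeps the private key owner-only, and checks that the certificate really belongs to the key before either is used to sign a FIT image. The assumption behind the environment check, which the thread does not state, is that OpenSSL prints "WARNING: can't open config file: <path>" when OPENSSL_CONF names a file that does not exist, and that `openssl req` then fails with "Unable to load config info"; a cross-compile SDK's environment-setup script exporting a path into a sysroot that is no longer there is one likely way to end up in that state. Running the same commands under sudo also makes the warning disappear, because sudo resets the environment, but it hides the cause and leaves a root-owned signing key behind. The two openssl command lines are the ones from the transcript; the function names and the environment handling are mine.

```python
import os
import subprocess
import sys


def sanitize_openssl_env(env):
    """Return (env_copy, note).

    If OPENSSL_CONF names a file that does not exist it is removed from the
    copy, so openssl falls back to its compiled-in default config file.
    note describes what was wrong, or is None.  Assumption: such a dangling
    variable is what produces the "can't open config file" warning.
    """
    env = dict(env)
    conf = env.get("OPENSSL_CONF")
    if conf is None or os.path.isfile(conf):
        return env, None
    del env["OPENSSL_CONF"]
    return env, "OPENSSL_CONF pointed at a missing file (%s); unset it for openssl" % conf


def generate_dev_keypair(keydir, env=None):
    """Step 4 from the thread: keys/dev.key and keys/dev.crt, with the
    directory created first and without sudo.  Returns (key_path, crt_path)."""
    env, note = sanitize_openssl_env(os.environ if env is None else env)
    if note:
        print(note, file=sys.stderr)
    os.makedirs(keydir, mode=0o700, exist_ok=True)      # the 'mkdir keys' step
    key = os.path.join(keydir, "dev.key")
    crt = os.path.join(keydir, "dev.crt")
    subprocess.run(["openssl", "genrsa", "-F4", "-out", key, "2048"],
                   check=True, env=env)
    os.chmod(key, 0o600)        # signing key: readable by its owner only
    subprocess.run(["openssl", "req", "-batch", "-new", "-x509",
                    "-key", key, "-out", crt], check=True, env=env)
    return key, crt


def key_matches_cert(key, crt, env=None):
    """True when the certificate's public key belongs to the private key:
    compare the RSA modulus of both.  The modulus is what ends up in the
    U-Boot device tree, so a mismatch here means nothing will ever verify."""
    env, _ = sanitize_openssl_env(os.environ if env is None else env)

    def modulus(args):
        out = subprocess.run(["openssl"] + args + ["-noout", "-modulus"],
                             check=True, capture_output=True, text=True, env=env)
        return out.stdout.strip()

    return modulus(["rsa", "-in", key]) == modulus(["x509", "-in", crt])


if __name__ == "__main__":
    k, c = generate_dev_keypair("keys")
    print("key/cert pair consistent:", key_matches_cert(k, c))
```

If the note is printed, the fix belongs in the shell that exported OPENSSL_CONF (typically the SDK environment-setup script sourced into it), not in sudo.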

Thanks a lot Simon,
Sorry, true. Unknowingly the ticket was duplicated. I found out the issue, i.e.,
openssl genrsa -F4 -out keys/dev.key 2048
openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
The above commands were supposed to be executed with sudo permissions as shown below:
sudo openssl genrsa -F4 -out keys/dev.key 2048
sudo openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt
Once again many many thanks for your support so far.
On Fri, Nov 7, 2014 at 10:42 PM, Simon Glass sjg@chromium.org wrote:
participants (3): Simon Glass, srinivasan, Srinivasan S