Secure boot on Milk V duo 256

Hello:
I am figuring out how to proceed on secure booting the Milk V DUO 256. Likely in this list I can get some help. It is an ARM/RISC-V board with an SG2002 SoC. The SoC has OTP memory and some bootrom.
The current distribution uses u-boot and linux buildroot but doesn't do secure boot.
Therefore I am trying to start at the first part: verify the digital signature of u-boot and have u-boot verify the digital signature of the kernel.
Can someone point me in the right direction on how to proceed?
Regards
Waldo Alvarez Desarrollo de Software / Software Development https://pipflow.com https://tradingfuturo.com
Sent with [Proton Mail](https://proton.me/mail/home) secure email.

Hi Waldo
On 13:28 Thu 02 Jan , Waldo Alvarez wrote:
> Hello:
> I am figuring out how to proceed on secure booting the Milk V DUO 256. Likely in this list I can get some help. It is an ARM/RISC-V board with an SG2002 SoC. The SoC has OTP memory and some bootrom.
> The current distribution uses u-boot and linux buildroot but doesn't do secure boot.
> Therefore I am trying to start at the first part: verify the digital signature of u-boot and have u-boot verify the digital signature of the kernel.
> Can someone point me in the right direction on how to proceed?
I'm no expert in the secure boot area, but you can search first; there are quite a lot of docs/articles about secure boot of u-boot/linux.
For the initial boot chain, from bootrom to bootloader, there is indeed a secure boot feature, which is documented in the vendor datasheet; see chapter 14:
https://github.com/milkv-duo/duo-files/blob/main/duo/datasheet/CV1800B-CV180...

Hello Yixun Lan:
Thank you for your reply.
I was reviewing the source tree and came across some OTP/Efuse code for other boards located at:
/drivers/misc
For example, I found files like rockchip-efuse.c and sifive-otp.c. I’m still working on understanding how this integrates with the rest of the codebase. Some of these implementations set the device serial number as an environment variable. Interestingly, I noticed that some include code to write to the OTP.
I wonder if someone could derive a public key from an existing one by overwriting certain bits. For example, by flipping zeroes to ones and then brute-forcing the remaining bits to generate a new valid private key, to subsequently subvert the boot process by signing new code with that new derived key.
Looks to me like a possible attack vector. Just a guess. I would comment/disable that OTP writing code to be on the safe side.
I could find this regarding FIT signatures:
https://docs.u-boot.org/en/latest/usage/fit/signature.html
For the Linux kernel, I was considering using the dm-crypt module alongside IMA (Integrity Measurement Architecture) as a next step.
It seems that Sophon has not yet released the eFuse controller documentation for the SG2002, according to their latest Technical Reference Manual. However, for the CV1800B, the eFuse controller is fully documented. Based on the technical drawings, it appears that the SG2002 includes the same controller or a very similar one. Both SoCs are quite similar, with the main differences being the addition of an NPU and a selectable ARM core at boot time, alongside the RISC-V cores and the 8051 core.
Regards
Waldo Alvarez Desarrollo de Software / Software Development https://pipflow.com https://tradingfuturo.com
Sent with Proton Mail secure email.
On Friday, January 3rd, 2025 at 1:40 AM, Yixun Lan dlan@gentoo.org wrote:
> Hi Waldo
> On 13:28 Thu 02 Jan , Waldo Alvarez wrote:
> > Hello:
> > I am figuring out how to proceed on secure booting the Milk V DUO 256. Likely in this list I can get some help. It is an ARM/RISC-V board with an SG2002 SoC. The SoC has OTP memory and some bootrom.
> > The current distribution uses u-boot and linux buildroot but doesn't do secure boot.
> > Therefore I am trying to start at the first part: verify the digital signature of u-boot and have u-boot verify the digital signature of the kernel.
> > Can someone point me in the right direction on how to proceed?
> I'm no expert in the secure boot area, but you can search first; there are quite a lot of docs/articles about secure boot of u-boot/linux.
> For the initial boot chain, from bootrom to bootloader, there is indeed a secure boot feature, which is documented in the vendor datasheet; see chapter 14:
> https://github.com/milkv-duo/duo-files/blob/main/duo/datasheet/CV1800B-CV180...
> > Regards
> > Waldo Alvarez Desarrollo de Software / Software Development https://pipflow.com https://tradingfuturo.com
> > Sent with Proton Mail secure email.
> -- Yixun Lan (dlan) Gentoo Linux Developer GPG Key ID AABEFD55
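Added example, not part of the thread and not code from U-Boot or the SoC vendor: a small C model of the OTP concern raised above, showing why a fused key digest stored next to its bitwise complement makes any later 0 -> 1 write detectable. It assumes fuse bits can only go from 0 to 1 and that the slot holds a SHA-256 digest; the slot layout and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#define DIGEST_LEN 32 /* assumption: fuses hold a SHA-256 digest of the boot key */

/* Hypothetical slot layout: the digest plus its bitwise complement. */
struct otp_key_slot {
    uint8_t digest[DIGEST_LEN];
    uint8_t digest_inv[DIGEST_LEN];
};

/* Model of a fuse write: bits can only be OR-ed in, never cleared. */
void otp_program(uint8_t *cell, const uint8_t *value, size_t n)
{
    for (size_t i = 0; i < n; i++)
        cell[i] |= value[i];
}

/* 1 if `after` is obtainable from `before` with 0 -> 1 writes only. */
int otp_reachable(const uint8_t *before, const uint8_t *after, size_t n)
{
    uint8_t cleared = 0;
    for (size_t i = 0; i < n; i++)
        cleared |= (uint8_t)(before[i] & ~after[i]);
    return cleared == 0;
}

/* 1 if every digest bit is still the exact inverse of its check bit. */
int otp_slot_intact(const struct otp_key_slot *s)
{
    uint8_t bad = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++)
        bad |= (uint8_t)(s->digest[i] ^ s->digest_inv[i] ^ 0xFF);
    return bad == 0;
}

/* Constructed scenario: provision a slot, then OR one extra bit into it. */
int demo_tamper_detected(void)
{
    struct otp_key_slot slot;
    uint8_t original[DIGEST_LEN], extra[DIGEST_LEN] = {0};
    for (size_t i = 0; i < DIGEST_LEN; i++) {
        original[i] = slot.digest[i] = (uint8_t)(i * 7 + 1); /* made-up digest */
        slot.digest_inv[i] = (uint8_t)~slot.digest[i];
    }
    if (!otp_slot_intact(&slot)) return -1;
    extra[0] = 0x80; /* digest[0] is 0x01, so this is a pure 0 -> 1 flip */
    otp_program(slot.digest, extra, DIGEST_LEN);
    return otp_reachable(original, slot.digest, DIGEST_LEN) && !otp_slot_intact(&slot);
}
```

A write to either half of the slot breaks the invariant, because restoring it would require clearing the matching bit in the other half.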