# Trusted Boot Module

User Manual

**white**box

## **white**box

## Contents

| 1 | Introduction                                                                      | 3                  |
|---|-----------------------------------------------------------------------------------|--------------------|
|   | Building ROTS         2.1 u-boot          2.2 Linux kernel          2.3 initramfs | 3                  |
|   | Flashing ROTS 3.1 Using an External Programmer                                    | <b>4</b><br>4<br>6 |
| 4 | Booting ROTS                                                                      | 6                  |

### 1 Introduction

## 2 Building ROTS

#### 2.1 u-boot

At the moment of writing, the mainline version of u-boot does not have support for SPI NOR flash on Allwinner SoCs such as the Allwinner A10, A20 and the A64. A driver model compatible SPI driver for u-boot is has been worked on and the code can be found at https://github.com/StephanvanSchaik/u-boot/tree/sunxi-spi. This driver has been tested on the following boards:

- H2+ Orange Pi Zero with Macronix MX25L1605D 16 Mbit
- A20 OLinuXino LIME 2 with Winbond W25Q128BV 128 Mbit
- · A64 Pine64+ with Winbond W25Q128BV 128 Mbit
- · A64 OLinuXino with Eon EN25Q64 64 Mbit

To compile u-boot with support for SPI NOR flash:

```
git clone https://github.com/StephanvanSchaik/u-boot -b sunxi-spi make clean make A20-OLinuXino-Lime2_defconfig CROSS_COMPILE=armv7a-hardfloat-linux-gnueabi- make
```

After u-boot-sunxi-with-spl.bin has been built, we can put it on an SD card as follows to test it:

```
dd if=u-boot-sunxi-with-spl.bin of=/dev/sda bs=1024 seek=8
```

While U-boot also supports booting from SPI NOR flash, it has been disabled by default:

```
make menuconfig
```

Enable the CONFIG\_SPL\_SPI\_SUNXI option. It is possible that the resulting binary will be too large. In that case, an option like CONFIG\_SPL\_MMC\_SUPPORT can be disabled to save some space. After the configuration options have been set up, rebuild the u-boot binary again.

#### 2.2 Linux kernel

Make sure that the following options are enabled:

- CONFIG\_BLK\_DEV\_INITRD
- CONFIG\_RD\_GZIP
- CONFIG\_RD\_BZIP2
- CONFIG\_RD\_LZMA
- CONFIG\_RD\_XZ
- CONFIG\_RD\_LZO
- CONFIG\_RD\_LZ4
- CONFIG\_KEXEC

As the ROTS image will be read-only once it has been flashed to the SPI NOR flash, it is encouraged to build a minimal kernel images to reduce the amount of possible bugs and vulnerabilities. More specifically, it is recommended to build a kernel without any support for networking, graphics and audio.

#### 2.3 initramfs

For the initramfs, we will need static binaries of busybox, kexec-tools, cpio and gzip.

## 3 Flashing ROTS

#### 3.1 Using an External Programmer

In order to be able to program the SPI NOR flash with an external programmer, we will need an external programmer such as the BusPirate v3.6a or the BusPirate v4.0 and SOIC clip. Figure 1 illustrates the pin-out of a Winbond W25Q128.V SPI NOR flash, but any SPI NOR flash chip should be compatible with this pin-out. The SPI NOR flash should have a circular shape at one of the corners, this corner should be bottom-right corner. Once the pins of the SPI NOR flash are aligned with the pin-out in figure 1, we can clip the SPI NOR flash chip between the SOIC clip.



Figure 1: the pin-out of the Winbond W25Q128.V SPI NOR flash

Figure 2 shows how to connect the BusPirate v3.6a with the SPI NOR flash chip. Connect the *Chip Select* (CS) pins using the white cable, the *Master In Slave Out* (MISO) pin with the *Data Out* (DO) pin using the black cable, the *Master Out Slave In* (MOSI) pin with the *Data In* (DI) pin using the grey cable and the *Clock* (CLK) pins using the purple cable. Further, the *Ground* (GND) pins should be connected using the brown cable and the 5V and the VCC pins should be connected with the orange cable. In order for the SPI NOR flash chip to function, the H/R pin of the SPI NOR flash chip should be pulled high, this can be done by connecting the 5V pin with the H/R pin. Finally, to be able to program the chip in case write-protection has been configured before, we have to make sure that the *Write-Protect* (WP) is pulled high to disable write-protection.



Figure 2: connecting the BusPirate v3.6a with the SPI NOR Flash

Because the configuration of write-protection is vendor-specific, the mainline version of *flashrom* does not support configuring write-protection. Therefore, to be able to configure the write-protection of the SPI NOR flash chip, we have to use Google's fork of *flashrom*.

Unlike the mainline version of flashrom, Google's fork has two flags to get the name and the size of the Flash chip:

```
./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --flash-name
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built

with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
vendor="Macronix" name="MX25L6406E"

./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --get-size
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built

with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
8388608
```

Further, Google's fork of flashrom allows us to tag regions on the SPI NOR flash chip with a custom name. Assuming that the SPI NOR flash chip is 16 MiB, we will be using the following layout.txt file for the ROTS:

```
000000:09ffff uboot
0a0000:5fffff linux
600000:ffffff initramfs
```

We can then write u-boot.bin, bzImage and initramfs.cpio.gz to the SPI NOR flash chip by using the respective names of the regions. To speed up the process of writing these images, we have to disable parsing the fmap and the verification of unmodified regions. Furthermore, to maintain an optimal stability, an SPI speed of no more than 2 MHz is recommended when using the BusPirate v3.6a:

```
./flashrom --programmer=buspirate_spi:spispeed=2M,dev=/dev/buspirate -1 layout.txt -i

→ uboot:u-boot.bin linux:bzImage initramfs:initramfs.cpio.gz -w --ignore-fmap

→ --fast-verify
```

Now that the images have been written to their respective regions, we can look at the write-protect ranges supported by the chip:

```
./flashrom --programmer=buspirate_spi:dev=/dev/buspirate --wp-list
flashrom v0.9.4 : bc6cab1 : Oct 30 2014 07:32:01 UTC on Linux 4.9.4-gentoo (x86_64), built
→ with libpci 3.1.10, GCC 4.8.x-google 20140307 (prerelease), little endian
Valid write protection ranges:
start: 0x000000, length: 0x000000
start: 0x7e0000, length: 0x020000
start: 0x7c0000, length: 0x040000
start: 0x7a0000, length: 0x080000
start: 0x700000, length: 0x100000
start: 0x600000, length: 0x200000
start: 0x400000, length: 0x400000
start: 0x000000, length: 0x800000
start: 0x000000, length: 0x800000
start: 0x000000, length: 0x400000
start: 0x000000, length: 0x600000
start: 0x000000, length: 0x700000
start: 0x000000, length: 0x780000
start: 0x000000, length: 0x7c0000
start: 0x000000, length: 0x7e0000
start: 0x000000, length: 0x800000
```

Since we don't want our images to be tampered with, we want to enable write-protection for the full range. We can configure the write-protected range as follows:

```
./flashrom --programmer=buspirate_spi:spispeed=2M,dev=/dev/buspirate --wp-range 0x0000000  

Ox800000
```

After setting the range, we are still able to modify the contents of the entire SPI NOR flash chip. To protect the range, we have to enable write protection as follows:

```
./flashrom --programmer=buspirate_spi:spispeed=2M,dev=/dev/buspirate --wp-enable
```

Upon enabling write-protection, the *Write-Protect* (WP) pin has to be pulled low for the write-protection to be effective. This prevents the user from disabling the write-protection feature, changing the write-protect range and from writing to the write-protected region.

#### 3.2 Using sunxi-fel

Download and compile the sunxi-fel tool as follows:

```
git clone -b spiflash-a20-test https://github.com/ssvb/sunxi-tools.git make
```

Connect or reset while holding the recovery or FEL button. Once the board has booted into FEL mode, we can detect the SPI NOR flash chip as follows:

```
./sunxi-fel spiflash-info
Manufacturer: Winbond (EFh), model: 40h, size: 16777216 bytes.
```

Then we can write the u-boot.bin, bzImage and initramfs.cpio.gz images as follows:

```
./sunxi-fel -p spiflash-write 0x000000 u-boot.bin
./sunxi-fel -p spiflash-write 0x0a0000 bzImage
./sunxi-fel -p spiflash-write 0x600000 initramfs.cpio.gz
```

## 4 Booting ROTS

After powering up the board, *u-boot* will be loaded. *u-boot* will then load the Linux kernel image and the initramfs from the SPI NOR flash and boot the Linux kernel with the initramfs as follows:

```
sf probe 0:0 6000000
sf read 0x42000000 0xa0000 5636096
sf read 0x43000000 0x600000 10485760
bootm 0x42000000 0x43000000
```

The ROTS kernel will now boot up and mount the initramfs as the rootfs. At some point the kernel will run the init script in the initramfs. When this happens the ROTS will start communicating with the TBM to fetch the time as well as the certificates. Once these have been retrieved from the TBM, the ROTS will mount the external media such as hard disks and enumerate and verify possible boot images on those media.