|
|
|
@ -107,6 +107,231 @@ Firmware. |
|
|
|
|
[ARM Trusted Firmware]: https://github.com/ARM-software/arm-trusted-firmware |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Verified Boot |
|
|
|
|
------------- |
|
|
|
|
|
|
|
|
|
U-Boot supports an image verification method called "Verified Boot". |
|
|
|
|
This is a brief tutorial to utilize this feature for the UniPhier platform. |
|
|
|
|
You will find details documents in the doc/uImage.FIT directory. |
|
|
|
|
|
|
|
|
|
Here, we take LD20 reference board for example, but it should work for any |
|
|
|
|
other boards including 32 bit SoCs. |
|
|
|
|
|
|
|
|
|
1. Generate key to sign with |
|
|
|
|
|
|
|
|
|
$ mkdir keys |
|
|
|
|
$ openssl genpkey -algorithm RSA -out keys/dev.key \ |
|
|
|
|
-pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 |
|
|
|
|
$ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt |
|
|
|
|
|
|
|
|
|
Two files "dev.key" and "dev.crt" will be created. The base name is arbitrary, |
|
|
|
|
but need to match to the "key-name-hint" property described below. |
|
|
|
|
|
|
|
|
|
2. Describe FIT source |
|
|
|
|
|
|
|
|
|
You need to write an FIT (Flattened Image Tree) source file to describe the |
|
|
|
|
structure of the image container. |
|
|
|
|
|
|
|
|
|
The following is an example for a simple usecase: |
|
|
|
|
|
|
|
|
|
---------------------------------------->8---------------------------------------- |
|
|
|
|
/dts-v1/; |
|
|
|
|
|
|
|
|
|
/ { |
|
|
|
|
description = "Kernel, DTB and Ramdisk for UniPhier LD20 Reference Board"; |
|
|
|
|
#address-cells = <1>; |
|
|
|
|
|
|
|
|
|
images { |
|
|
|
|
kernel@0 { |
|
|
|
|
description = "linux"; |
|
|
|
|
data = /incbin/("PATH/TO/YOUR/LINUX/DIR/arch/arm64/boot/Image.gz"); |
|
|
|
|
type = "kernel"; |
|
|
|
|
arch = "arm64"; |
|
|
|
|
os = "linux"; |
|
|
|
|
compression = "gzip"; |
|
|
|
|
load = <0x82080000>; |
|
|
|
|
entry = <0x82080000>; |
|
|
|
|
hash@0 { |
|
|
|
|
algo = "sha256"; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
fdt@0 { |
|
|
|
|
description = "fdt"; |
|
|
|
|
data = /incbin/("PATH/TO/YOUR/LINUX/DIR/arch/arm64/boot/dts/socionext/uniphier-ld20-ref.dtb"); |
|
|
|
|
type = "flat_dt"; |
|
|
|
|
arch = "arm64"; |
|
|
|
|
compression = "none"; |
|
|
|
|
hash@0 { |
|
|
|
|
algo = "sha256"; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
ramdisk@0 { |
|
|
|
|
description = "ramdisk"; |
|
|
|
|
data = /incbin/("PATH/TO/YOUR/ROOTFS/DIR/rootfs.cpio"); |
|
|
|
|
type = "ramdisk"; |
|
|
|
|
arch = "arm64"; |
|
|
|
|
os = "linux"; |
|
|
|
|
compression = "none"; |
|
|
|
|
hash@0 { |
|
|
|
|
algo = "sha256"; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
configurations { |
|
|
|
|
default = "config@0"; |
|
|
|
|
|
|
|
|
|
config@0 { |
|
|
|
|
description = "Configuration0"; |
|
|
|
|
kernel = "kernel@0"; |
|
|
|
|
fdt = "fdt@0"; |
|
|
|
|
ramdisk = "ramdisk@0"; |
|
|
|
|
signature@0 { |
|
|
|
|
algo = "sha256,rsa2048"; |
|
|
|
|
key-name-hint = "dev"; |
|
|
|
|
sign-images = "kernel", "fdt", "ramdisk"; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
---------------------------------------->8---------------------------------------- |
|
|
|
|
|
|
|
|
|
You need to change the three '/incbin/' lines, depending on the location of |
|
|
|
|
your kernel image, device tree blob, and init ramdisk. The "load" and "entry" |
|
|
|
|
properties also need to be adjusted if you want to change the physical placement |
|
|
|
|
of the kernel. |
|
|
|
|
|
|
|
|
|
The "key-name-hint" must specify the key name you have created in the step 1. |
|
|
|
|
|
|
|
|
|
The FIT file name is arbitrary. Let's say you saved it into "fit.its". |
|
|
|
|
|
|
|
|
|
3. Compile U-Boot with FIT and signature enabled |
|
|
|
|
|
|
|
|
|
To use the Verified Boot, you need to enable the following two options: |
|
|
|
|
CONFIG_FIT |
|
|
|
|
CONFIG_FIT_SIGNATURE |
|
|
|
|
|
|
|
|
|
They are disabled by default for UniPhier defconfig files. So, you need to |
|
|
|
|
tweak the configuration from "make menuconfig" or friends. |
|
|
|
|
|
|
|
|
|
$ make uniphier_v8_defconfig |
|
|
|
|
$ make menuconfig |
|
|
|
|
[ enable CONFIG_FIT and CONFIG_FIT_SIGNATURE ] |
|
|
|
|
$ make CROSS_COMPILE=aarch64-linux-gnu- |
|
|
|
|
|
|
|
|
|
4. Build the image tree blob |
|
|
|
|
|
|
|
|
|
After building U-Boot, you will see tools/mkimage. With this tool, you can |
|
|
|
|
create an image tree blob as follows: |
|
|
|
|
|
|
|
|
|
$ tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage |
|
|
|
|
|
|
|
|
|
The -k option must specify the key directory you have created in step 1. |
|
|
|
|
|
|
|
|
|
A file "fitImage" will be created. This includes kernel, DTB, Init-ramdisk, |
|
|
|
|
hash data for each of the three, and signature data. |
|
|
|
|
|
|
|
|
|
The public key needed for the run-time verification is stored in "dts/dt.dtb". |
|
|
|
|
|
|
|
|
|
5. Compile U-Boot again |
|
|
|
|
|
|
|
|
|
Since the "dt.dtb" has been updated in step 4, you need to re-compile the |
|
|
|
|
U-Boot. |
|
|
|
|
|
|
|
|
|
$ make CROSS_COMPILE=aarch64-linux-gnu- |
|
|
|
|
|
|
|
|
|
The re-compiled "u-boot.bin" is appended with DTB that contains the public key. |
|
|
|
|
|
|
|
|
|
6. Flash the image |
|
|
|
|
|
|
|
|
|
Flash the "fitImage" to a storage device (NAND, eMMC, or whatever) on your |
|
|
|
|
board. |
|
|
|
|
|
|
|
|
|
Please note the "u-boot.bin" must be signed, and verified by someone when it is |
|
|
|
|
loaded. For ARMv8 SoCs, the "someone" is generally ARM Trusted Firmware BL2. |
|
|
|
|
ARM Trusted Firmware supports an image authentication mechanism called Trusted |
|
|
|
|
Board Boot (TBB). The verification process must be chained from the moment of |
|
|
|
|
the system reset. If the Chain of Trust has a breakage somewhere, the verified |
|
|
|
|
boot process is entirely pointless. |
|
|
|
|
|
|
|
|
|
7. Boot verified kernel |
|
|
|
|
|
|
|
|
|
Load the fitImage to memory and run the following from the U-Boot command line. |
|
|
|
|
|
|
|
|
|
> bootm <addr> |
|
|
|
|
|
|
|
|
|
Here, <addr> is the base address of the fitImage. |
|
|
|
|
|
|
|
|
|
If it is successful, you will see messages like follows: |
|
|
|
|
|
|
|
|
|
---------------------------------------->8---------------------------------------- |
|
|
|
|
## Loading kernel from FIT Image at 84100000 ... |
|
|
|
|
Using 'config@0' configuration |
|
|
|
|
Verifying Hash Integrity ... sha256,rsa2048:dev+ OK |
|
|
|
|
Trying 'kernel@0' kernel subimage |
|
|
|
|
Description: linux |
|
|
|
|
Created: 2017-10-20 14:32:29 UTC |
|
|
|
|
Type: Kernel Image |
|
|
|
|
Compression: gzip compressed |
|
|
|
|
Data Start: 0x841000c8 |
|
|
|
|
Data Size: 6957818 Bytes = 6.6 MiB |
|
|
|
|
Architecture: AArch64 |
|
|
|
|
OS: Linux |
|
|
|
|
Load Address: 0x82080000 |
|
|
|
|
Entry Point: 0x82080000 |
|
|
|
|
Hash algo: sha256 |
|
|
|
|
Hash value: 82a37b7f11ae55f4e07aa25bf77e4067cb9dc1014d52d6cd4d588f92eee3aaad |
|
|
|
|
Verifying Hash Integrity ... sha256+ OK |
|
|
|
|
## Loading ramdisk from FIT Image at 84100000 ... |
|
|
|
|
Using 'config@0' configuration |
|
|
|
|
Trying 'ramdisk@0' ramdisk subimage |
|
|
|
|
Description: ramdisk |
|
|
|
|
Created: 2017-10-20 14:32:29 UTC |
|
|
|
|
Type: RAMDisk Image |
|
|
|
|
Compression: uncompressed |
|
|
|
|
Data Start: 0x847a5cc0 |
|
|
|
|
Data Size: 5264365 Bytes = 5 MiB |
|
|
|
|
Architecture: AArch64 |
|
|
|
|
OS: Linux |
|
|
|
|
Load Address: unavailable |
|
|
|
|
Entry Point: unavailable |
|
|
|
|
Hash algo: sha256 |
|
|
|
|
Hash value: 44980a2874154a2e31ed59222c9f8ea968867637f35c81e4107a984de7014deb |
|
|
|
|
Verifying Hash Integrity ... sha256+ OK |
|
|
|
|
## Loading fdt from FIT Image at 84100000 ... |
|
|
|
|
Using 'config@0' configuration |
|
|
|
|
Trying 'fdt@0' fdt subimage |
|
|
|
|
Description: fdt |
|
|
|
|
Created: 2017-10-20 14:32:29 UTC |
|
|
|
|
Type: Flat Device Tree |
|
|
|
|
Compression: uncompressed |
|
|
|
|
Data Start: 0x847a2cb0 |
|
|
|
|
Data Size: 12111 Bytes = 11.8 KiB |
|
|
|
|
Architecture: AArch64 |
|
|
|
|
Hash algo: sha256 |
|
|
|
|
Hash value: c517099db537f6d325e6be46b25c871a41331ad5af0283883fd29d40bfc14e1d |
|
|
|
|
Verifying Hash Integrity ... sha256+ OK |
|
|
|
|
Booting using the fdt blob at 0x847a2cb0 |
|
|
|
|
Uncompressing Kernel Image ... OK |
|
|
|
|
reserving fdt memory region: addr=80000000 size=2000000 |
|
|
|
|
Loading Device Tree to 000000009fffa000, end 000000009fffff4e ... OK |
|
|
|
|
|
|
|
|
|
Starting kernel ... |
|
|
|
|
---------------------------------------->8---------------------------------------- |
|
|
|
|
|
|
|
|
|
Please pay attention to the lines that start with "Verifying Hash Integrity". |
|
|
|
|
|
|
|
|
|
"Verifying Hash Integrity ... sha256,rsa2048:dev+ OK" means the signature check |
|
|
|
|
passed. |
|
|
|
|
|
|
|
|
|
"Verifying Hash Integrity ... sha256+ OK" (3 times) means the hash check passed |
|
|
|
|
for kernel, DTB, and Init ramdisk. |
|
|
|
|
|
|
|
|
|
If they are not displayed, the Verified Boot is not working. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
UniPhier specific commands |
|
|
|
|
-------------------------- |
|
|
|
|
|
|
|
|
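Review bot: In step 4, only -k is explained for "tools/mkimage -f fit.its -k keys -K dts/dt.dtb -r -F fitImage"; -K, -r and -F each deserve a sentence. -r matters most in a Verified Boot tutorial, because it marks the key written into "dts/dt.dtb" as required, and U-Boot only enforces signatures made with required keys, so a reader who drops it ends up with a signed image whose signature is not enforced. Step 7 describes only the success case ("If they are not displayed, the Verified Boot is not working"); consider adding a check that a fitImage with altered contents is refused by bootm, since that is what demonstrates enforcement. Step 1 writes an unencrypted private key to keys/dev.key, so a line saying that this file is the signing secret and must stay off the target and out of any published tree would help. Minor wording: "details documents" should read "detailed documents", and "messages like follows" should read "messages as follows".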
@ -179,4 +404,4 @@ newer SoCs. Even if it is, EA[25] is not connected on most of the boards. |
|
|
|
|
|
|
|
|
|
-- |
|
|
|
|
Masahiro Yamada <yamada.masahiro@socionext.com> |
|
|
|
|
Sep. 2017 |
|
|
|
|
Oct. 2017 |
|
|
|
|